BIG-IQ Centralized Management 8.4.1 :: Fixes and Known Issues
Version: 8.4.1
Build: 90.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
| The blue background highlights fixes |
Known Issues in BIG-IQ CM v8.4.x
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
| 974093-6 | CVE-2020-25705 | K09604370 | Linux kernel vulnerability CVE-2020-25705 | 8.4.1 |
| 940317-12 | CVE-2020-13692 | K23157312, BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 8.4.1, 8.4.0, 8.2.0 |
| 933501-2 | CVE-2021-22974 | K68652018 | iControl REST vulnerability CVE-2021-22974 | 8.4.1 |
| 2140641-6 | CVE-2025-40778 | K000157334 | CVE-2025-40778: Bind Vulnerability | 8.4.1 |
| 2140621-5 | CVE-2025-8677 | K000157317, BT2140621 | CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling | 8.4.1 |
| 2013225-2 | CVE-2021-34798 | K72382141 | CVE-2021-34798: Apache HTTP Server NULL pointer dereference via malformed requests (availability/DoS) | 8.4.1 |
| 1620285 | CVE-2024-38477 | K000140784 | CVE-2024-38477 Apache HTTPD vulnerability | 8.4.1 |
| 1061969-24 | CVE-2015-3166, CVE-2019-10208, CVE-2021-32027, CVE-2020-25695, CVE-2019-10127, CVE-2016-0766, CVE-2018-10925, CVE-2020-25694, CVE-2019-10128, CVE-2020-25696, CVE-2016-0773, CVE-2018-10915, CVE-2020-14350, CVE-2020-14349, CVE-2021-32028, CVE-2020-1720, CVE-2021-32029, CVE-2017-7485, CVE-2014-0066, CVE-2015-5289, CVE-2014-0063, CVE-2014-0062, CVE-2014-0065, CVE-2014-0060, CVE-2014-0061, CVE-2014-0064, CVE-2019-10130 | K000149329, BT1061969 | Postgresql package upgrade to 15.0 version | 8.4.1 |
| 1004881-9 | CVE-2015-9251,CVE-2016-7103,CVE-2017-18214,CVE-2018-16487,CVE-2018-3721,CVE-2019-1010266,CVE-2019-10744,CVE-2019-10768,CVE-2019-10768,CVE-2019-11358,CVE-2020-11022,CVE-2020-11023,CVE-2020-28168,CVE-2020-28500,CVE-2020-7676,CVE-2020-7676,CVE-2020-8203,CVE-2021-23337 | K12492858, BT1004881 | Update angular, jquery, moment, axios, and lodash libraries in AGC | 8.4.1 |
| 993681-7 | CVE-2019-18282 | K32380005, BT993681 | CVE-2019-18282 Kernel: Device Tracking Vulnerability | 8.4.1 |
| 989373-8 | CVE-2020-14314 | K67830124, BT989373 | CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem | 8.4.1 |
| 987813-7 | CVE-2020-25643 | K65234135, BT987813 | CVE-2020-25643 kernel:improper input validation in the ppp_cp_parse_cr function | 8.4.1 |
| 987749-10 | CVE-2020-10769 | K62532228, BT987749 | CVE-2020-10769 kernel: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c | 8.4.1 |
| 981885-5 | CVE-2020-8285 | K61186963 | CVE-2020-8285 curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used | 8.4.1 |
| 975605-7 | CVE-2018-1122 | K00409335, BT975605 | CVE-2018-1122 procps-ng, procps: Local privilege escalation in top | 8.4.1 |
| 973409-9 | CVE-2020-1971 | K42910051, BT973409 | CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference | 8.4.1 |
| 968737-3 | CVE-2018-18397 | K83102920, BT968737 | CVE-2018-18397 : kernel: userfaultfd bypasses tmpfs file permissions | 8.4.1 |
| 968725-7 | CVE-2017-10661 | K04337834, BT968725 | Linux Kernel Vulnerability CVE-2017-10661 | 8.4.1 |
| 950605-1 | CVE-2020-14145 | K48050136, BT950605 | Openssh insecure client negotiation CVE-2020-14145 | 8.4.1 |
| 949889-8 | CVE-2019-3900 | K04107324, BT949889 | CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() | 8.4.1 |
| 945421-8 | CVE-2020-1968 | K92451315, BT945421 | CVE-2020-1968: Raccoon vulnerability | 8.4.1 |
| 945109-13 | CVE-2015-9382 | K46641512, BT945109 | Freetype Parser Skip Token Vulnerability CVE-2015-9382 | 8.4.1, 8.2.0 |
| 945033-9 | CVE-2019-9636, CVE-2019-10160 | K57542514, BT945033 | Python Vulnerability (CVE-2019-9636): Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization | 8.4.1 |
| 928901-7 | CVE-2020-11022 | K02453220 | jQuery vulnerability CVE-2020-11022 | 8.4.1 |
| 915981-7 | CVE-2022-26340 | K38271531, BT915981 | BIG-IP SCP hardening | 8.4.1 |
| 845381-10 | CVE-2018-14468 | K04367730 | CVE-2018-14468 - TCPDUMP Buffer Over-Read Vulnerability in FRF.16 Parser | 8.4.1 |
| 838697 | CVE-2020-5923 | K05975972 | CVE-2020-5923 - Self IP Port Lockdown Bypass Vulnerability | 8.4.1 |
| 834153-6 | CVE-2019-13232 | K80311892 | CVE-2019-13232 unzip: overlapping of files in ZIP container | 8.4.1 |
| 832757-7 | CVE-2017-18551 | K48073202, BT832757 | Linux kernel vulnerability CVE-2017-18551 | 8.4.1 |
| 823877-15 | CVE-2019-10098 CVE-2020-1927 |
K25126370, BT823877 | CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability | 8.4.1 |
| 819053-8 | CVE-2019-13232 | K80311892, BT819053 | CVE-2019-13232 unzip: overlapping of files in ZIP container | 8.4.1 |
| 816413-3 | CVE-2019-1125 | K31085564, BT816413 | CVE-2019-1125: Spectre SWAPGS Gadget | 8.4.1 |
| 805793 | CVE-2018-20843 | K51011533 | CVE-2018-20843: libexpat XML parser denial-of-service via excessive colons in XML names (fixed in BIG-IQ 8.4.1) | 8.4.1 |
| 798889-1 | CVE-2018-20836 | K11225249, BT798889 | CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free | 8.4.1 |
| 760895-1 | CVE-2009-5155 | K64119434, BT760895 | CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result | 8.4.1 |
| 757604-8 | CVE-2019-6109 CVE-2019-6110 CVE-2019-6111 CVE-2018-20685 |
K12252011 | Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 | 8.4.1 |
| 740321-6 | CVE-2022-34851 | K50310001, BT740321 | iControl SOAP API does not follow current best practices | 8.4.1 |
| 617963 | CVE-2015-1283 | K15104541 | CVE-2015-1283: Heap-buffer-overflow in expat. | 8.4.1 |
| 1983321-4 | CVE-2025-48976 | K000152614, BT1983321 | CVE-2025-48976 apache-commons-fileupload: Apache Commons FileUpload DoS via part headers | 8.4.1 |
| 1966849-7 | CVE-2023-5869 | K000152931, BT1966849 | CVE-2023-5869 postgresql: Buffer overrun from integer overflow in array modification | 8.4.1 |
| 1928541 | CVE-2019-10164 | K000150943 | CVE-2019-10164 - PostgreSQL Stack-Based Buffer Overflow via Password Change | 8.4.1 |
| 1858553-2 | CVE-2021-32027 | K000151082 | PostgreSQL vulnerability CVE-2021-32027 | 8.4.1 |
| 1678793-8 | CVE-2019-14863 | K000141459, BT1678793 | CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes | 8.4.1 |
| 1678777-9 | CVE-2022-25869 | K000141459, BT1678777 | CVE-2022-25869 angular.js : insecure page caching in the browser, which allows interpolation of <textarea> elements. | 8.4.1 |
| 1589661-4 | CVE-2019-3860 | K000149288, BT1589661 | CVE-2019-3860 libssh2: Out-of-bounds reads with specially crafted SFTP packets | 8.4.1 |
| 1589645-4 | CVE-2019-3859 | K000149288, BT1589645 | CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read | 8.4.1 |
| 1589489-1 | CVE-2019-3858 | K000148713 | libssh Vulnerability CVE-2019-3858 | 8.4.1 |
| 1517561-4 | CVE-2023-28484 | K000139641, BT1517561 | CVE-2023-28484 libxml2: NULL dereference in xmlSchemaFixupComplexType | 8.4.1 |
| 1407837-1 | CVE-2020-22218 | K000138219, BT1407837 | libssh2 vulnerability CVE-2020-22218 | 8.4.1 |
| 1393733-6 | CVE-2022-43750 | K000139700, BT1393733 | CVE-2022-43750 kernel: memory corruption in usbmon driver | 8.4.1 |
| 1366025-15 | CVE-2023-44487 | K000137106, BT1366025 | A particular HTTP/2 sequence may cause high CPU utilization. | 8.4.1 |
| 1330721-7 | CVE-2018-12115, CVE-2018-12116, CVE-2018-7167 | K000137093, BT1330721 | Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116 | 8.4.1 |
| 1327169-6 | CVE-2023-24329 | K000135921, BT1327169 | CVE-2023-24329 python: urllib.parse url blocklisting bypass | 8.4.1 |
| 1270257-7 | CVE-2023-0662 | K000133753, BT1270257 | CVE-2023-0662 php: DoS vulnerability when parsing multipart request body | 8.4.1 |
| 1266853-11 | CVE-2023-24998 | K000133052, BT1266853 | CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts | 8.4.1 |
| 1167897-10 | CVE-2022-40674 | K44454157, BT1167897 | [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 8.4.1, 8.3.0 |
| 1099365-6 | CVE-2018-25032 | K21548854 | CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs. | 8.4.1 |
| 1093685-6 | CVE-2021-4083 | K52379673, BT1093685 | CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it | 8.4.1 |
| 1089921-7 | CVE-2022-0359 | K08827426, BT1089921 | Vim vulnerability CVE-2022-0359 | 8.4.1 |
| 1089233-6 | CVE-2022-0492 | K54724312 | CVE-2022-0492 Linux kernel vulnerability | 8.4.1 |
| 1088445-10 | CVE-2022-22720 | K67090077, BT1088445 | CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body | 8.4.1 |
| 1086325-9 | CVE-2016-4658 | K49419538, BT1086325 | CVE-2016-4658 libxml2 vulnerability | 8.4.1 |
| 1070905-1 | CVE-2017-7656 | K21054458, BT1070905 | CVE-2017-7656 jetty: HTTP request smuggling using the range header | 8.4.1 |
| 1058701 | CVE-2021-25219 | K77326807 | CVE-2021-25219 : BIND exploitation of broken authoritative servers | 8.4.1 |
| 1057393-4 | CVE-2019-18197 | K10812540, BT1057393 | CVE-2019-18197 libxslt vulnerability: use after free in xsltCopyText | 8.4.1 |
| 1057141-1 | CVE-2018-14647 | K000151007, BT1057141 | CVE-2018-14647 python: Missing salt initialization in _elementtree.c module | 8.4.1 |
| 1043977-7 | CVE-2021-3672 CVE-2021-22931 |
K53225395, BT1043977 | CVE-2021-3672 CVE-2021-22931 NodeJS Vulnerabilities in iAppLX | 8.4.1 |
| 1041141-1 | CVE-2021-35942 | K98121587, BT1041141 | CVE-2021-35942 glibc: Arbitrary read in wordexp() | 8.4.1 |
| 1035781-2 | CVE-2021-33909 | K75133288, BT1035781 | CVE-2021-33909: Linux Kernel Vulnerability | 8.4.1 |
| 1021245-4 | CVE-2019-20907 | K78284681, BT1021245 | CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive | 8.4.1 |
| 1017965-7 | CVE-2021-25214 | K11426315, BT1017965 | BIND Vulnerability CVE-2021-25214 | 8.4.1 |
| 1016657-6 | CVE-2022-26517 | K54082580, BT1016657 | TMM may crash while processing LSN traffic | 8.4.1 |
| 1001369-5 | CVE-2020-12049 | K16729408, BT1001369 | D-Bus vulnerability CVE-2020-12049 | 8.4.1 |
| 939421-8 | CVE-2020-10029 | K38481791, BT939421 | CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow | 8.4.1 |
| 887637-6 | CVE-2019-3815 | K22040951, BT887637 | Systemd-journald Vulnerability: CVE-2019-3815 | 8.4.1 |
| 713971-3 | CVE-2018-0739 | K08044291 | CVE-2018-0739: OpenSSL Vulnerability | 8.4.1 |
| 2113093-2 | CVE-2021-3393 | K000149073 | CVE-2021-3393: Partition constraint violation errors leak values of denied columns | 8.4.1 |
| 1921301 | CVE-2021-32028 CVE-2021-32029 | K000150746 | PostgreSQL Memory Disclosure Vulnerabilities | 8.4.1 |
| 1692917-4 | CVE-2024-6232 | K000148252, BT1692917 | CVE-2024-6232 CPython Tarfile vulnerability | 8.4.1 |
| 1586537-8 | CVE-2024-0985 | K000140188, BT1586537 | CVE-2024-0985 postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL | 8.4.1 |
| 1566997-1 | CVE-2016-10349 | K000148259, BT1566997 | CVE-2016-10349 libarchive: Heap-based buffer over-read in the archive_le32dec function | 8.4.1 |
| 1566533-6 | CVE-2017-18342 | K000139901, BT1566533 | CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code | 8.4.1 |
| 1561689-1 | CVE-2016-10350 | K000148259, BT1561689 | CVE-2016-10350 libarchive: Heap-based buffer over-read in the archive_read_format_cab_read_header function | 8.4.1 |
| 1474757-4 | CVE-2023-51385 | K000138827, BT1474757 | CVE-2023-51385 openssh: potential command injection via shell metacharacters | 8.4.1 |
| 1470177-5 | CVE-2023-46218 | K000138650, BT1470177 | CVE-2023-46218 curl: information disclosure by exploiting a mixed case flaw | 8.4.1 |
| 1330801-7 | CVE-2018-12123, CVE-2018-12121, CVE-2018-12122 | K000137090, BT1330801 | NodeJS Vulnerability CVE-2018-12123, CVE-2018-12121, CVE-2018-12122 | 8.4.1 |
| 1304081-1 | CVE-2023-2650 | K000135178, BT1304081 | CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers | 8.4.1 |
| 965545-13 | CVE-2020-27617 | K41142448, BT965545 | CVE-2020-27617 : QEMU Vulnerability | 8.4.1 |
| 872109-15 | CVE-2019-17563 | K24551552, BT872109 | CVE-2019-17563: Tomcat Vulnerability | 8.4.1 |
| 1678769-8 | CVE-2023-26116 | K000141463, BT1678769 | CVE-2023-26116 angularjs: Regular Expression Denial of Service via angular.copy() | 8.4.1 |
| 1673161-5 | CVE-2023-45853 | K000149884, BT1673161 | CVE-2023-45853 zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6 | 8.4.1 |
| 1623197-4 | CVE-2024-37891 | K000140711, BT1623197 | CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects | 8.4.1 |
Functional Change Fixes
None
BIG-IQ System User Interface Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1038149 | 2-Critical | WS-2019-0063 | 8.4.1, 8.3.0 |
BIG-IQ Local Traffic & Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1988937-2 | 3-Major | Inability to overwrite an existing cert bundle due to excessive calls to certificate-management | 8.4.1 | |
| 1921553-2 | 3-Major | Re-import LTM service with log filter fail with error "Failed copying from source to target: java.lang.RuntimeException: not authenticated" | 8.4.1 |
REST Framework and TMOS Platform Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1925461-11 | 0-Unspecified | CVE-2016-2053 Linux Kernel Vulnerability | 8.4.1 | |
| 1923997-9 | 0-Unspecified | CVE-2023-1668-openvswitch: ip proto 0 triggers incorrect handling | 8.4.1 | |
| 1923817-8 | 0-Unspecified | CVE-2017-11499: Constant Hashtable Seeds vulnerability (NodeJS v6.9.1) | 8.4.1 | |
| 2140909 | 2-Critical | BT2140909 | BIG-IQ: Enable F5 Trusted CA store avoid CA pinning | 8.4.1, 8.3.0 |
| 2137581-9 | 2-Critical | TMM core may occur under certain conditions | 8.4.1 | |
| 725045 | 3-Major | SNMP traps do not follow current best practices | 8.4.1 | |
| 2162989 | 3-Major | BIG-IQ CM is unable to request full cert bundle from Venafi | 8.4.1 | |
| 2149233-6 | 3-Major | TMM crashes when using SSL | 8.4.1 | |
| 2141245-4 | 3-Major | Undisclosed traffic to TMM can lead to resource exhaustion | 8.4.1 | |
| 2131233-3 | 3-Major | ADM not functioning properly | 8.4.1 | |
| 2130601-5 | 3-Major | TMUI Request Processing Improvement | 8.4.1 | |
| 2014237-2 | 3-Major | CVE-2022-29154: rsync client path validation issue may allow overwrite of arbitrary files in target directory | 8.4.1 | |
| 1450481-4 | 3-Major | TMSH hardening | 8.4.1 | |
| 1271341-8 | 3-Major | Unable to use DTLS without TMM crashing | 8.4.1 | |
| 1173825-5 | 3-Major | Improper sanitisation in Qkview data | 8.4.1 | |
| 1093933-6 | 3-Major | CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | 8.4.1 | |
| 1753617-8 | 4-Minor | CVE-2023-24621 Untrusted Polymorphic Deserialization to Java Classes | 8.4.1 | |
| 1144421-1 | 4-Minor | CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation | 8.4.1 | |
| 1069949-5 | 4-Minor | CVE-2018-1000007 curl: HTTP authentication leak in redirects | 8.4.1 | |
| 1061485-7 | 4-Minor | CVE-2019-19527: Linux kernel vulnerability | 8.4.1 | |
| 1059229-1 | 4-Minor | CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c | 8.4.1 | |
| 1058197-7 | 4-Minor | CVE-2019-14973: LibTIFF Vulnerability | 8.4.1 | |
| 1052437-1 | 4-Minor | CVE-2019-19532 kernel: malicious USB devices can lead to multiple out-of-bounds write | 8.4.1 | |
| 1052433-1 | 4-Minor | CVE-2019-19530: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver | 8.4.1 | |
| 1052333-12 | 4-Minor | CVE-2018-16885: Linux kernel vulnerability | 8.4.1 | |
| 1052253-12 | 4-Minor | CVE-2018-13095 kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c | 8.4.1 | |
| 1052249-11 | 4-Minor | CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function | 8.4.1 | |
| 1052245-6 | 4-Minor | CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function | 8.4.1 | |
| 1052217-11 | 4-Minor | CVE-2018-19985 kernel: oob memory read in hso_probe in drivers/net/usb/hso.c | 8.4.1 | |
| 1051869-6 | 4-Minor | CVE-2018-20169: Linux kernel vulnerability | 8.4.1 | |
| 1051769-5 | 4-Minor | CVE-2019-10140 kernel: overlayfs: NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c | 8.4.1 | |
| 1051697-8 | 4-Minor | CVE-2019-11833 kernel: fs/ext4/extents.c leads to information disclosure | 8.4.1 |
BIG-IQ Collection Services Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
| 1966465 | 2-Critical | BIG-IQ unable to register with Azure IoT Hub | 8.4.1, 8.4.0 |
Cumulative fix details for BIG-IQ CM v8.4.1 that are included in this release
987749-10 : CVE-2020-10769 kernel: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c
981885-5 : CVE-2020-8285 curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used
Links to More Info: K61186963
974093-6 : Linux kernel vulnerability CVE-2020-25705
Links to More Info: K09604370
949889-8 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
945033-9 : Python Vulnerability (CVE-2019-9636): Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization
939421-8 : CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow
933501-2 : iControl REST vulnerability CVE-2021-22974
Links to More Info: K68652018
928901-7 : jQuery vulnerability CVE-2020-11022
Links to More Info: K02453220
845381-10 : CVE-2018-14468 - TCPDUMP Buffer Over-Read Vulnerability in FRF.16 Parser
Links to More Info: K04367730
838697 : CVE-2020-5923 - Self IP Port Lockdown Bypass Vulnerability
Links to More Info: K05975972
834153-6 : CVE-2019-13232 unzip: overlapping of files in ZIP container
Links to More Info: K80311892
805793 : CVE-2018-20843: libexpat XML parser denial-of-service via excessive colons in XML names (fixed in BIG-IQ 8.4.1)
Links to More Info: K51011533
798889-1 : CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free
760895-1 : CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result
757604-8 : Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111
Links to More Info: K12252011
725045 : SNMP traps do not follow current best practices
Component: REST Framework and TMOS Platform
Symptoms:
SNMP traps do not follow current best practices
Impact:
SNMP traps do not follow current best practices
Fix:
SNMP traps now follow current best practices
Fixed Versions:
8.4.1
713971-3 : CVE-2018-0739: OpenSSL Vulnerability
Links to More Info: K08044291
617963 : CVE-2015-1283: Heap-buffer-overflow in expat.
Links to More Info: K15104541
2162989 : BIG-IQ CM is unable to request full cert bundle from Venafi
Component: REST Framework and TMOS Platform
Symptoms:
Currently, when BIG-IQ sends the certificate retrieval request to Venafi, it does not send 'includeChain=true'. Thus, BIG-IQ does not get the full chain bundle of certs(leaf, intermediate, root). BIG-IQ gets only the leaf cert, and the leaf cert is imported into BIG-IQ.
Conditions:
This occurs when BIG-IQ creates the Venafi-signed certificate and retrieves the certificate from Venafi.
Impact:
BIG-IQ has the leaf certificate only instead of the full bundle(leaf, intermediate, root), and the same is deployed to BIG-IP ssl profiles. When the completed bundle is not available, ssl hand sake fails.
Fix:
Now BIG-IQ is able to retrieve the full bundle(leaf, intermediate, root) from Venafi and is able to deploy on BIG-IP.
Fixed Versions:
8.4.1
2149233-6 : TMM crashes when using SSL
Component: REST Framework and TMOS Platform
Symptoms:
Under certain SSL condition, TMM crashes.
Conditions:
When SSL is configured
Impact:
Traffic is disrupted.
Fix:
TMM working properly now.
Fixed Versions:
8.4.1
2141245-4 : Undisclosed traffic to TMM can lead to resource exhaustion
Component: REST Framework and TMOS Platform
Symptoms:
Certain traffic sent to TMM is leading to resource exhaustion.
Conditions:
Undisclosed conditions
Impact:
TMM Resource exhaustion
Fix:
DNS LDNS API correction.
Fixed Versions:
8.4.1
2140909 : BIG-IQ: Enable F5 Trusted CA store avoid CA pinning
Links to More Info: BT2140909
Component: REST Framework and TMOS Platform
Symptoms:
F5 products can only successfully connect to web services with Entrust SSL certificates, and Entrust has ceased CA operations.
Conditions:
The file /config/ssl/ssl.crt/f5-ca-bundle.crt contains only a single Entrust Root CA certificate.
Impact:
F5 devices are not able to download the blended CA bundle.
Workaround:
Manually upgrade f5-ca-bundle.crt, follow this KB article for detailed steps https://my.f5.com/manage/s/article/K000157916
Fix:
Updated the f5-ca-bundle.crt in BIG-IQ v8.4.1
Fixed Versions:
8.4.1, 8.3.0
2140641-6 : CVE-2025-40778: Bind Vulnerability
Links to More Info: K000157334
2140621-5 : CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling
Links to More Info: K000157317, BT2140621
2137581-9 : TMM core may occur under certain conditions
Component: REST Framework and TMOS Platform
Symptoms:
Under certain SSL conditions, TMM could encounter a core.
Conditions:
NA
Impact:
Traffic is disrupted while the TMM process restarts.
Workaround:
Set the 'Alert Timeout' value to a specific value, say 5 seconds, instead of the default 'indefinite' value, in ALL client-ssl AND server-ssl profiles.
Configuration Steps
-------------------
GUI Path:
Local Traffic ›› Profiles : SSL : Client ›› clientssl → Alert Timeout = 5 seconds
Local Traffic ›› Profiles : SSL : Server ›› serverssl → Alert Timeout = 5 seconds
TMSH Command:
(tmos)# modify ltm profile client-ssl clientssl alert-timeout 5
(tmos)# modify ltm profile server-ssl serverssl alert-timeout 5
Fix:
TMM able to work properly.
Fixed Versions:
8.4.1
2131233-3 : ADM not functioning properly
Component: REST Framework and TMOS Platform
Symptoms:
ADM handling high concentration of HTTP/2.0 traffic is utilizing high resources from TMM.
Conditions:
When ADM is configured
Impact:
TMM resources are getting exhausted.
Workaround:
Disabling ADM
Fixed Versions:
8.4.1
2130601-5 : TMUI Request Processing Improvement
Component: REST Framework and TMOS Platform
Symptoms:
TMUI may not properly process certain requests in specific scenarios.
Conditions:
NA
Impact:
Unexpected behavior
Workaround:
NA
Fix:
TMUI now processes requests as expected.
Fixed Versions:
8.4.1
2113093-2 : CVE-2021-3393: Partition constraint violation errors leak values of denied columns
Links to More Info: K000149073
2014237-2 : CVE-2022-29154: rsync client path validation issue may allow overwrite of arbitrary files in target directory
Component: REST Framework and TMOS Platform
Symptoms:
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).
Conditions:
NA
Impact:
Potential overwrite of arbitrary files within the rsync target directory tree, which may lead to further exploitation.
Workaround:
NA
Fix:
This issue is addressed by the rsync update/patch included with the associated TMOS fix (see internal BIG-IP bug 1937381 and patch attachment 253673).
Fixed Versions:
8.4.1
2013225-2 : CVE-2021-34798: Apache HTTP Server NULL pointer dereference via malformed requests (availability/DoS)
Links to More Info: K72382141
1988937-2 : Inability to overwrite an existing cert bundle due to excessive calls to certificate-management
Component: BIG-IQ Local Traffic & Management
Symptoms:
Unable to Overwrite Certificate Bundle.
Conditions:
Importing a Certificate by "Overwriting Existing" option.
Impact:
Fails to update or overwrite the Certificate Bundle.
Workaround:
None.
Fix:
Certificate bundle is now overwritten as expected.
Fixed Versions:
8.4.1
1983321-4 : CVE-2025-48976 apache-commons-fileupload: Apache Commons FileUpload DoS via part headers
Links to More Info: K000152614, BT1983321
1966849-7 : CVE-2023-5869 postgresql: Buffer overrun from integer overflow in array modification
Links to More Info: K000152931, BT1966849
1928541 : CVE-2019-10164 - PostgreSQL Stack-Based Buffer Overflow via Password Change
Links to More Info: K000150943
1925461-11 : CVE-2016-2053 Linux Kernel Vulnerability
Component: REST Framework and TMOS Platform
Symptoms:
The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c.
Conditions:
NA
Impact:
It can lead to DoS and will compromise system availability.
Workaround:
NA
Fix:
DoS issue has been resolved.
Fixed Versions:
8.4.1
1923997-9 : CVE-2023-1668-openvswitch: ip proto 0 triggers incorrect handling
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.
Conditions:
Open vSwitch is running a vulnerable version and processes an IP packet with protocol value 0, causing an incorrect datapath flow to be installed with wildcarded nw_proto.
Impact:
It can cause incorrect handling or misrouting of other IP packets, potentially leading to traffic disruption or denial of service.
Workaround:
Upgrade to a patched Open vSwitch version and avoid processing or allowing malformed IP packets with protocol value 0.
Fix:
Upgrade to a patched Open vSwitch version that correctly handles IP packets with protocol value 0.
Fixed Versions:
8.4.1
1923817-8 : CVE-2017-11499: Constant Hashtable Seeds vulnerability (NodeJS v6.9.1)
Component: REST Framework and TMOS Platform
Symptoms:
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.
Conditions:
The application runs a vulnerable Node.js version and processes attacker-controlled inputs that result in many hash collisions (e.g., crafted object keys), allowing hash flooding.
Impact:
It can cause high CPU usage and event loop blocking, leading to a remote denial of service.
Workaround:
Upgrade to a fixed Node.js version, or rebuild Node.js without V8 snapshots and limit or validate untrusted input sizes.
Fix:
Upgrade to a Node.js version where the HashTable seed is properly randomized at startup.
Fixed Versions:
8.4.1
1921553-2 : Re-import LTM service with log filter fail with error "Failed copying from source to target: java.lang.RuntimeException: not authenticated"
Component: BIG-IQ Local Traffic & Management
Symptoms:
Re-import fails with the error for LTM service.
Conditions:
After modifying LTM object on BIG-IQ and then triggering a rediscover/re-import, rediscover will succeed but re-import will fail. When prompted with "Resolve Import Conflicts" pop-up window, selecting BIG-IP to replace changes on BIG-IQ, the re-import task will commence but eventually fail.
Impact:
Re-import fails with error.
Workaround:
None.
Fix:
Re-import is now working properly.
Fixed Versions:
8.4.1
1921301 : PostgreSQL Memory Disclosure Vulnerabilities
Links to More Info: K000150746
1858553-2 : PostgreSQL vulnerability CVE-2021-32027
Links to More Info: K000151082
1753617-8 : CVE-2023-24621 Untrusted Polymorphic Deserialization to Java Classes
Component: REST Framework and TMOS Platform
Symptoms:
It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.
Conditions:
yamlbeans versions before 1.15 are vulnerable
Impact:
It can result in remote code execution (RCE) or denial of service.
Workaround:
N/A
Fix:
yamlbeans has been patched to address this vulnerability.
Fixed Versions:
8.4.1
1692917-4 : CVE-2024-6232 CPython Tarfile vulnerability
Links to More Info: K000148252, BT1692917
1678793-8 : CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes
Links to More Info: K000141459, BT1678793
1678777-9 : CVE-2022-25869 angular.js : insecure page caching in the browser, which allows interpolation of <textarea> elements.
Links to More Info: K000141459, BT1678777
1678769-8 : CVE-2023-26116 angularjs: Regular Expression Denial of Service via angular.copy()
Links to More Info: K000141463, BT1678769
1673161-5 : CVE-2023-45853 zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6
Links to More Info: K000149884, BT1673161
1623197-4 : CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects
Links to More Info: K000140711, BT1623197
1620285 : CVE-2024-38477 Apache HTTPD vulnerability
Links to More Info: K000140784
1589661-4 : CVE-2019-3860 libssh2: Out-of-bounds reads with specially crafted SFTP packets
Links to More Info: K000149288, BT1589661
1589645-4 : CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read
Links to More Info: K000149288, BT1589645
1589489-1 : libssh Vulnerability CVE-2019-3858
Links to More Info: K000148713
1586537-8 : CVE-2024-0985 postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL
Links to More Info: K000140188, BT1586537
1566997-1 : CVE-2016-10349 libarchive: Heap-based buffer over-read in the archive_le32dec function
Links to More Info: K000148259, BT1566997
1566533-6 : CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code
Links to More Info: K000139901, BT1566533
1561689-1 : CVE-2016-10350 libarchive: Heap-based buffer over-read in the archive_read_format_cab_read_header function
Links to More Info: K000148259, BT1561689
1517561-4 : CVE-2023-28484 libxml2: NULL dereference in xmlSchemaFixupComplexType
Links to More Info: K000139641, BT1517561
1474757-4 : CVE-2023-51385 openssh: potential command injection via shell metacharacters
Links to More Info: K000138827, BT1474757
1470177-5 : CVE-2023-46218 curl: information disclosure by exploiting a mixed case flaw
Links to More Info: K000138650, BT1470177
1450481-4 : TMSH hardening
Component: REST Framework and TMOS Platform
Symptoms:
TMSH is not following security best practices.
Conditions:
NA
Impact:
Unexpected behaviour
Workaround:
NA
Fix:
TMSH is now following security best practices.
Fixed Versions:
8.4.1
1407837-1 : libssh2 vulnerability CVE-2020-22218
Links to More Info: K000138219, BT1407837
1393733-6 : CVE-2022-43750 kernel: memory corruption in usbmon driver
Links to More Info: K000139700, BT1393733
1366025-15 : A particular HTTP/2 sequence may cause high CPU utilization.
Links to More Info: K000137106, BT1366025
1330801-7 : NodeJS Vulnerability CVE-2018-12123, CVE-2018-12121, CVE-2018-12122
Links to More Info: K000137090, BT1330801
1330721-7 : Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116
Links to More Info: K000137093, BT1330721
1327169-6 : CVE-2023-24329 python: urllib.parse url blocklisting bypass
Links to More Info: K000135921, BT1327169
1304081-1 : CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers
Links to More Info: K000135178, BT1304081
1271341-8 : Unable to use DTLS without TMM crashing
Component: REST Framework and TMOS Platform
Symptoms:
The TMM crashes when DTLS is used.
Conditions:
- Using DTLS.
Impact:
TMM core is observed, traffic is disrupted while TMM restarts.
Workaround:
Disable 'allow-dynamic-record-sizing' in the client-ssl profile.
Following is an example:
ltm profile client-ssl /Common/otters-ssl {
allow-dynamic-record-sizing disabled
Fixed Versions:
8.4.1
1270257-7 : CVE-2023-0662 php: DoS vulnerability when parsing multipart request body
Links to More Info: K000133753, BT1270257
1266853-11 : CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts
Links to More Info: K000133052, BT1266853
1173825-5 : Improper sanitisation in Qkview data
Component: REST Framework and TMOS Platform
Symptoms:
It was found that some of the data from Qkview dumps is improperly sanitised.
Conditions:
When using Qkview to dump data
Impact:
Improper sanitisation of data
Fix:
Qkview now properly sanitising the data.
Fixed Versions:
8.4.1
1167897-10 : [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1144421-1 : CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation
Component: REST Framework and TMOS Platform
Symptoms:
cpio does not properly validate the values written in the header of a TAR file through the to_oct() function. When creating a TAR file from a list of files and one of those is another TAR file with a big size, cpio will generate the resulting file with the content extracted from the input one. This leads to unexpected results as the newly generated TAR file could have files with permissions the owner of the input TAR file did not have or in paths he did not have access to.
Conditions:
Occurs when creating tar archives with unvalidated or specially crafted input filenames.
Impact:
This vulnerability may generate malformed tar files, leading to interoperability issues or unexpected behavior in downstream tools.
Workaround:
NA
Fix:
Patched python to fix the vulnerability.
Fixed Versions:
8.4.1
1099365-6 : CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs.
Links to More Info: K21548854
1093933-6 : CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.
Conditions:
N/A
Impact:
Denial of service or in rare circumstances, impact to data integrity or confidentiality
Workaround:
N/A
Fix:
The library has been patched to address the vulnerability.
Fixed Versions:
8.4.1
1089233-6 : CVE-2022-0492 Linux kernel vulnerability
Links to More Info: K54724312
1088445-10 : CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body
1069949-5 : CVE-2018-1000007 curl: HTTP authentication leak in redirects
Component: REST Framework and TMOS Platform
Symptoms:
libcurl might accidentally leak authentication data to third parties.
When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value.
Sending the same set of headers to subsequent hosts is, in particular, a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy-sensitive information or data that could allow others to impersonate the libcurl-using client's request.
Conditions:
NA
Impact:
Sensitive information could be disclosed to an unauthorised user
Workaround:
NA
Fix:
Patched curl to fix the vulnerability.
Fixed Versions:
8.4.1
1061969-24 : Postgresql package upgrade to 15.0 version
Links to More Info: K000149329, BT1061969
1061485-7 : CVE-2019-19527: Linux kernel vulnerability
Component: REST Framework and TMOS Platform
Symptoms:
A vulnerability was found in hiddev_open in drivers/hid/usbhid/hiddev.c in the USB Human Interface Device class subsystem, where an existing device must be validated prior to its access. The device should also ensure the hiddev_list cleanup occurs at failure, as this may lead to a use-after-free problem, or possibly escalate privileges to an unauthorized user.
Conditions:
NA
Impact:
Unauthorised access to BIGIP device
Workaround:
NA
Fix:
Patched kernel to fix the vulnerability.
Fixed Versions:
8.4.1
1059229-1 : CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in the way the sit_init_net function in the Linux kernel handled resource cleanup on errors. This flaw allows an attacker to use the error conditions to crash the system.
Conditions:
Linux kernel versions before 5.0
Impact:
It can result in DoS.
Workaround:
N/A
Fix:
kernel has been patched to address this vulnerability.
Fixed Versions:
8.4.1
1058701 : CVE-2021-25219 : BIND exploitation of broken authoritative servers
Links to More Info: K77326807
1058197-7 : CVE-2019-14973: LibTIFF Vulnerability
Component: REST Framework and TMOS Platform
Symptoms:
_TIFFCheckMalloc and _TIFFCheckRealloc in tif_aux.c in LibTIFF through 4.0.10 mishandle Integer Overflow checks because they rely on compiler behaviour that is undefined by the applicable C standards. This can, for example, lead to an application crash.
Conditions:
NA
Impact:
It could lead to minor disruptions in service (availability impact) and may expose or modify some non-sensitive information (confidentiality and integrity impact)
Workaround:
unauthorized users cannot access the systems
Fix:
Patched LibTIFF to fix the vulnerability.
Fixed Versions:
8.4.1
1057141-1 : CVE-2018-14647 python: Missing salt initialization in _elementtree.c module
Links to More Info: K000151007, BT1057141
1052437-1 : CVE-2019-19532 kernel: malicious USB devices can lead to multiple out-of-bounds write
Component: REST Framework and TMOS Platform
Symptoms:
In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.
Conditions:
NA
Impact:
In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.
Workaround:
NA
Fix:
Patched kernel to fix this vulnerability
Fixed Versions:
8.4.1
1052433-1 : CVE-2019-19530: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver
Component: REST Framework and TMOS Platform
Symptoms:
use-after-free flaw was found in the acm_probe USB subsystem in the Linux kernel. A race condition occurs when a destroy() procedure is initiated allowing the refcount to decrement on the interface so early that it is never undercounted. A malicious USB device is required for exploitation. System availability is the largest threat from the vulnerability, however, data integrity and confidentiality are also threatened.
Conditions:
NA
Impact:
A malicious USB device is required for exploitation. System availability is the largest threat from the vulnerability, however, data integrity and confidentiality are also threatened.
Workaround:
NA
Fix:
Patched kernel to fix this vulnerability
Fixed Versions:
8.4.1
1052333-12 : CVE-2018-16885: Linux kernel vulnerability
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length. This can cause a read beyond the buffer boundaries flaw and, in certain cases, cause a memory access fault and a system halt by accessing an invalid memory address.
Conditions:
NA
Impact:
This can cause a read beyond the buffer boundaries flaw.
Workaround:
NA
Fix:
Patched kernel to fix the vulnerability.
Fixed Versions:
8.4.1
1052253-12 : CVE-2018-13095 kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c
Component: REST Framework and TMOS Platform
Symptoms:
An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork.
Conditions:
Linux kernel version up to including 4.17.3 is vulnerable to this CVE.
Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).
Workaround:
NA
Fix:
Patched kernel to fix the vulnerability.
Fixed Versions:
8.4.1
1052249-11 : CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function
Component: REST Framework and TMOS Platform
Symptoms:
An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. This can lead to a system crash and a denial of service.
Conditions:
NA
Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).
Workaround:
Limit physical or local access to the system
Fix:
Patched kernel to fix the vulnerability.
Fixed Versions:
8.4.1
1052245-6 : CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function
Component: REST Framework and TMOS Platform
Symptoms:
An issue was discovered in the XFS filesystem in fs/xfs/xfs_icache.c in the Linux kernel. There is a NULL pointer dereference leading to a system panic in lookup_slow() on a NULL inode->i_ops pointer when doing path walks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during an allocation.
Conditions:
Linux kernel versions before 4.17.3 are vulnerable
Impact:
It can result in DoS.
Workaround:
N/A
Fix:
kernel has been patched to address this vulnerability.
Fixed Versions:
8.4.1
1052217-11 : CVE-2018-19985 kernel: oob memory read in hso_probe in drivers/net/usb/hso.c
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in the Linux kernel in the function hso_probe() which reads if_num value from the USB device (as an u8) and uses it without a length check to index an array, resulting in an OOB memory read in hso_probe() or hso_get_config_data(). An attacker with forged USB device with a physical access to a system (needed to connect such a device) can cause a system crash and a denial-of-service.
Conditions:
NA
Impact:
The primary impact of this vulnerability is a denial-of-service (DoS) due to the kernel crash
Workaround:
NA
Fix:
Patched kernel to fix the vulnerability.
Fixed Versions:
8.4.1
1051869-6 : CVE-2018-20169: Linux kernel vulnerability
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was discovered in the Linux kernel's USB subsystem in the __usb_get_extra_descriptor() function in the drivers/usb/core/usb.c which mishandles a size check during the reading of an extra descriptor data. By using a specially crafted USB device which sends a forged extra descriptor, an unprivileged user with physical access to the system can potentially cause a privilege escalation or trigger a system crash or lock up and thus to cause a denial of service (DoS).
Conditions:
NA
Impact:
Unauthorized access to sensitive information, Unauthorized modification or corruption of data
Workaround:
Limit access to the affected systems to trusted networks or users.
Fix:
Patched kernel to fix the vulnerability.
Fixed Versions:
8.4.1
1051769-5 : CVE-2019-10140 kernel: overlayfs: NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c
Component: REST Framework and TMOS Platform
Symptoms:
An attacker with local access can create a denial of service situation via a NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with the ability to create directories on overlayfs to crash the kernel creating a denial of service (DOS).
Conditions:
Linux kernel versions before 3.10 are vulnerable
Impact:
It can result in DoS.
Workaround:
N/A
Fix:
kernel has been patched to address this vulnerability.
Fixed Versions:
8.4.1
1051697-8 : CVE-2019-11833 kernel: fs/ext4/extents.c leads to information disclosure
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in the Linux kernels implementation of ext4 extent management which did not correctly initialize memory regions in the extent tree block which may be exported to a local user to obtain sensitive information by reading empty/uninitialized data from the filesystem.
Conditions:
Linux kernel versions before 5.1.2 are vulnerable
Impact:
It can result in information disclosure
Workaround:
N/A
Fix:
kernel has been patched to address this vulnerability.
Fixed Versions:
8.4.1
1966465 : BIG-IQ unable to register with Azure IoT Hub
Component: BIG-IQ Collection Services
Symptoms:
BIG-IQ registration with IoT Hub is failing because the current certificate has expired. As a result, BIG-IQ is unable to send usage data report to TEEMs service.
Conditions:
Usage data is enabled.
Impact:
BIG-IQ cannot send usage data to TEEMs service.
Workaround:
1. Update latest Azure certificate in restjavad.properties.json
2. Restart restjavad.
3. Send usage data report.
Fix:
Usage data report will be published to TEEMs service.
Fixed Versions:
8.4.1
1038149 : WS-2019-0063
Component: BIG-IQ System User Interface
Symptoms:
Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Conditions:
This issue is only exploitable if the product uses js-yaml < 3.13.1 and parses attacker-controlled YAML using the load() API. If YAML is not coming from an untrusted external source (or if safeLoad() is used), then there is no practical exploit path.
Impact:
If an application uses js-yaml < 3.13.1 and parses attacker-controlled input with the unsafe load() API, an attacker can achieve arbitrary code execution in the process—leading to data theft, service disruption, privilege escalation or lateral movement.
Workaround:
Upgrade js-yaml to version 3.13.1 or later
Fix:
Upgrade js-yaml to version 3.13.1 or later
Fixed Versions:
8.4.1, 8.3.0
Known Issues in BIG-IQ CM v8.4.x
BIG-IQ Local Traffic & Management Issues
| ID Number | Severity | Links to More Info | Description |
| 2198921-1 | 3-Major | CSR Attributes of certificates created by custom‑role users are not visible to the same user | |
| 1935917-1 | 3-Major | BT1935917 | Non-admin users with custom permissions are unable to view certificates and keys from web UI or through iControl REST API |
| 1576437-1 | 3-Major | BT1576437 | When generating a CSR with a custom partition Venafi certificate stored in the wrong partition with 'Base64' format. |
REST Framework and TMOS Platform Issues
| ID Number | Severity | Links to More Info | Description |
| 1696741-1 | 3-Major | BT1696741 | Error: ha-quorum: Username and/or password is incorrect |
| 1079769-5 | 3-Major | BT1079769 | Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers |
BIG-IQ Web Application Security (ASM) Issues
| ID Number | Severity | Links to More Info | Description |
| 1316593-2 | 3-Major | BT1316593 | An error occurs when importing an ASM Policy containing the same URLs but with different HTTP request methods |
BIG-IQ Application Management Issues
| ID Number | Severity | Links to More Info | Description |
| 2162157-1 | 3-Major | Unable to set virtual server IP address when using an AS3 application template on the webUI | |
| 2144153-1 | 3-Major | The script parameter is shown for all monitor types instead of external monitor | |
| 2122841-1 | 3-Major | While creating Application Services, having a Monitor Type that is editable does not work | |
| 2122837-1 | 3-Major | Big-IQ: AS3 Templates All Monitor_ classes fail | |
| 2107121-1 | 3-Major | The environment variables are not displayed as key-value pairs for the external monitor type |
Known Issue details for BIG-IQ CM v8.4.x
2198921-1 : CSR Attributes of certificates created by custom‑role users are not visible to the same user
Component: BIG-IQ Local Traffic & Management
Symptoms:
When a custom-role user creates a certificate, the CSR Attributes do not appear unless an admin manually assigns the certificate to the Resource Group.
Conditions:
Occurs when a custom-role user with a custom service role (assigned Role type and Resource Group) creates a certificate using a Venafi CA provider. CSR Attributes are not visible to the creator.
Impact:
Users with custom service roles cannot view CSR Attributes for certificates they create, despite having full permissions on certificate-related objects.
Workaround:
When an admin manually adds the certificate to the Resource Group, the CSR Attributes become visible to the creator.
2162157-1 : Unable to set virtual server IP address when using an AS3 application template on the webUI
Component: BIG-IQ Application Management
Symptoms:
Only advanced schema inputs are shown for virtual address.
Conditions:
BIG-IQ v8.4.0 using AS3 application template.
Impact:
Unable to set a new IP address for virtual servers, when trying to deploy an application using BIG-IQ AS3 application templates.
Workaround:
- An EHF is available containing the fix for this issue.
- AS3 on BIG-IQ may also be downgraded to versions pre-v3.54.0 (eg. v3.41.0).
2144153-1 : The script parameter is shown for all monitor types instead of external monitor
Component: BIG-IQ Application Management
Symptoms:
The script parameter is displayed for all monitor types by default, even though it is intended to be displayed for External Monitor type.
Conditions:
Adding a Monitor Class of any monitor type.
Impact:
Displays the script parameter for unsupported monitor types.
Workaround:
None.
2122841-1 : While creating Application Services, having a Monitor Type that is editable does not work
Component: BIG-IQ Application Management
Symptoms:
When the Monitor Type is marked as editable in an Application Template, changing the Monitor Type during Application Service creation does not function by showing the respective Monitor Type definitions.
Conditions:
Monitor Type set as editable in the template and creating an Application Service using the published template.
Impact:
Monitor Type that is editable does not work during creation of application services.
Workaround:
None.
2122837-1 : Big-IQ: AS3 Templates All Monitor_ classes fail
Component: BIG-IQ Application Management
Symptoms:
Monitor_ Classes are visible in the webUI, which are definitions of Monitor Class based on monitorType.
Conditions:
Modifying Classes for an AS3 template.
Impact:
Add/Remove Classes dropdown displays "Monitor_" Classes along with the Monitor Class.
Workaround:
None.
2107121-1 : The environment variables are not displayed as key-value pairs for the external monitor type
Component: BIG-IQ Application Management
Symptoms:
When using the external monitor type, environment variables are not displayed as key-value pairs. Instead, they are shown in a single text field where values must be entered as a string.
Conditions:
Using the external monitor type in the application template and editing environment variables in the template containing Monitor class.
Impact:
Environment variables cannot be edited in the standard key-value pair format for external monitors.
Workaround:
None.
1935917-1 : Non-admin users with custom permissions are unable to view certificates and keys from web UI or through iControl REST API
Links to More Info: BT1935917
Component: BIG-IQ Local Traffic & Management
Symptoms:
- Certs and keys were previously visible for the affected user on a version pre-v8.4.0.
- Non-admin users with correct permissions are unable to view the list of certs and keys from the UI or through iControl REST API.
- Executing the following command for the affected user (eg. 'f5testuser') returns an empty set:
curl -su 'f5testuser' http://localhost:8100/mgmt/cm/adc-core/working-config/sys/file/ssl-cert | jq .
Enter host password for user 'f5testuser':
{
"items": [],
"generation": 2,
"lastUpdateMicros": 1755557580126930,
"kind": "cm:adc-core:working-config:sys:file:ssl-cert:adcsslcertcollectionstate",
"selfLink": "https://localhost/mgmt/cm/adc-core/working-config/sys/file/ssl-cert"
}
Conditions:
- BIG-IQ running on v8.4.0
Impact:
Non-admin users with custom permissions are unable to manage certificates/keys through the UI or through iControl REST API.
Workaround:
There is no workaround. Install an EHF containing the fix for ID1935917 on v8.4.0 to address this issue.
1696741-1 : Error: ha-quorum: Username and/or password is incorrect
Links to More Info: BT1696741
Component: REST Framework and TMOS Platform
Symptoms:
Setting up automatic HA failover returns an error similar to the following:
An error occurred while adding the BIG-IQ: Error: ha-secondary: Username and/or password is incorrect Error: ha-quorum: Username and/or password is incorrect Error: ha-primary: Username and/or password is incorrect
Restjavad log on primary CM would have an entry similar to the following:
[WARN][01 Jan 2024 01:00:00 UTC][/shared/ha/add-peer-task/abcdefgh-1234-abcd-1234-abcdefghijkl/worker AddPeerTaskWorker] [/bin/bash, -c, /usr/bin/ha_corosync_config.sh -p <primary_discovery_ip> -s <secondary_discovery_ip> -q <quorum_discovery_ip> -r primary -a <floating_ip> -m] failed with exit code 1, stdout: haclient:x:189:hacluster, stderr: Error: ha-quorum: Username and/or password is incorrect
Error: ha-secondary: Username and/or password is incorrect
Error: ha-primary: Username and/or password is incorrect
Conditions:
- BIG-IQ CMs and DCD (Quorum) are configured to remotely authenticate (eg. TACACS+) users for CLI access.
Impact:
The user 'hacluster' could not be authenticated remotely, hence the HA autofailover setup task fails.
Workaround:
If the issue has already occurred, the cluster would need to be rebuilt by running the following on the primary and secondary CMs and on DCDs:
ha_reset -f <device local discovery IP>
reset-data-collection-cluster
Add 'hacluster' user in the CMs and Quorum DCD's /config/bigip/auth/localusers. Note that this will not survive reboots.
Add at least one DCD into the cluster that will be used as quorum device, then configure the autofailover HA.
Use the guide in https://my.f5.com/manage/s/article/K11948 for creating a script that would add hacluster user into /config/bigip/auth/localusers everytime that the CMs and Quorum device reboot.
1576437-1 : When generating a CSR with a custom partition Venafi certificate stored in the wrong partition with 'Base64' format.
Links to More Info: BT1576437
Component: BIG-IQ Local Traffic & Management
Symptoms:
Venafi certificate is stored in the wrong partition when generating a CSR with a custom partition.
Conditions:
When generating a CSR with a custom partition in 'Base64' format.
Impact:
Venafi certificate is stored in the wrong partition
Workaround:
None
1316593-2 : An error occurs when importing an ASM Policy containing the same URLs but with different HTTP request methods
Links to More Info: BT1316593
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
BIG-IQ restjavad log file would show an error similar to the following when importing configuration from a BIG-IP ASM device:
[/cm/asm/tasks/discover-config/4e3b4176-308e-4591-8468-4ef9719efdc2/worker AsmDiscoveryTaskWorker] Error while creating 'ASM Policy - Url' 'null' in current-config: http://localhost:8100/cm/asm/current-config/policies/343a57d0-1c6f-36f0-b0a9-fb4647bbe1d5/urls, and while creating 'ASM Policy - Url' 'null' in current-config: http://localhost:8100/cm/asm/current-config/policies/343a57d0-1c6f-36f0-b0a9-fb4647bbe1d5/urls, and while creating 'ASM Policy - Url' 'null' in current-config: http://localhost:8100/cm/asm/current-config/policies/343a57d0-1c6f-36f0-b0a9-fb4647bbe1d5/urls, and while creating 'ASM Policy - Url' 'null' in current-config: http://localhost:8100/cm/asm/current-config/policies/343a57d0-1c6f-36f0-b0a9-fb4647bbe1d5/urls : java.lang.IllegalArgumentException: Duplicate item. Key already exists: protocol : http, name : /test/duplicateUrl
In this example, inspecting the affected ASM policy from the BIG-IP ASM that is being imported should reveal that one of the affected URLs would have multiple allowed URL entries for "/test/duplicateUrl", but those entries would have different HTTP request methods.
Conditions:
- Multiple entries in the ASM policy for the same URL but with different HTTP request methods.
Impact:
Unable to import ASM policy configuration from the BIG-IP ASM device.
Workaround:
The feature for having multiple entries for the same allowed URLs having different HTTP request methods is not yet implemented for BIG-IQ v8.3.0.
Avoid using multiple entries for the same allowed URLs.
If the feature is absolutely necessary, install an EHF for ID1316593.
1079769-5 : Tmm utilizing the virtio driver might crash after modifying several IPv6 virtual servers
Links to More Info: BT1079769
Component: REST Framework and TMOS Platform
Symptoms:
Tmm crash
There might be entries similar to the following in the tmm log:
notice virtio[0:7.0]: MAC filter[27]: 33:33:ff:00:10:01 - deleted
notice virtio[0:7.0]: MAC filter[27]: 33:33:ff:00:10:01 - added
Conditions:
-- The tmm is utilizing the virtio driver for network communications.
-- Many changes, of the order of at least 1900, are made to IPv6 listeners.
Impact:
Traffic disrupted while tmm restarts.
Workaround:
A work-around would be to utilize the sock driver. However, that will not perform as well.
For additional support resources and technical documentation, see:
- The F5 Technical Support website: http://www.f5.com/support/
- The MyF5 website: https://my.f5.com/manage/s/
- The F5 DevCentral website: http://community.f5.com/