Manual Chapter : BIG-IQ Centralized Management 8.4.2 :Fixes and Known Issues
BIG-IQ CM Release Information

Version: 8.4.2.1
Build: 67.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

The blue background highlights fixes

Cumulative fixes from BIG-IQ CM v8.4.2 that are included in this release
Cumulative fixes from BIG-IQ CM v8.4.1 that are included in this release
Known Issues in BIG-IQ CM v8.4.x

Fixed in this Release

ID Number Links to More Info Description Fixed Versions
2304693-12 K000162231 Improvements in HTTP/2 on TMM8.4.2.1
2264133-4 K000160975, BT2264133 TMSH improvements8.4.2.1
2252481-4 K000161023, BT2252481 Undisclosed network traffic can cause a TMM crash8.4.2.1
2229021-5 K000160876, BT2229021 iControl REST issue8.4.2.1
2227441-5 K000160916, BT2227441 Apply limitations on certain object creation8.4.2.1
2221493-6 K000160971, BT2221493 SCP Improvement8.4.2.1
2220369-5 K000160874, BT2220369 BIG-IP GUI/API Improvements8.4.2.1
2219173-5 K000160975, BT2219173 TMSH improvements8.4.2.1
2202097-6 K000160916, BT2202097 Apply limitations on certain object creation8.4.2.1
2201965-5 K000160863, BT2201965 TMSH improvement8.4.2.1
2201789-6 K000160975, BT2201789 TMSH improvements8.4.2.1
2201769-6 K000160975, BT2201769 TMSH improvements8.4.2.1
2201745-6 K000160975, BT2201745 TMSH improvements8.4.2.1
2201725-6 K000160975, BT2201725 TMSH improvements8.4.2.1
2201697-6 K000160975, BT2201697 TMSH improvements8.4.2.1
2201377-5 K000160979, BT2201377 iControl REST improvements8.4.2.1
2200437-5 K000160981, BT2200437 SNMP Improvement8.4.2.1
2200421-6 K000160981, BT2200421 SNMP Improvement8.4.2.1
2197377-4 K000160945, BT2197377 TMM crashes under specific traffic.8.4.2.1
2196137-2 K000160003, BT2196137 Issue observed only in BIG-IP 17.5.1.4: traffic processed by AFM or DDoS Hybrid Defender may cause TMM to restart8.4.2.1
2257421-5 K000161107, BT2257421 TMSH enhancements8.4.2.1
2225201-6 K000160911, BT2225201 iControl REST hardening8.4.2.1
2221689-9 K000161022, BT2221689 TMSH hardening8.4.2.1
2221169-5 K000160903, BT2221169 iControl REST Hardening8.4.2.1
2221161-9 K000161018, BT2221161 TMSH hardening8.4.2.1
2217485-6 K000161107, BT2217485 TMSH Improvements8.4.2.1
2208913-5 K000160973, BT2208913 iControl SOAP hardening8.4.2.1
929709-15 K66544153, BT929709 jQuery vulnerability CVE-2020-110238.4.2.1
2218309-8 K000160079 CVE-2025-22026 kernel: nfsd: don't ignore the return code of svc_proc_register()8.4.2.1

Functional Change Fixes

None


REST Framework and TMOS Platform Fixes

ID Number Links to More Info Description Fixed Versions
1924693-8 CVE-2020-26939 bouncycastle: Address OAEP decoding side-channel leaking RSA private exponent8.4.2.1
2228837-9 BT2228837 System Integrity Status: Unavailable on BIG-IP versions with the fix for ID21412058.4.2.1
2219053-4 CVE-2025-13878: Malformed BRID/HHIT records can cause named to terminate unexpectedly8.4.2.1
2141021-4 CVE-2025-6069 - html.parser (cpython)8.4.2.1


Cumulative fixes from BIG-IQ CM v8.4.2 that are included in this release


Fixes

ID Number Links to More Info Description Fixed Versions
2221445-5 K000160972, BT2221445 Improving scripts of Failover8.4.2.1
2221413-5 K000160971, BT2221413 SCP Improvement8.4.2.1
1967025-5 K000156581, BT1967025 Improved Permission Handling in REST SNMP Endpoint and TMSH
725912 K21344224 CVE-2018-3665: Intel Lazy FPU Vulnerability
2221517-5 K000160971 BIG-IP SCP hardening8.4.2.1
2216645-4 K000160857, BT2216645 UCS Backup Improvements8.4.2.1
2198369-1 K000157365 CVE-2022-31129 - Multiple Libraries - bigiq-analytics-ui
2198065-1 K50455702 CVE-2021-41184 - jquery-ui-1.12.1.tgz - bigiq-mgmt-ui
2198053-1 K000157365 CVE-2022-31129 - moment-2.29.1.tgz - bigiq-mgmt-ui
2198049-1 K000134507 CVE-2022-31160 - jquery-ui-1.12.1.tgz - bigiq-mgmt-ui
1966841-7 K000152931, BT1966841 CVE-2023-39417 postgresql: extension script @substitutions@ within quoting allow SQL injection
1966785-7 K000152931, BT1966785 CVE-2023-2454 postgresql: schema_element defeats protective search_path changes
1450181-2 K000156581, BT1450181 Improved Permission Handling in REST SNMP Endpoint and TMSH
1099369-6 K21548854, BT1099369 CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs.
2053165-1 K000158112, BT2053165 CVE-2025-47268 iputils: Signed Integer Overflow in Timestamp Multiplication in iputils ping
1971593-6 K000152931 CVE-2023-2455 & CVE-2024-7348 PostgreSQL Vulnerabilities
1966793-8 K000152931 CVE-2023-2455 postgresql: row security policies disregard user ID changes after inlining.
1928545 K000150943 Postgres CVE-2020-14349: An uncontrolled search path element vulnerability in logical replication.
1814405-2 K000150814 CVE-2024-11187- Bind Vulnerability
1324085-11 K000137969, BT1324085 Multiple OpenSSL Vulnerabilities8.4.2.1

Functional Change Fixes

None


BIG-IQ Local Traffic & Management Fixes

ID Number Links to More Info Description Fixed Versions
2256705 Re-importing BIG-IP LTM device into BIG-IQ fails with "not authenticated" error when log-config filter/publisher objects are out of sync
2251889 "dependsOn" property shown as changed for DNS A and AAAA Pool Members during configuration evaluation
2219809 Unable to import Certificate with a custom silo
2198921 CSR Attributes of certificates created by custom‑role users are not visible to the same user

BIG-IQ Configuration - Infrastructure Fixes

ID Number Links to More Info Description Fixed Versions
2219357 BIG-IP ASM configurations cannot be imported into BIG-IQ if the geolocation includes Curaçao (CW), Sint Maarten (SX), or South Sudan (SS).

BIG-IQ Device Management Fixes

ID Number Links to More Info Description Fixed Versions
2251877 BT2251877 BIG-IQ API assigns incorrect Utility license offering when multiple SKUs share substring names
2230133 The QKView does not include elasticsearch.yml configuration file on BIG-IQ
2139221 Incorrect link reference to the internal F5 licensing service when activating BIG-IQ license

REST Framework and TMOS Platform Fixes

ID Number Links to More Info Description Fixed Versions
1923657-9 CVE-2022-41858 kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip
2263745-6 CVE-2026-1519 bind: BIND: Denial of Service via maliciously crafted DNSSEC-validated zone
2228901 BIG-IQ Upgrade to 8.4.1 Breaks Single-NIC Deployments, Resulting in UI Access Loss
2286445 CVE-2025-69873: Regular Expression Denial of Service (ReDoS) Vulnerability in ajv8.4.2.1
2286349 CVE-2026-4800: Vulnerability in lodash8.4.2.1
2286313 CVE-2025-13465: Vulnerability in lodash8.4.2.1
2286253 CVE-2025-13465: Security Vulnerability in lodash
2286177 CVE-2026-4800: Vulnerability in lodash-es
2198461-1 CVE-2025-64718: Security Vulnerability in js-yaml
2198385-1 CVE-2025-5889: Vulnerability in brace-expansion
2198233-1 CVE-2025-5889 - brace-expansion: juliangruber brace-expansion index.js expand redos
2197965-1 CVE-2025-64718 js-yaml vulnerability
2046917 Non-essential services (hwpd, ipsd, updated) show as "normally up" on BIG-IQ
1893369-10 CVE-2021-33033 kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c
2197085-1 CVE-2022-41862 postgresql: Client memory disclosure when connecting with Kerberos to modified server
2186153-5 CVE-2025-8194 cpython: Cpython infinite loop when parsing a tarfile
1429861-10 CVE-2019-5737: HTTP or HTTPS Denial of Service in keep-alive mode (NodeJS v6)
1052477-8 CVE-2020-10751 kernel: SELinux netlink permission check bypass


Cumulative fixes from BIG-IQ CM v8.4.1 that are included in this release


Fixes

ID Number Links to More Info Description Fixed Versions
933501-2 K68652018 iControl REST vulnerability CVE-2021-22974
915981-7 K38271531, BT915981 BIG-IP SCP hardening
887637-6 K22040951, BT887637 Systemd-journald Vulnerability: CVE-2019-3815
2140641-6 K000157334 CVE-2025-40778: Bind Vulnerability
2140621-5 K000157317, BT2140621 CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling
2137581-9 K000158978, BT2137581 TMM core may occur under certain conditions
1366025-15 K000137106, BT1366025 A particular HTTP/2 sequence may cause high CPU utilization.
1330801-7 K000137090, BT1330801 NodeJS Vulnerability CVE-2018-12123, CVE-2018-12121, CVE-2018-12122
1330721-7 K000137093, BT1330721 Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116
1167897-10 K44454157, BT1167897 [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c8.3.0
1061969-24 K000149329, BT1061969 Postgresql package upgrade to 15.0 version
1016657-6 K54082580, BT1016657 TMM may crash while processing LSN traffic
987813-7 K65234135, BT987813 CVE-2020-25643 kernel:improper input validation in the ppp_cp_parse_cr function
968737-3 K83102920, BT968737 CVE-2018-18397 : kernel: userfaultfd bypasses tmpfs file permissions
968725-7 K04337834, BT968725 Linux Kernel Vulnerability CVE-2017-10661
965545-13 K41142448, BT965545 CVE-2020-27617 : QEMU Vulnerability
945421-8 K92451315, BT945421 CVE-2020-1968: Raccoon vulnerability
940317-12 K23157312, BT940317 CVE-2020-13692: PostgreSQL JDBC Driver vulnerability8.4.0, 8.2.0
928901-7 K02453220 jQuery vulnerability CVE-2020-11022
838697 K05975972 CVE-2020-5923 - Self IP Port Lockdown Bypass Vulnerability
816413-3 K31085564, BT816413 CVE-2019-1125: Spectre SWAPGS Gadget
725045 K42027747 SNMP traps do not follow current best practices
617963 K15104541 CVE-2015-1283: Heap-buffer-overflow in expat.
2131233-3 K000158979, BT2131233 ADM not functioning properly
2130601-5 K000156761, BT2130601 TMUI Request Processing Improvement
2113093-2 K000149073 CVE-2021-3393: Partition constraint violation errors leak values of denied columns
2078425-2 K000158029 BIG-IQ Request Handling Improvements
2013225-2 K72382141 CVE-2021-34798: Apache HTTP Server NULL pointer dereference via malformed requests (availability/DoS)
1966849-7 K000152931, BT1966849 CVE-2023-5869 postgresql: Buffer overrun from integer overflow in array modification
1623197-4 K000140711, BT1623197 CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects
1620285 K000140784 CVE-2024-38477 Apache HTTPD vulnerability
1586537-8 K000140188, BT1586537 CVE-2024-0985 postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL
1517561-4 K000139641, BT1517561 CVE-2023-28484 libxml2: NULL dereference in xmlSchemaFixupComplexType
1470177-5 K000138650, BT1470177 CVE-2023-46218 curl: information disclosure by exploiting a mixed case flaw
1450481-4 K32950402, BT1450481 TMSH hardening
1407837-1 K000138219, BT1407837 libssh2 vulnerability CVE-2020-22218
1327169-6 K000135921, BT1327169 CVE-2023-24329 python: urllib.parse url blocklisting bypass
1271341-8 K000160901, BT1271341 Unable to use DTLS without TMM crashing
1270257-7 K000133753, BT1270257 CVE-2023-0662 php: DoS vulnerability when parsing multipart request body
1266853-11 K000133052, BT1266853 CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts
1173825-5 K000157895, BT1173825 Improper sanitisation in Qkview data
1099365-6 K21548854 CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs.
1093685-6 K52379673, BT1093685 CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it
1089233-6 K54724312 CVE-2022-0492 Linux kernel vulnerability
1088445-10 K67090077, BT1088445 CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body
1070905-1 K21054458, BT1070905 CVE-2017-7656 jetty: HTTP request smuggling using the range header
1058701 K77326807 CVE-2021-25219 : BIND exploitation of broken authoritative servers
1057393-4 K10812540, BT1057393 CVE-2019-18197 libxslt vulnerability: use after free in xsltCopyText
1004881-9 K12492858, BT1004881 Update angular, jquery, moment, axios, and lodash libraries in AGC
993681-7 K32380005, BT993681 CVE-2019-18282 Kernel: Device Tracking Vulnerability
989373-8 K67830124, BT989373 CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem
987749-10 K62532228, BT987749 CVE-2020-10769 kernel: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c
981885-5 K61186963 CVE-2020-8285 curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used
975605-7 K00409335, BT975605 CVE-2018-1122 procps-ng, procps: Local privilege escalation in top
974093-6 K09604370 Linux kernel vulnerability CVE-2020-25705
973409-9 K42910051, BT973409 CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference
950605-1 K48050136, BT950605 Openssh insecure client negotiation CVE-2020-14145
949889-8 K04107324, BT949889 CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
945109-13 K46641512, BT945109 Freetype Parser Skip Token Vulnerability CVE-2015-93828.2.0
945033-9 K57542514, BT945033 Python Vulnerability (CVE-2019-9636): Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization
939421-8 K38481791, BT939421 CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow
872109-15 K24551552, BT872109 CVE-2019-17563: Tomcat Vulnerability
845381-10 K04367730 CVE-2018-14468 - TCPDUMP Buffer Over-Read Vulnerability in FRF.16 Parser
834153-6 K80311892 CVE-2019-13232 unzip: overlapping of files in ZIP container
832757-7 K48073202, BT832757 Linux kernel vulnerability CVE-2017-18551
823877-15 K25126370, BT823877 CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability
819053-8 K80311892, BT819053 CVE-2019-13232 unzip: overlapping of files in ZIP container
805793 K51011533 CVE-2018-20843: libexpat XML parser denial-of-service via excessive colons in XML names (fixed in BIG-IQ 8.4.1)
798889-1 K11225249, BT798889 CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free
760895-1 K64119434, BT760895 CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result
757604-8 K12252011 Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111
740321-6 K50310001, BT740321 iControl SOAP API does not follow current best practices
713971-3 K08044291 CVE-2018-0739: OpenSSL Vulnerability
1983321-4 K000152614, BT1983321 CVE-2025-48976 apache-commons-fileupload: Apache Commons FileUpload DoS via part headers
1928541 K000150943 CVE-2019-10164 - PostgreSQL Stack-Based Buffer Overflow via Password Change
1921301 K000150746 PostgreSQL Memory Disclosure Vulnerabilities
1858553-2 K000151082 PostgreSQL vulnerability CVE-2021-32027
1692917-4 K000148252, BT1692917 CVE-2024-6232 CPython Tarfile vulnerability
1678793-8 K000141459, BT1678793 CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes
1678777-9 K000141459, BT1678777 CVE-2022-25869 angular.js : insecure page caching in the browser, which allows interpolation of <textarea> elements.
1678769-8 K000141463, BT1678769 CVE-2023-26116 angularjs: Regular Expression Denial of Service via angular.copy()
1673161-5 K000149884, BT1673161 CVE-2023-45853 zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6
1589661-4 K000149288, BT1589661 CVE-2019-3860 libssh2: Out-of-bounds reads with specially crafted SFTP packets
1589645-4 K000149288, BT1589645 CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read
1589489-1 K000148713 libssh Vulnerability CVE-2019-3858
1566997-1 K000148259, BT1566997 CVE-2016-10349 libarchive: Heap-based buffer over-read in the archive_le32dec function
1566533-6 K000139901, BT1566533 CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code
1561689-1 K000148259, BT1561689 CVE-2016-10350 libarchive: Heap-based buffer over-read in the archive_read_format_cab_read_header function
1474757-4 K000138827, BT1474757 CVE-2023-51385 openssh: potential command injection via shell metacharacters
1393733-6 K000139700, BT1393733 CVE-2022-43750 kernel: memory corruption in usbmon driver
1304081-1 K000135178, BT1304081 CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers
1089921-7 K08827426, BT1089921 Vim vulnerability CVE-2022-0359
1086325-9 K49419538, BT1086325 CVE-2016-4658 libxml2 vulnerability
1058197-7 K000157984, BT1058197 CVE-2019-14973: LibTIFF Vulnerability
1057141-1 K000151007, BT1057141 CVE-2018-14647 python: Missing salt initialization in _elementtree.c module
1055925-3 K34511555, BT1055925 TMM may crash while processing traffic on AWS
1043977-7 K53225395, BT1043977 CVE-2021-3672 CVE-2021-22931 NodeJS Vulnerabilities in iAppLX
1035781-2 K75133288, BT1035781 CVE-2021-33909: Linux Kernel Vulnerability
1021245-4 K78284681, BT1021245 CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
1017965-7 K11426315, BT1017965 BIND Vulnerability CVE-2021-25214
1001369-5 K16729408, BT1001369 D-Bus vulnerability CVE-2020-12049
1041141-1 K98121587, BT1041141 CVE-2021-35942 glibc: Arbitrary read in wordexp()

Functional Change Fixes

None


BIG-IQ System User Interface Fixes

ID Number Links to More Info Description Fixed Versions
1038149 WS-2019-00638.3.0

BIG-IQ Local Traffic & Management Fixes

ID Number Links to More Info Description Fixed Versions
1988937-2 Inability to overwrite an existing cert bundle due to excessive calls to certificate-management
1935917 BT1935917 Users with custom permissions but lacking admin privileges are unable to view certificates and keys via the web UI or the iControl REST API.
1921553-2 Re-import LTM service with log filter fail with error "Failed copying from source to target: java.lang.RuntimeException: not authenticated"

REST Framework and TMOS Platform Fixes

ID Number Links to More Info Description Fixed Versions
1925461-11 CVE-2016-2053 Linux Kernel Vulnerability
2140909 BT2140909 BIG-IQ: Enable F5 Trusted CA store avoid CA pinning8.3.0
2162989 BIG-IQ CM is unable to request full cert bundle from Venafi
2149233-6 K000158082, BT2149233 TMM crashes when using SSL
2141245-4 Undisclosed traffic to TMM can lead to resource exhaustion
2014237-2 CVE-2022-29154: rsync client path validation issue may allow overwrite of arbitrary files in target directory
1923997-9 CVE-2023-1668-openvswitch: ip proto 0 triggers incorrect handling
1923817-8 CVE-2017-11499: Constant Hashtable Seeds vulnerability (NodeJS v6.9.1)
1093933-6 CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
1753617-8 CVE-2023-24621 Untrusted Polymorphic Deserialization to Java Classes
1144421-1 CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation
1069949-5 CVE-2018-1000007 curl: HTTP authentication leak in redirects
1061485-7 CVE-2019-19527: Linux kernel vulnerability
1059229-1 CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c
1052437-1 CVE-2019-19532 kernel: malicious USB devices can lead to multiple out-of-bounds write
1052433-1 CVE-2019-19530: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver
1052333-12 CVE-2018-16885: Linux kernel vulnerability
1052253-12 CVE-2018-13095 kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c
1052249-11 CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function
1052245-6 CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function
1052217-11 CVE-2018-19985 kernel: oob memory read in hso_probe in drivers/net/usb/hso.c
1051869-6 CVE-2018-20169: Linux kernel vulnerability
1051769-5 CVE-2019-10140 kernel: overlayfs: NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c
1051697-8 CVE-2019-11833 kernel: fs/ext4/extents.c leads to information disclosure

Cumulative fix details for BIG-IQ CM v8.4.2.1 that are included in this release

993681-7 : CVE-2019-18282 Kernel: Device Tracking Vulnerability

Links to More Info: K32380005, BT993681


989373-8 : CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem

Links to More Info: K67830124, BT989373


987813-7 : CVE-2020-25643 kernel:improper input validation in the ppp_cp_parse_cr function

Links to More Info: K65234135, BT987813


987749-10 : CVE-2020-10769 kernel: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c

Links to More Info: K62532228, BT987749


981885-5 : CVE-2020-8285 curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used

Links to More Info: K61186963


975605-7 : CVE-2018-1122 procps-ng, procps: Local privilege escalation in top

Links to More Info: K00409335, BT975605


974093-6 : Linux kernel vulnerability CVE-2020-25705

Links to More Info: K09604370


973409-9 : CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference

Links to More Info: K42910051, BT973409


968737-3 : CVE-2018-18397 : kernel: userfaultfd bypasses tmpfs file permissions

Links to More Info: K83102920, BT968737


968725-7 : Linux Kernel Vulnerability CVE-2017-10661

Links to More Info: K04337834, BT968725


965545-13 : CVE-2020-27617 : QEMU Vulnerability

Links to More Info: K41142448, BT965545


950605-1 : Openssh insecure client negotiation CVE-2020-14145

Links to More Info: K48050136, BT950605


949889-8 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()

Links to More Info: K04107324, BT949889


945421-8 : CVE-2020-1968: Raccoon vulnerability

Links to More Info: K92451315, BT945421


945109-13 : Freetype Parser Skip Token Vulnerability CVE-2015-9382

Links to More Info: K46641512, BT945109


945033-9 : Python Vulnerability (CVE-2019-9636): Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization

Links to More Info: K57542514, BT945033


940317-12 : CVE-2020-13692: PostgreSQL JDBC Driver vulnerability

Links to More Info: K23157312, BT940317


939421-8 : CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow

Links to More Info: K38481791, BT939421


933501-2 : iControl REST vulnerability CVE-2021-22974

Links to More Info: K68652018


929709-15 : jQuery vulnerability CVE-2020-11023

Links to More Info: K66544153, BT929709


928901-7 : jQuery vulnerability CVE-2020-11022

Links to More Info: K02453220


915981-7 : BIG-IP SCP hardening

Links to More Info: K38271531, BT915981


887637-6 : Systemd-journald Vulnerability: CVE-2019-3815

Links to More Info: K22040951, BT887637


872109-15 : CVE-2019-17563: Tomcat Vulnerability

Links to More Info: K24551552, BT872109


845381-10 : CVE-2018-14468 - TCPDUMP Buffer Over-Read Vulnerability in FRF.16 Parser

Links to More Info: K04367730


838697 : CVE-2020-5923 - Self IP Port Lockdown Bypass Vulnerability

Links to More Info: K05975972


834153-6 : CVE-2019-13232 unzip: overlapping of files in ZIP container

Links to More Info: K80311892


832757-7 : Linux kernel vulnerability CVE-2017-18551

Links to More Info: K48073202, BT832757


823877-15 : CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability

Links to More Info: K25126370, BT823877


819053-8 : CVE-2019-13232 unzip: overlapping of files in ZIP container

Links to More Info: K80311892, BT819053


816413-3 : CVE-2019-1125: Spectre SWAPGS Gadget

Links to More Info: K31085564, BT816413


805793 : CVE-2018-20843: libexpat XML parser denial-of-service via excessive colons in XML names (fixed in BIG-IQ 8.4.1)

Links to More Info: K51011533


798889-1 : CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free

Links to More Info: K11225249, BT798889


760895-1 : CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result

Links to More Info: K64119434, BT760895


757604-8 : Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111

Links to More Info: K12252011


740321-6 : iControl SOAP API does not follow current best practices

Links to More Info: K50310001, BT740321


725912 : CVE-2018-3665: Intel Lazy FPU Vulnerability

Links to More Info: K21344224


725045 : SNMP traps do not follow current best practices

Links to More Info: K42027747


713971-3 : CVE-2018-0739: OpenSSL Vulnerability

Links to More Info: K08044291


617963 : CVE-2015-1283: Heap-buffer-overflow in expat.

Links to More Info: K15104541


2304693-12 : Improvements in HTTP/2 on TMM

Links to More Info: K000162231


2286445 : CVE-2025-69873: Regular Expression Denial of Service (ReDoS) Vulnerability in ajv

Component: REST Framework and TMOS Platform

Symptoms:
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.

Conditions:
This issue arises when the $data feature is enabled in ajv and unvalidated input is passed to runtime schemas containing the pattern keyword.

Impact:
This could render the application unavailable, causing significant operational disruptions. While confidentiality or integrity remain unaffected, availability is severely impacted.

Workaround:
NA

Fix:
This issue has been fixed in BIG-IQ 8.4.2

Fixed Versions:
8.4.2.1


2286349 : CVE-2026-4800: Vulnerability in lodash

Component: REST Framework and TMOS Platform

Symptoms:
A vulnerability was identified in the lodash-es package from v4.0.0 to v4.18.0(excluding), potentially allowing attackers to manipulate property access or prototype pollution. Exploiting this can enable attackers to execute arbitrary code or modify application behavior.

Conditions:
NA

Impact:
Can lead to unauthorized modification of application behavior, exposing sensitive information, causing data corruption, or enabling arbitrary code execution.

Workaround:
This issue has been fixed in BIG-IQ 8.4.2

Fix:
This issue has been fixed in BIG-IQ 8.4.2

Fixed Versions:
8.4.2.1


2286313 : CVE-2025-13465: Vulnerability in lodash

Component: REST Framework and TMOS Platform

Symptoms:
A vulnerability exists in Lodash versions 4.0.0 through 4.17.22 impacting the _.unset and _.omit functions. This issue allows attackers to delete methods from global prototypes by passing crafted paths, potentially impacting runtime behavior of applications. While this issue permits deletion, it does not allow overwriting property behavior

Conditions:
NA

Impact:
leading to application instability or service disruption. Confidentiality is not directly impacted, but availability and integrity are at significant risk.

Workaround:
This issue has been fixed in BIG-IQ 8.4.2

Fix:
This issue has been fixed in BIG-IQ 8.4.2

Fixed Versions:
8.4.2.1


2286253 : CVE-2025-13465: Security Vulnerability in lodash

Component: REST Framework and TMOS Platform

Symptoms:
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior

Conditions:
NA

Impact:
Application instability or service disruption. Confidentiality is not directly impacted, but availability and integrity are at significant risk.

Workaround:
This issue has been fixed in BIG-IQ 8.4.2

Fix:
This issue has been fixed in BIG-IQ 8.4.2


2286177 : CVE-2026-4800: Vulnerability in lodash-es

Component: REST Framework and TMOS Platform

Symptoms:
A vulnerability was identified in the lodash-es package from v4.0.0 to v4.18.0(excluding), potentially allows to manipulate property access or prototype pollution.

Conditions:
The issue arises when the vulnerable version of the lodash-es library is used to process untrusted user-generated inputs.

Impact:
Can lead to unauthorized modification of application behavior, exposing sensitive information, causing data corruption, or enabling arbitrary code execution.

Workaround:
This issue has been fixed in BIG-IQ 8.4.2

Fix:
This issue has been fixed in BIG-IQ 8.4.2


2264133-4 : TMSH improvements

Links to More Info: K000160975, BT2264133


2263745-6 : CVE-2026-1519 bind: BIND: Denial of Service via maliciously crafted DNSSEC-validated zone

Component: REST Framework and TMOS Platform

Symptoms:
A vulnerability in BIND could allow a remote attacker to send a malicious DNSSEC zone, causing high CPU usage and resulting in a denial of service (DoS).

Conditions:
The vulnerability can be exploited when a BIND resolver processes a maliciously crafted DNSSEC-validated zone.

Impact:
An attacker could cause excessive CPU consumption on the BIND resolver, leading to a denial of service (DoS) and disruption of legitimate DNS requests.

Workaround:
Upgrade BIND to the fixed version

Fix:
BIND upgraded to fixed version


2257421-5 : TMSH enhancements

Links to More Info: K000161107, BT2257421


2256705 : Re-importing BIG-IP LTM device into BIG-IQ fails with "not authenticated" error when log-config filter/publisher objects are out of sync

Component: BIG-IQ Local Traffic & Management

Symptoms:
When attempting to re-import a BIG-IP LTM device into BIG-IQ, the operation fails during the COPY_CONFIG step with the following error:

Failed to copy configuration to working-config; reason: Failed copying from source to target: java.lang.RuntimeException: not authenticated

The failure occurs during bulk update operations involving log-config filter and publisher objects.

Conditions:
-- Log-config publisher objects exist on both BIG-IPs

-- Log-config filter object exists only on one BIG-IP

-- After modifying the log-config filter on the BIG-IP with the filter, and re-importing into BIG-IQ, a sync gap is created

-- Re-import triggers a bulk update, targeting the device missing the filter

Impact:
Users are unable to re-import BIG-IP LTM devices into BIG-IQ when log-config filter/publisher objects are out of sync. This blocks configuration management and synchronization between BIG-IQ and BIG-IP devices.

Workaround:
None.

Fix:
Re-importing BIG-IP LTM devices now succeeds even when log-config filter/publisher objects are out of sync. The "not authenticated" error no longer occurs.


2252481-4 : Undisclosed network traffic can cause a TMM crash

Links to More Info: K000161023, BT2252481


2251889 : "dependsOn" property shown as changed for DNS A and AAAA Pool Members during configuration evaluation

Component: BIG-IQ Local Traffic & Management

Symptoms:
During a configuration evaluation in BIG-IQ for DNS pool members (A and AAAA types), the system consistently reports a difference: the DNS device configuration includes 'dependsOn': [], whereas the BIG-IQ configuration omits the 'dependsOn' property. This leads to persistent false-positive configuration differences during evaluation and deployment.

Conditions:
-- DNS pool member (A or AAAA type) is imported from a DNS device into BIG-IQ
-- Pool member is modified or created in BIG-IQ and pushed to the DNS device
-- The process is performed using Configuration -> Evaluate & Deploy -> DNS in BIG-IQ

Impact:
The evaluation page consistently displays differences for pool members, causing confusion and making it difficult for users to identify actual configuration changes. This affects the reliability of BIG-IQ for managing DNS devices.

Workaround:
None.

Fix:
The transform logic for DNS pool member objects in BIG-IQ has been updated to create the 'dependsOn' property only when dependencies exist. Configuration evaluation now accurately reflects the state of pool members, eliminating false-positive differences.


2251877 : BIG-IQ API assigns incorrect Utility license offering when multiple SKUs share substring names

Links to More Info: BT2251877

Component: BIG-IQ Device Management

Symptoms:
When assigning a Utility license offering via the BIG-IQ API, if multiple offerings have similar SKU names (e.g., one SKU is a substring of another), the API may assign the incorrect license. The system selects the first matching offering from the database, which may not be the intended SKU.

Conditions:
- License pool contains multiple offerings with similar SKU names (e.g., F5-BIG-MSP-A-LTM-12 and F5-BIG-MSP-A-LTM-12-R).
- License assignment is performed using the BIG-IQ API.
- The SKU keyword used in the API request matches more than one offering.

Impact:
The API may assign the wrong license offering, resulting in incorrect licensing of BIG-IP devices. This can affect automation and management workflows, especially for devices that are unreachable or managed only via API.

Workaround:
None

Fix:
The license assignment behavior has been updated to sort offerings by the "name" field in ascending order. This ensures that the shortest, most exact match is chosen when multiple SKUs share a substring name.


2230133 : The QKView does not include elasticsearch.yml configuration file on BIG-IQ

Component: BIG-IQ Device Management

Symptoms:
When generating a QKView on BIG-IQ, the resulting archive does not include the /var/config/rest/elasticsearch/config/elasticsearch.yml file, which is crucial for troubleshooting Elasticsearch-related issues.

Conditions:
-- QKView is generated on a BIG-IQ system running version 8.4.1.
-- The user extracts and examines the QKView archive.
-- The file /var/config/rest/elasticsearch/config/elasticsearch.yml is missing from the archive.

Impact:
Support and users are unable to review Elasticsearch configuration details from QKView, which can hinder troubleshooting and root cause analysis of Elasticsearch problems.

Workaround:
Manually collect the /var/config/rest/elasticsearch/config/elasticsearch.yml file from the BIG-IQ system and provide it to support as needed.

Fix:
QKView will include the /var/config/rest/elasticsearch/config/elasticsearch.yml file in the archive, allowing for complete Elasticsearch configuration review during troubleshooting.


2229021-5 : iControl REST issue

Links to More Info: K000160876, BT2229021


2228901 : BIG-IQ Upgrade to 8.4.1 Breaks Single-NIC Deployments, Resulting in UI Access Loss

Component: REST Framework and TMOS Platform

Symptoms:
After upgrading BIG-IQ CM or DCD with a single network interface from version 8.4.0 to 8.4.1, the management user interface becomes inaccessible on the default port 443. During the post-upgrade reboot, the system automatically reconfigures itself into single-NIC mode, changing the HTTPS port to 8443 and creating a self IP configuration called self_1nic.

Conditions:
This issue occurs when ALL of the following conditions are met:
-- BIG-IQ system (CM or DCD) has only one network interface (single-NIC configuration)
-- Upgrading from BIG-IQ version 8.4.0 to version 8.4.1
-- The system database variable provision.1nic is set to a non-forced value ("enable" or "disable") before upgrade

Impact:
-- Management UI becomes inaccessible at the expected port 443 (port changes to 8443)
-- Production systems require manual intervention to restore functionality

Workaround:
Force-disable single-NIC auto-detection before initiating the upgrade:

tmsh modify sys db provision.1nic value forced_disable

Fix:
The upgrade process now preserves the provision.1nic setting, preventing incorrect reconfiguration of single-NIC systems. Web UI and device discovery/import function as expected after upgrade.


2228837-9 : System Integrity Status: Unavailable on BIG-IP versions with the fix for ID2141205

Links to More Info: BT2228837

Component: REST Framework and TMOS Platform

Symptoms:
The 'tmsh run sys integrity status-check' or 'tpm-status' commands incorrectly report system integrity status as 'Unavailable' although the system software has not been modified.

Detailed output of the "tpm-status -v 3" command includes the following messages:

Cert policy: 1.3.6.1.4.1.3375.0.1.1.1
Required policy:1.3.6.1.4.1.3375.0.1.1.1
Key certificate OID: 1.3.6.1.4.1.3375.0.1.1.1
Popping a key cert into keys
Key cert verification: 0
Invalid key cert detected, removing from verification chain
Verifying SIRR database contents...

System Integrity Status: Unavailable



In addition:

Some Engineering Hotfixes containing a fix for ID2141205 do not successfully resolve the symptoms of ID2141205.

Conditions:
This may occur on affected versions on or after April 4, 2026, when running on the following F5 hardware platforms which include TPM (Trusted Platform Module) hardware:
-- iSeries appliances
-- VIPRION B44xx blades (B4450, B4460)

This may occur when running the follow BIG-IP versions which include the fix for ID 2141205 (https://cdn.f5.com/product/bugtracker/ID2141205.html):
-- Pre-release versions of BIG-IP; specifically, sustaining branches for BIG-IP v21.0.x, v17.5.x and v17.1.x.
-- Engineering Hotfixes which include the fix for ID 2141205. To date, such Engineering Hotfixes have been provided for the following BIG-IP versions:
   -- v17.5.1.3, v17.5.1.4
   -- v17.1.0.1, v17.1.2.2, v17.1.3

Impact:
You are unable to determine the integrity of the system boot components validated by the Trusted Platform Module (TPM). The system integrity status shows Unavailable, when the actual status may be either Valid or Invalid.

Workaround:
None.

Fix:
Trusted Platform Module (TPM) status shows the correct system integrity status for BIG-IP versions which include the fix for ID2141205. ID2141205 is also resolved in BIG-IP releases and Engineering Hotfixes.

Fixed Versions:
8.4.2.1


2227441-5 : Apply limitations on certain object creation

Links to More Info: K000160916, BT2227441


2225201-6 : iControl REST hardening

Links to More Info: K000160911, BT2225201


2221689-9 : TMSH hardening

Links to More Info: K000161022, BT2221689


2221517-5 : BIG-IP SCP hardening

Links to More Info: K000160971


2221493-6 : SCP Improvement

Links to More Info: K000160971, BT2221493


2221445-5 : Improving scripts of Failover

Links to More Info: K000160972, BT2221445


2221413-5 : SCP Improvement

Links to More Info: K000160971, BT2221413


2221169-5 : iControl REST Hardening

Links to More Info: K000160903, BT2221169


2221161-9 : TMSH hardening

Links to More Info: K000161018, BT2221161


2220369-5 : BIG-IP GUI/API Improvements

Links to More Info: K000160874, BT2220369


2219809 : Unable to import Certificate with a custom silo

Component: BIG-IQ Local Traffic & Management

Symptoms:
An error, 'Failed to update cert bundle subcollection,' is displayed when attempting to import a certificate using a custom silo.

Conditions:
Importing a certificate into BIG-IQ with a custom silo (not the default or no-silo) selected during the import process.

Impact:
The certificate cannot be imported under a custom silo.

Workaround:
None.

Fix:
The certificate can be imported successfully under a custom silo.


2219357 : BIG-IP ASM configurations cannot be imported into BIG-IQ if the geolocation includes Curaçao (CW), Sint Maarten (SX), or South Sudan (SS).

Component: BIG-IQ Configuration - Infrastructure

Symptoms:
When attempting to import a BIG-IP device into BIG-IQ, the operation fails with an error such as:

Failed to copy configuration to working-config; reason: Failed copying from source to target: java.lang.IllegalArgumentException: Invalid country code or country : Curacao

The process may also fail if the configuration includes Curacao (CW), Sint Maarten (SX)

Conditions:
The BIG-IP configuration references the geolocation country codes "CW" (Curaçao), "SX" (Sint Maarten), or "SS" (South Sudan).
Attempting to import this configuration into BIG-IQ.
The geolocations.json file on BIG-IQ does not include these country codes.

Impact:
The BIG-IP device cannot be imported into BIG-IQ if the Address List contains the country codes 'SS,' 'CW,' or 'SX.'

Workaround:
Manually add the following entry for "SS" (South Sudan) to the file /var/config/rest/security/geolocations.json on the BIG-IQ system, then restart the restjavad service:

"SS" :
{
  "code" : "SS",
  "name" : "South Sudan",
  "regions" : [
      "Central Equatoria",
      "Eastern Equatoria",
      "Jonglei",
      "Lakes",
      "Northern Bahr el-Ghazal",
      "Unity",
      "Upper Nile",
      "Warrap",
      "Western Bahr el-Ghazal",
      "Western Equatoria"]
},
"CW" :
{
  "code" : "CW",
  "name" : "Curacao",
  "regions" : []
},
"SX" :
{
  "code" : "SX",
  "name" : "Sint Maarten",
  "regions" : []
}


After updating the file, run:
bigstart restart restjavad

Fix:
BIG-IQ now includes the country codes 'CW' (Curaçao), 'SX' (Sint Maarten), and 'SS' (South Sudan) in the geolocations.json file, enabling the successful import of BIG-IP configurations that reference these geolocations.


2219173-5 : TMSH improvements

Links to More Info: K000160975, BT2219173


2219053-4 : CVE-2025-13878: Malformed BRID/HHIT records can cause named to terminate unexpectedly

Component: REST Framework and TMOS Platform

Symptoms:
Malformed BRID/HHIT records can cause `named` to terminate unexpectedly. This issue affects BIND 9 versions 9.18.40 through 9.18.43, 9.20.13 through 9.20.17, 9.21.12 through 9.21.16, 9.18.40-S1 through 9.18.43-S1, and 9.20.13-S1 through 9.20.17-S1.

Conditions:
Triggered by specially crafted or malicious DNS queries.

Impact:
Potential denial of service (DoS) for DNS services.

Workaround:
None

Fix:
Upgraded BIND to a patched version that resolves CVE-2025-13878.

Fixed Versions:
8.4.2.1


2218309-8 : CVE-2025-22026 kernel: nfsd: don't ignore the return code of svc_proc_register()

Links to More Info: K000160079


2217485-6 : TMSH Improvements

Links to More Info: K000161107, BT2217485


2216645-4 : UCS Backup Improvements

Links to More Info: K000160857, BT2216645


2208913-5 : iControl SOAP hardening

Links to More Info: K000160973, BT2208913


2202097-6 : Apply limitations on certain object creation

Links to More Info: K000160916, BT2202097


2201965-5 : TMSH improvement

Links to More Info: K000160863, BT2201965


2201789-6 : TMSH improvements

Links to More Info: K000160975, BT2201789


2201769-6 : TMSH improvements

Links to More Info: K000160975, BT2201769


2201745-6 : TMSH improvements

Links to More Info: K000160975, BT2201745


2201725-6 : TMSH improvements

Links to More Info: K000160975, BT2201725


2201697-6 : TMSH improvements

Links to More Info: K000160975, BT2201697


2201377-5 : iControl REST improvements

Links to More Info: K000160979, BT2201377


2200437-5 : SNMP Improvement

Links to More Info: K000160981, BT2200437


2200421-6 : SNMP Improvement

Links to More Info: K000160981, BT2200421


2198921 : CSR Attributes of certificates created by custom‑role users are not visible to the same user

Component: BIG-IQ Local Traffic & Management

Symptoms:
When a custom-role user creates a certificate, the CSR attributes are not visible unless an admin manually assigns the certificate to the appropriate Resource Group.

Conditions:
This issue occurs when a custom-role user with a custom service role (assigned a Role Type and Resource Group) creates a certificate using a Venafi CA provider. The CSR attributes are not visible to the user who created the certificate.

Impact:
Users with custom service roles are unable to view the CSR attributes for certificates they create, even though they have full permissions on certificate-related objects.

Workaround:
The CSR attributes become visible to the creator once an admin manually adds the certificate to the Resource Group.

Fix:
CSR attributes for a certificate are now visible to the creator, resolved in BIG-IQ 8.4.2.


2198461-1 : CVE-2025-64718: Security Vulnerability in js-yaml

Component: REST Framework and TMOS Platform

Symptoms:
The vulnerability in the js-yaml before 4.1.1 and 3.14.2 library could allow attackers to inject malicious YAML content via crafted input, leading to potential code execution or denial of service (DoS)

Conditions:
NA

Impact:
Disrupt service availability (DoS), or gain unauthorized access.

Workaround:
NA

Fix:
It is fixed in BIG-IQ 8.4.2


2198385-1 : CVE-2025-5889: Vulnerability in brace-expansion

Component: REST Framework and TMOS Platform

Symptoms:
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.

Conditions:
NA

Impact:
Could lead to arbitrary code execution, compromising the confidentiality, integrity, and availability of the system

Workaround:
NA

Fix:
It is fixed in BIG-IQ 8.4.2


2198369-1 : CVE-2022-31129 - Multiple Libraries - bigiq-analytics-ui

Links to More Info: K000157365


2198233-1 : CVE-2025-5889 - brace-expansion: juliangruber brace-expansion index.js expand redos

Component: REST Framework and TMOS Platform

Symptoms:
The vulnerability in the expand function of the brace-expansion library versions up to 1.1.11, 2.0.1, 3.0.0, and 4.0.0 involves inefficient regular expression complexity. Processing specially crafted inputs can lead to resource exhaustion, potentially resulting in Denial-of-Service (DoS).

Conditions:
NA

Impact:
May result in Denial-of-Service (DoS) caused by resource exhaustion during regex processing in the affected brace-expansion library.

Workaround:
This issue is fixed by upgrading the brace-expansion from version 1.1.11 to 1.1.12 in BIG-IQ 8.4.2.

Fix:
This issue has been fixed in BIG-IQ 8.4.2.


2198065-1 : CVE-2021-41184 - jquery-ui-1.12.1.tgz - bigiq-mgmt-ui

Links to More Info: K50455702


2198053-1 : CVE-2022-31129 - moment-2.29.1.tgz - bigiq-mgmt-ui

Links to More Info: K000157365


2198049-1 : CVE-2022-31160 - jquery-ui-1.12.1.tgz - bigiq-mgmt-ui

Links to More Info: K000134507


2197965-1 : CVE-2025-64718 js-yaml vulnerability

Component: REST Framework and TMOS Platform

Symptoms:
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

Conditions:
NA

Impact:
Impacts data integrity.

Workaround:
NA

Fix:
This issue has been fixed in BIG-IQ 8.4.2.


2197377-4 : TMM crashes under specific traffic.

Links to More Info: K000160945, BT2197377


2197085-1 : CVE-2022-41862 postgresql: Client memory disclosure when connecting with Kerberos to modified server

Component: REST Framework and TMOS Platform

Symptoms:
In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.

Conditions:
This issue occurs when the PostgreSQL libpq client library is used, Kerberos transport encryption is enabled, and the client connects to a modified server.

Impact:
Disclosure of sensitive client memory in error messages and potential exploitation of uninitialized data by malicious servers.

Workaround:
NA

Fix:
The issue is resolved by upgrading PostgreSQL to version 15.17 in BIG-IQ 8.4.2.


2196137-2 : Issue observed only in BIG-IP 17.5.1.4: traffic processed by AFM or DDoS Hybrid Defender may cause TMM to restart

Links to More Info: K000160003, BT2196137


2186153-5 : CVE-2025-8194 cpython: Cpython infinite loop when parsing a tarfile

Component: REST Framework and TMOS Platform

Symptoms:
A flaw was found in the Python tarfile module. Processing a specially crafted tar archive, specifically an archive with negative offsets, can cause an infinite loop and deadlock. This issue results in a denial of service in the Python application using the tarfile module.

Conditions:
The application uses the Python tarfile module to process an attacker-supplied malicious tar archive containing negative offsets.

Impact:
It can cause an infinite loop leading to application hang or denial of service.

Workaround:
Update to a patched Python version and avoid processing untrusted tar archives, or validate archives before extraction

Fix:
Upgrade to a Python version that includes the tarfile module fix for this issue.


2162989 : BIG-IQ CM is unable to request full cert bundle from Venafi

Component: REST Framework and TMOS Platform

Symptoms:
Currently, when BIG-IQ sends the certificate retrieval request to Venafi, it does not send 'includeChain=true'. Thus, BIG-IQ does not get the full chain bundle of certs(leaf, intermediate, root). BIG-IQ gets only the leaf cert, and the leaf cert is imported into BIG-IQ.

Conditions:
This occurs when BIG-IQ creates the Venafi-signed certificate and retrieves the certificate from Venafi.

Impact:
BIG-IQ has the leaf certificate only instead of the full bundle(leaf, intermediate, root), and the same is deployed to BIG-IP ssl profiles. When the completed bundle is not available, ssl hand sake fails.

Fix:
Now BIG-IQ is able to retrieve the full bundle(leaf, intermediate, root) from Venafi and is able to deploy on BIG-IP.


2149233-6 : TMM crashes when using SSL

Links to More Info: K000158082, BT2149233

Component: REST Framework and TMOS Platform

Symptoms:
Under certain SSL condition, TMM crashes.

Conditions:
When SSL is configured

Impact:
Traffic is disrupted.

Fix:
TMM working properly now.


2141245-4 : Undisclosed traffic to TMM can lead to resource exhaustion

Component: REST Framework and TMOS Platform

Symptoms:
Certain traffic sent to TMM is leading to resource exhaustion.

Conditions:
Undisclosed conditions

Impact:
TMM Resource exhaustion

Fix:
DNS LDNS API correction.


2141021-4 : CVE-2025-6069 - html.parser (cpython)

Component: REST Framework and TMOS Platform

Symptoms:
The html.parser.HTMLParser class had worse-case quadratic complexity when processing certain crafted malformed inputs potentially leading to amplified denial-of-service.

Conditions:
NA

Impact:
Exploitation of the vulnerability can result in a denial-of-service (DoS) condition due to high CPU utilization while parsing maliciously crafted HTML inputs. Applications relying on the vulnerable html.parser.HTMLParser class may become unresponsive or experience downtime when exposed to such inputs.

Workaround:
NA

Fix:
Added a patch to fix the CVE

Fixed Versions:
8.4.2.1


2140909 : BIG-IQ: Enable F5 Trusted CA store avoid CA pinning

Links to More Info: BT2140909

Component: REST Framework and TMOS Platform

Symptoms:
F5 products can only successfully connect to web services with Entrust SSL certificates, and Entrust has ceased CA operations.

Conditions:
The file /config/ssl/ssl.crt/f5-ca-bundle.crt contains only a single Entrust Root CA certificate.

Impact:
F5 devices are not able to download the blended CA bundle.

Workaround:
Manually upgrade f5-ca-bundle.crt, follow this KB article for detailed steps https://my.f5.com/manage/s/article/K000157916

Fix:
Updated the f5-ca-bundle.crt in BIG-IQ v8.4.1

Fixed Versions:
8.3.0


2140641-6 : CVE-2025-40778: Bind Vulnerability

Links to More Info: K000157334


2140621-5 : CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling

Links to More Info: K000157317, BT2140621


2139221 : Incorrect link reference to the internal F5 licensing service when activating BIG-IQ license

Component: BIG-IQ Device Management

Symptoms:
When attempting to activate a BIG-IQ license, the system provides a link to the internal F5 licensing service, which is not externally accessible. This prevents users from completing the license activation process using the provided link.

Conditions:
BIG-IQ is unlicensed.
Attempting to activate a license.
The licensing workflow references the internal F5 licensing service.

Impact:
Users are unable to complete license activation through the web UI because of the inaccessible internal licensing service link.

Workaround:
When activating a BIG-IQ license and encountering an incorrect link to the internal F5 licensing service, users can bypass the issue by manually entering or editing the Registration Key (RBK) or Base Registration Key (BRK) in the license activation workflow.

Fix:
The license activation workflow now references the correct licensing service, enabling users to complete license activation as expected.


2137581-9 : TMM core may occur under certain conditions

Links to More Info: K000158978, BT2137581


2131233-3 : ADM not functioning properly

Links to More Info: K000158979, BT2131233


2130601-5 : TMUI Request Processing Improvement

Links to More Info: K000156761, BT2130601


2113093-2 : CVE-2021-3393: Partition constraint violation errors leak values of denied columns

Links to More Info: K000149073


2078425-2 : BIG-IQ Request Handling Improvements

Links to More Info: K000158029


2053165-1 : CVE-2025-47268 iputils: Signed Integer Overflow in Timestamp Multiplication in iputils ping

Links to More Info: K000158112, BT2053165


2046917 : Non-essential services (hwpd, ipsd, updated) show as "normally up" on BIG-IQ

Component: REST Framework and TMOS Platform

Symptoms:
On BIG-IQ systems, the services hwpd, ipsd, and updated appear as 'down, normally up' in the service status output, even though they are not necessary for BIG-IQ operation.

Conditions:
Running BIG-IQ (e.g., version 8.4.0).
Viewing service status via CLI (e.g., bigstart status | grep -i "ipsd\|updated\|hwpd").
The hwpd, ipsd, and updated services are not provisioned or utilized by BIG-IQ.

Impact:
This may cause confusion for administrators, as these services are reported as 'down, normally up,' suggesting a problem, even though they are not required for BIG-IQ and their status does not impact system operation.

Workaround:
NA

Fix:
The status output for hwpd, ipsd, and updated will be modified to display 'Not provisioned' on BIG-IQ systems where these services are not needed.


2014237-2 : CVE-2022-29154: rsync client path validation issue may allow overwrite of arbitrary files in target directory

Component: REST Framework and TMOS Platform

Symptoms:
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).

Conditions:
NA

Impact:
Potential overwrite of arbitrary files within the rsync target directory tree, which may lead to further exploitation.

Workaround:
NA

Fix:
This issue is addressed by the rsync update/patch included with the associated TMOS fix (see internal BIG-IP bug 1937381 and patch attachment 253673).


2013225-2 : CVE-2021-34798: Apache HTTP Server NULL pointer dereference via malformed requests (availability/DoS)

Links to More Info: K72382141


1988937-2 : Inability to overwrite an existing cert bundle due to excessive calls to certificate-management

Component: BIG-IQ Local Traffic & Management

Symptoms:
Unable to Overwrite Certificate Bundle.

Conditions:
Importing a Certificate by "Overwriting Existing" option.

Impact:
Fails to update or overwrite the Certificate Bundle.

Workaround:
None.

Fix:
Certificate bundle is now overwritten as expected.


1983321-4 : CVE-2025-48976 apache-commons-fileupload: Apache Commons FileUpload DoS via part headers

Links to More Info: K000152614, BT1983321


1971593-6 : CVE-2023-2455 & CVE-2024-7348 PostgreSQL Vulnerabilities

Links to More Info: K000152931


1967025-5 : Improved Permission Handling in REST SNMP Endpoint and TMSH

Links to More Info: K000156581, BT1967025


1966849-7 : CVE-2023-5869 postgresql: Buffer overrun from integer overflow in array modification

Links to More Info: K000152931, BT1966849


1966841-7 : CVE-2023-39417 postgresql: extension script @substitutions@ within quoting allow SQL injection

Links to More Info: K000152931, BT1966841


1966793-8 : CVE-2023-2455 postgresql: row security policies disregard user ID changes after inlining.

Links to More Info: K000152931


1966785-7 : CVE-2023-2454 postgresql: schema_element defeats protective search_path changes

Links to More Info: K000152931, BT1966785


1935917 : Users with custom permissions but lacking admin privileges are unable to view certificates and keys via the web UI or the iControl REST API.

Links to More Info: BT1935917

Component: BIG-IQ Local Traffic & Management

Symptoms:
- Certificates and keys were visible to the affected user on versions before v8.4.0.
- Non-admin users with appropriate permissions are now unable to view the list of certificates and keys via the UI or iControl REST API.
- Executing the following command for the affected user (e.g., f5testuser) returns an empty set:

curl -su 'f5testuser' http://localhost:8100/mgmt/cm/adc-core/working-config/sys/file/ssl-cert | jq .
Enter host password for user 'f5testuser':
{
  "items": [],
  "generation": 2,
  "lastUpdateMicros": 1755557580126930,
  "kind": "cm:adc-core:working-config:sys:file:ssl-cert:adcsslcertcollectionstate",
  "selfLink": "https://localhost/mgmt/cm/adc-core/working-config/sys/file/ssl-cert"
}

Conditions:
- BIG-IQ running on v8.4.0

Impact:
Users without admin privileges but with custom permissions are unable to manage certificates and keys via the UI or the iControl REST API.

Workaround:
There is no workaround. Install an EHF with the fix for ID1935917 on version 8.4.0 to resolve this issue.

Fix:
The issue is fixed.


1928545 : Postgres CVE-2020-14349: An uncontrolled search path element vulnerability in logical replication.

Links to More Info: K000150943


1928541 : CVE-2019-10164 - PostgreSQL Stack-Based Buffer Overflow via Password Change

Links to More Info: K000150943


1925461-11 : CVE-2016-2053 Linux Kernel Vulnerability

Component: REST Framework and TMOS Platform

Symptoms:
The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c.

Conditions:
NA

Impact:
It can lead to DoS and will compromise system availability.

Workaround:
NA

Fix:
DoS issue has been resolved.


1924693-8 : CVE-2020-26939 bouncycastle: Address OAEP decoding side-channel leaking RSA private exponent

Component: REST Framework and TMOS Platform

Symptoms:
Attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

Conditions:
Bouncy Castle BC versions before 1.61 are vulnerable

Impact:
The vulnerability leaks side-channel information about the RSA private exponent

Workaround:
N/A

Fix:
bouncycastle has been upgraded to 1.61 to address this vulnerability.

Fixed Versions:
8.4.2.1


1923997-9 : CVE-2023-1668-openvswitch: ip proto 0 triggers incorrect handling

Component: REST Framework and TMOS Platform

Symptoms:
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.

Conditions:
NA

Impact:
It can cause incorrect handling or misrouting of other IP packets, potentially leading to traffic disruption or denial of service.

Workaround:
NA

Fix:
The denial of service issue has been resolved in the package.


1923817-8 : CVE-2017-11499: Constant Hashtable Seeds vulnerability (NodeJS v6.9.1)

Component: REST Framework and TMOS Platform

Symptoms:
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.

Conditions:
NA

Impact:
It can cause high CPU usage and event loop blocking, leading to a remote denial of service.

Workaround:
NA

Fix:
Hash flooding remote DoS issue has been resolved in the package.


1923657-9 : CVE-2022-41858 kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip

Component: REST Framework and TMOS Platform

Symptoms:
A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.

Conditions:
A vulnerable Linux kernel where the SLIP network driver is enabled and a detach operation occurs during sl_tx_timeout().

Impact:
It can trigger a kernel crash (denial of service) and potentially leak kernel memory information.

Workaround:
Upgrade to a Linux kernel version that includes the SLIP driver fix or disable the SLIP driver if it is not required.

Fix:
patch has been applied


1921553-2 : Re-import LTM service with log filter fail with error "Failed copying from source to target: java.lang.RuntimeException: not authenticated"

Component: BIG-IQ Local Traffic & Management

Symptoms:
Re-import fails with the error for LTM service.

Conditions:
After modifying LTM object on BIG-IQ and then triggering a rediscover/re-import, rediscover will succeed but re-import will fail. When prompted with "Resolve Import Conflicts" pop-up window, selecting BIG-IP to replace changes on BIG-IQ, the re-import task will commence but eventually fail.

Impact:
Re-import fails with error.

Workaround:
None.

Fix:
Re-import is now working properly.


1921301 : PostgreSQL Memory Disclosure Vulnerabilities

Links to More Info: K000150746


1893369-10 : CVE-2021-33033 kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c

Component: REST Framework and TMOS Platform

Symptoms:
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.

Conditions:
NA

Impact:
It can either lead to a DOS or cause arbitrary write on the system.

Workaround:
NA

Fix:
The DOS and arbitrary write issue has been resolved in the kernel.


1858553-2 : PostgreSQL vulnerability CVE-2021-32027

Links to More Info: K000151082


1814405-2 : CVE-2024-11187- Bind Vulnerability

Links to More Info: K000150814


1753617-8 : CVE-2023-24621 Untrusted Polymorphic Deserialization to Java Classes

Component: REST Framework and TMOS Platform

Symptoms:
It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.

Conditions:
yamlbeans versions before 1.15 are vulnerable

Impact:
It can result in remote code execution (RCE) or denial of service.

Workaround:
N/A

Fix:
yamlbeans has been patched to address this vulnerability.


1692917-4 : CVE-2024-6232 CPython Tarfile vulnerability

Links to More Info: K000148252, BT1692917


1678793-8 : CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes

Links to More Info: K000141459, BT1678793


1678777-9 : CVE-2022-25869 angular.js : insecure page caching in the browser, which allows interpolation of <textarea> elements.

Links to More Info: K000141459, BT1678777


1678769-8 : CVE-2023-26116 angularjs: Regular Expression Denial of Service via angular.copy()

Links to More Info: K000141463, BT1678769


1673161-5 : CVE-2023-45853 zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6

Links to More Info: K000149884, BT1673161


1623197-4 : CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects

Links to More Info: K000140711, BT1623197


1620285 : CVE-2024-38477 Apache HTTPD vulnerability

Links to More Info: K000140784


1589661-4 : CVE-2019-3860 libssh2: Out-of-bounds reads with specially crafted SFTP packets

Links to More Info: K000149288, BT1589661


1589645-4 : CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read

Links to More Info: K000149288, BT1589645


1589489-1 : libssh Vulnerability CVE-2019-3858

Links to More Info: K000148713


1586537-8 : CVE-2024-0985 postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL

Links to More Info: K000140188, BT1586537


1566997-1 : CVE-2016-10349 libarchive: Heap-based buffer over-read in the archive_le32dec function

Links to More Info: K000148259, BT1566997


1566533-6 : CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code

Links to More Info: K000139901, BT1566533


1561689-1 : CVE-2016-10350 libarchive: Heap-based buffer over-read in the archive_read_format_cab_read_header function

Links to More Info: K000148259, BT1561689


1517561-4 : CVE-2023-28484 libxml2: NULL dereference in xmlSchemaFixupComplexType

Links to More Info: K000139641, BT1517561


1474757-4 : CVE-2023-51385 openssh: potential command injection via shell metacharacters

Links to More Info: K000138827, BT1474757


1470177-5 : CVE-2023-46218 curl: information disclosure by exploiting a mixed case flaw

Links to More Info: K000138650, BT1470177


1450481-4 : TMSH hardening

Links to More Info: K32950402, BT1450481


1450181-2 : Improved Permission Handling in REST SNMP Endpoint and TMSH

Links to More Info: K000156581, BT1450181


1429861-10 : CVE-2019-5737: HTTP or HTTPS Denial of Service in keep-alive mode (NodeJS v6)

Component: REST Framework and TMOS Platform

Symptoms:
It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient. It is possible to bypass the server's headersTimeout by sending two specially crafted HTTP requests in the same connection. An attacker could use this flaw to bypass Slowloris protection, resulting in a denial of service.

Conditions:
The server runs a vulnerable Node.js HTTP implementation and accepts persistent connections where an attacker can send two specially crafted HTTP requests on the same connection to bypass headersTimeout.

Impact:
An attacker can bypass Slowloris protections and cause a denial of service by exhausting server connections.

Workaround:
Upgrade to a Node.js version that includes the corrected Slowloris fix and enforce strict request timeouts and connection limits.

Fix:
Upgrade to a Node.js version with the updated Slowloris fix and enforce strict request timeout and connection limits.


1407837-1 : libssh2 vulnerability CVE-2020-22218

Links to More Info: K000138219, BT1407837


1393733-6 : CVE-2022-43750 kernel: memory corruption in usbmon driver

Links to More Info: K000139700, BT1393733


1366025-15 : A particular HTTP/2 sequence may cause high CPU utilization.

Links to More Info: K000137106, BT1366025


1330801-7 : NodeJS Vulnerability CVE-2018-12123, CVE-2018-12121, CVE-2018-12122

Links to More Info: K000137090, BT1330801


1330721-7 : Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116

Links to More Info: K000137093, BT1330721


1327169-6 : CVE-2023-24329 python: urllib.parse url blocklisting bypass

Links to More Info: K000135921, BT1327169


1324085-11 : Multiple OpenSSL Vulnerabilities

Links to More Info: K000137969, BT1324085


1304081-1 : CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers

Links to More Info: K000135178, BT1304081


1271341-8 : Unable to use DTLS without TMM crashing

Links to More Info: K000160901, BT1271341


1270257-7 : CVE-2023-0662 php: DoS vulnerability when parsing multipart request body

Links to More Info: K000133753, BT1270257


1266853-11 : CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts

Links to More Info: K000133052, BT1266853


1173825-5 : Improper sanitisation in Qkview data

Links to More Info: K000157895, BT1173825


1167897-10 : [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c

Links to More Info: K44454157, BT1167897


1144421-1 : CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation

Component: REST Framework and TMOS Platform

Symptoms:
cpio does not properly validate the values written in the header of a TAR file through the to_oct() function. When creating a TAR file from a list of files and one of those is another TAR file with a big size, cpio will generate the resulting file with the content extracted from the input one. This leads to unexpected results as the newly generated TAR file could have files with permissions the owner of the input TAR file did not have or in paths he did not have access to.

Conditions:
Occurs when creating tar archives with unvalidated or specially crafted input filenames.

Impact:
This vulnerability may generate malformed tar files, leading to interoperability issues or unexpected behavior in downstream tools.

Workaround:
NA

Fix:
Patched python to fix the vulnerability.


1099369-6 : CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs.

Links to More Info: K21548854, BT1099369


1099365-6 : CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs.

Links to More Info: K21548854


1093933-6 : CVE-2020-7774 nodejs-y18n prototype pollution vulnerability

Component: REST Framework and TMOS Platform

Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.

Conditions:
N/A

Impact:
Denial of service or in rare circumstances, impact to data integrity or confidentiality

Workaround:
N/A

Fix:
The library has been patched to address the vulnerability.


1093685-6 : CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it

Links to More Info: K52379673, BT1093685


1089921-7 : Vim vulnerability CVE-2022-0359

Links to More Info: K08827426, BT1089921


1089233-6 : CVE-2022-0492 Linux kernel vulnerability

Links to More Info: K54724312


1088445-10 : CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body

Links to More Info: K67090077, BT1088445


1086325-9 : CVE-2016-4658 libxml2 vulnerability

Links to More Info: K49419538, BT1086325


1070905-1 : CVE-2017-7656 jetty: HTTP request smuggling using the range header

Links to More Info: K21054458, BT1070905


1069949-5 : CVE-2018-1000007 curl: HTTP authentication leak in redirects

Component: REST Framework and TMOS Platform

Symptoms:
libcurl might accidentally leak authentication data to third parties.

When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value.

Sending the same set of headers to subsequent hosts is, in particular, a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy-sensitive information or data that could allow others to impersonate the libcurl-using client's request.

Conditions:
NA

Impact:
Sensitive information could be disclosed to an unauthorised user

Workaround:
NA

Fix:
Patched curl to fix the vulnerability.


1061969-24 : Postgresql package upgrade to 15.0 version

Links to More Info: K000149329, BT1061969


1061485-7 : CVE-2019-19527: Linux kernel vulnerability

Component: REST Framework and TMOS Platform

Symptoms:
A vulnerability was found in hiddev_open in drivers/hid/usbhid/hiddev.c in the USB Human Interface Device class subsystem, where an existing device must be validated prior to its access. The device should also ensure the hiddev_list cleanup occurs at failure, as this may lead to a use-after-free problem, or possibly escalate privileges to an unauthorized user.

Conditions:
NA

Impact:
Unauthorised access to BIGIP device

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.


1059229-1 : CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c

Component: REST Framework and TMOS Platform

Symptoms:
A flaw was found in the way the sit_init_net function in the Linux kernel handled resource cleanup on errors. This flaw allows an attacker to use the error conditions to crash the system.

Conditions:
Linux kernel versions before 5.0

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.


1058701 : CVE-2021-25219 : BIND exploitation of broken authoritative servers

Links to More Info: K77326807


1058197-7 : CVE-2019-14973: LibTIFF Vulnerability

Links to More Info: K000157984, BT1058197


1057393-4 : CVE-2019-18197 libxslt vulnerability: use after free in xsltCopyText

Links to More Info: K10812540, BT1057393


1057141-1 : CVE-2018-14647 python: Missing salt initialization in _elementtree.c module

Links to More Info: K000151007, BT1057141


1055925-3 : TMM may crash while processing traffic on AWS

Links to More Info: K34511555, BT1055925


1052477-8 : CVE-2020-10751 kernel: SELinux netlink permission check bypass

Component: REST Framework and TMOS Platform

Symptoms:
A flaw was found in the Linux kernel SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.

Conditions:
NA

Impact:
A local attacker could bypass SELinux restrictions, potentially leading to unauthorized access, privilege escalation, or, in some scenarios, a system crash (denial of service).

Workaround:
NA

Fix:
Applied patch to fix the CVE


1052437-1 : CVE-2019-19532 kernel: malicious USB devices can lead to multiple out-of-bounds write

Component: REST Framework and TMOS Platform

Symptoms:
In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.

Conditions:
NA

Impact:
In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.

Workaround:
NA

Fix:
Patched kernel to fix this vulnerability


1052433-1 : CVE-2019-19530: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver

Component: REST Framework and TMOS Platform

Symptoms:
use-after-free flaw was found in the acm_probe USB subsystem in the Linux kernel. A race condition occurs when a destroy() procedure is initiated allowing the refcount to decrement on the interface so early that it is never undercounted. A malicious USB device is required for exploitation. System availability is the largest threat from the vulnerability, however, data integrity and confidentiality are also threatened.

Conditions:
NA

Impact:
A malicious USB device is required for exploitation. System availability is the largest threat from the vulnerability, however, data integrity and confidentiality are also threatened.

Workaround:
NA

Fix:
Patched kernel to fix this vulnerability


1052333-12 : CVE-2018-16885: Linux kernel vulnerability

Component: REST Framework and TMOS Platform

Symptoms:
A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length. This can cause a read beyond the buffer boundaries flaw and, in certain cases, cause a memory access fault and a system halt by accessing an invalid memory address.

Conditions:
NA

Impact:
This can cause a read beyond the buffer boundaries flaw.

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.


1052253-12 : CVE-2018-13095 kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c

Component: REST Framework and TMOS Platform

Symptoms:
An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork.

Conditions:
Linux kernel version up to including 4.17.3 is vulnerable to this CVE.

Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.


1052249-11 : CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function

Component: REST Framework and TMOS Platform

Symptoms:
An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. This can lead to a system crash and a denial of service.

Conditions:
NA

Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).

Workaround:
Limit physical or local access to the system

Fix:
Patched kernel to fix the vulnerability.


1052245-6 : CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function

Component: REST Framework and TMOS Platform

Symptoms:
An issue was discovered in the XFS filesystem in fs/xfs/xfs_icache.c in the Linux kernel. There is a NULL pointer dereference leading to a system panic in lookup_slow() on a NULL inode->i_ops pointer when doing path walks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during an allocation.

Conditions:
Linux kernel versions before 4.17.3 are vulnerable

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.


1052217-11 : CVE-2018-19985 kernel: oob memory read in hso_probe in drivers/net/usb/hso.c

Component: REST Framework and TMOS Platform

Symptoms:
A flaw was found in the Linux kernel in the function hso_probe() which reads if_num value from the USB device (as an u8) and uses it without a length check to index an array, resulting in an OOB memory read in hso_probe() or hso_get_config_data(). An attacker with forged USB device with a physical access to a system (needed to connect such a device) can cause a system crash and a denial-of-service.

Conditions:
NA

Impact:
The primary impact of this vulnerability is a denial-of-service (DoS) due to the kernel crash

Workaround:
NA

Fix:
Patched kernel to fix the vulnerability.


1051869-6 : CVE-2018-20169: Linux kernel vulnerability

Component: REST Framework and TMOS Platform

Symptoms:
A flaw was discovered in the Linux kernel's USB subsystem in the __usb_get_extra_descriptor() function in the drivers/usb/core/usb.c which mishandles a size check during the reading of an extra descriptor data. By using a specially crafted USB device which sends a forged extra descriptor, an unprivileged user with physical access to the system can potentially cause a privilege escalation or trigger a system crash or lock up and thus to cause a denial of service (DoS).

Conditions:
NA

Impact:
Unauthorized access to sensitive information, Unauthorized modification or corruption of data

Workaround:
Limit access to the affected systems to trusted networks or users.

Fix:
Patched kernel to fix the vulnerability.


1051769-5 : CVE-2019-10140 kernel: overlayfs: NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c

Component: REST Framework and TMOS Platform

Symptoms:
An attacker with local access can create a denial of service situation via a NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with the ability to create directories on overlayfs to crash the kernel creating a denial of service (DOS).

Conditions:
Linux kernel versions before 3.10 are vulnerable

Impact:
It can result in DoS.

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.


1051697-8 : CVE-2019-11833 kernel: fs/ext4/extents.c leads to information disclosure

Component: REST Framework and TMOS Platform

Symptoms:
A flaw was found in the Linux kernels implementation of ext4 extent management which did not correctly initialize memory regions in the extent tree block which may be exported to a local user to obtain sensitive information by reading empty/uninitialized data from the filesystem.

Conditions:
Linux kernel versions before 5.1.2 are vulnerable

Impact:
It can result in information disclosure

Workaround:
N/A

Fix:
kernel has been patched to address this vulnerability.


1043977-7 : CVE-2021-3672 CVE-2021-22931 NodeJS Vulnerabilities in iAppLX

Links to More Info: K53225395, BT1043977


1041141-1 : CVE-2021-35942 glibc: Arbitrary read in wordexp()

Links to More Info: K98121587, BT1041141


1038149 : WS-2019-0063

Component: BIG-IQ System User Interface

Symptoms:
Js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Conditions:
This issue is only exploitable if the product uses js-yaml < 3.13.1 and parses attacker-controlled YAML using the load() API. If YAML is not coming from an untrusted external source (or if safeLoad() is used), then there is no practical exploit path.

Impact:
If an application uses js-yaml < 3.13.1 and parses attacker-controlled input with the unsafe load() API, an attacker can achieve arbitrary code execution in the process—leading to data theft, service disruption, privilege escalation or lateral movement.

Workaround:
Upgrade js-yaml to version 3.13.1 or later

Fix:
Upgrade js-yaml to version 3.13.1 or later

Fixed Versions:
8.3.0


1035781-2 : CVE-2021-33909: Linux Kernel Vulnerability

Links to More Info: K75133288, BT1035781


1021245-4 : CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive

Links to More Info: K78284681, BT1021245


1017965-7 : BIND Vulnerability CVE-2021-25214

Links to More Info: K11426315, BT1017965


1016657-6 : TMM may crash while processing LSN traffic

Links to More Info: K54082580, BT1016657


1004881-9 : Update angular, jquery, moment, axios, and lodash libraries in AGC

Links to More Info: K12492858, BT1004881


1001369-5 : D-Bus vulnerability CVE-2020-12049

Links to More Info: K16729408, BT1001369



Known Issues in BIG-IQ CM v8.4.x


BIG-IQ Local Traffic & Management Issues

ID Number Links to More Info Description
2292005-1 Self-Signed Certificates Generated for Venafi Requests by Limited Users in BIG-IQ 8.4.0
1576437-1 BT1576437 When generating a CSR with a custom partition Venafi certificate stored in the wrong partition with 'Base64' format.

BIG-IQ Device Management Issues

ID Number Links to More Info Description
2240913-4 BT2240913 Qkview in BIG-IP v17.5.1.4 and v17.5.1.5 fails to include many files
2313605-1 Upgrade from BIG-IQ 8.4.1 Fails Due to Missing Elasticsearch Configuration Files

REST Framework and TMOS Platform Issues

ID Number Links to More Info Description
2221017-5 BT2221017 The BIG-IP virtio driver may core during startup
1696741-1 BT1696741 Error: ha-quorum: Username and/or password is incorrect

BIG-IQ Web Application Security (ASM) Issues

ID Number Links to More Info Description
1316593-2 An error occurs when importing an ASM Policy containing the same URLs but with different HTTP request methods

BIG-IQ Application Management Issues

ID Number Links to More Info Description
2292537-1 BT2292537 AS3 Templates Fail to Render in BIG-IQ Applications GUI After Upgrade Due to "iRule"/"IRule" Key Change
2162173-1 Pool Class Displays Incorrect Values for Monitors Parameter
2162169-1 Pool Class Displays Incorrect Values for Server Addresses Parameter
2162157-1 Unable to set virtual server IP address when using an AS3 application template on the webUI
2162077-1 Service_TCP Class Fails to Accept Integer Value for virtualPort Parameter
2144153-1 The script parameter is shown for all monitor types instead of external monitor
2122841-1 While creating Application Services, having a Monitor Type that is editable does not work
2122837-1 Big-IQ: AS3 Templates All Monitor_ classes fail
2107121-1 The environment variables are not displayed as key-value pairs for the external monitor type
2163505-1 AS3 Templates Display Unexpected Parameter Ordering in Classes

Known Issue details for BIG-IQ CM v8.4.x

2313605-1 : Upgrade from BIG-IQ 8.4.1 Fails Due to Missing Elasticsearch Configuration Files

Component: BIG-IQ Device Management

Symptoms:
Upgrade attempts from BIG-IQ 8.4.1, including both Final and Engineering Hotfix builds, to any later version may fail. The issue can also affect upgrades between versions derived from BIG-IQ 8.4.1. This occurs because required Elasticsearch configuration files are missing, preventing SSL communication between devices during the upgrade process.

Conditions:
This issue may occur under the following conditions:

- The system is upgraded from BIG-IQ 8.4.1, including Final and Engineering Hotfix builds.
- One or more Data Collection Devices (DCDs) are present in the configuration.
- The upgrade is performed to a later BIG-IQ version or between versions derived from BIG-IQ 8.4.1.

Impact:
The upgrade process fails, preventing SSL communication between devices from being established. As a result, the upgrade cannot be completed successfully.

Workaround:
1. To remount the /usr file system in read-write mode, type the following command:
mount -o remount,rw /usr

2. Backup the current cs.dat configuration saved to a file named /usr/libdata/configsync/cs.dat.bak
cp -b /usr/libdata/configsync/cs.dat{,.bak}

3. Execute the following commands:

FILE=/usr/libdata/configsync/cs.dat

if ! grep -q "save.2641.file" "$FILE"; then
    sed -i '/^save\.2640\.file.*elasticsearch\.yml/a\

# elasticsearch ssl certificate files\
save.2641.file = /var/config/rest/elasticsearch/config/es_admin-key.pem\
save.2642.file = /var/config/rest/elasticsearch/config/es_admin.pem\
save.2643.file = /var/config/rest/elasticsearch/config/es_node-key.pem\
save.2644.file = /var/config/rest/elasticsearch/config/es_node.pem\
save.2645.file = /var/config/rest/elasticsearch/config/es_root-ca-key.pem\
save.2646.file = /var/config/rest/elasticsearch/config/es_root-ca.pem' "$FILE"
fi

if ! grep -q "save.6005.ignore" "$FILE"; then
    sed -i '/^save\.6004\.ignore.*remoterole/a\
save.6005.ignore = /config/snmp/snmpd.conf\
save.6006.ignore = /config/net-snmp/snmpd.conf' "$FILE"
fi

FILE=''

4. To remount the /usr file system in read-only mode, type the following command:
mount -o remount,ro /usr

Note: The workaround must be applied before the upgrade process.


2292537-1 : AS3 Templates Fail to Render in BIG-IQ Applications GUI After Upgrade Due to "iRule"/"IRule" Key Change

Links to More Info: BT2292537

Component: BIG-IQ Application Management

Symptoms:
After upgrading BIG-IQ from 8.3.0 to 8.4.0 or 8.4.1, existing AS3 templates display only the "Tenant" field in the Applications GUI. Other parameters (such as Pool, Profile, Service, etc.) are missing and cannot be viewed or edited

Conditions:
-- BIG-IQ upgraded to version 8.4.0 or 8.4.1
-- Existing AS3 templates created with previous versions
-- The template includes an iRule class, where the definition key was "iRule" in the older schema and is now "IRule" in the latest ADC schema
-- Accessing the template via the BIG-IQ Applications GUI

Impact:
Users cannot fully render or edit existing AS3 templates in the Applications GUI, impacting application management and deployment.

Workaround:
None


2292005-1 : Self-Signed Certificates Generated for Venafi Requests by Limited Users in BIG-IQ 8.4.0

Component: BIG-IQ Local Traffic & Management

Symptoms:
When a limited-privilege user requests a certificate through the Venafi integration, BIG-IQ returns a self-signed certificate with a one-year expiration instead of a certificate signed by the internal CA that has a two-year expiration. This issue does not occur for admin users.

Conditions:
-- User is a limited-privilege (non-admin) account
-- Requesting a certificate via Venafi integration in BIG-IQ 8.4.0

Impact:
Non-admin users cannot acquire valid Venafi-signed certificates or import PKCS-12 certificates, hindering effective certificate management and automation.

Workaround:
None


2240913-4 : Qkview in BIG-IP v17.5.1.4 and v17.5.1.5 fails to include many files

Links to More Info: BT2240913

Component: BIG-IQ Device Management

Symptoms:
A QKview collected from a device running BIG-IP v17.5.1.4 or v17.5.1.5 fails to collect

- files in the filestore (/config/filestore)
- per-partition configuration files (/config/partitions/)
- the /config/.diffVersions directory
- the /shared/tmstat directory
- the systemd journal files (/var/log/journal)

And other directories.

Conditions:
BIG-IP system running v17.5.1.4 or v17.5.1.5

Impact:
Qkview is missing important files.

Workaround:
There is no workaround to include these files in a QKview. If the files are necessary for troubleshooting an issue, they must be collected manually.


2221017-5 : The BIG-IP virtio driver may core during startup

Links to More Info: BT2221017

Component: REST Framework and TMOS Platform

Symptoms:
If a failure occurs in the BIG-IP's virtio driver during startup, it may core when attempting to modify statistics that have not yet been initialized.

Conditions:
-- Virtio driver in use.
-- BIG-IP is starting up.
-- An error occurs that is tracked by a statistic.

Impact:
TMM cores and restarts.


2163505-1 : AS3 Templates Display Unexpected Parameter Ordering in Classes

Component: BIG-IQ Application Management

Symptoms:
The parameters are not displayed in alphabetical order for all classes

Conditions:
Modifying classes for an AS3 template

Impact:
The parameters on the page are disordered, requiring a search for each respective parameter

Workaround:
None


2162173-1 : Pool Class Displays Incorrect Values for Monitors Parameter

Component: BIG-IQ Application Management

Symptoms:
The Monitors parameter in the Pool class is displayed with Advanced Schema options through the use of bigip parameters.

Conditions:
While creating a Pool class in the AS3 template

Impact:
The Monitors parameter does not support selecting with HTTP, HTTP2 monitors, etc

Workaround:
None


2162169-1 : Pool Class Displays Incorrect Values for Server Addresses Parameter

Component: BIG-IQ Application Management

Symptoms:
The Server Addresses parameter in the Pool class is displayed with Advanced Schema options through the use of bigip parameters

Conditions:
While creating a Pool class in the AS3 template

Impact:
The Server Addresses parameter does not support adding IP addresses

Workaround:
None


2162157-1 : Unable to set virtual server IP address when using an AS3 application template on the webUI

Component: BIG-IQ Application Management

Symptoms:
Only advanced schema inputs are shown for virtual address.

Conditions:
BIG-IQ v8.4.0 using AS3 application template.

Impact:
Unable to set a new IP address for virtual servers, when trying to deploy an application using BIG-IQ AS3 application templates.

Workaround:
- An EHF is available containing the fix for this issue.
- AS3 on BIG-IQ may also be downgraded to versions pre-v3.54.0 (eg. v3.41.0).


2162077-1 : Service_TCP Class Fails to Accept Integer Value for virtualPort Parameter

Component: BIG-IQ Application Management

Symptoms:
The virtualPort parameter supports advanced schema options for both use and bigip parameters

Conditions:
While creating the Service_TCP class in the AS3 template

Impact:
The virtualPort parameter is missing with integer value support

Workaround:
None


2144153-1 : The script parameter is shown for all monitor types instead of external monitor

Component: BIG-IQ Application Management

Symptoms:
The script parameter is displayed for all monitor types by default, even though it is intended to be displayed for External Monitor type.

Conditions:
Adding a Monitor Class of any monitor type.

Impact:
Displays the script parameter for unsupported monitor types.

Workaround:
None.


2122841-1 : While creating Application Services, having a Monitor Type that is editable does not work

Component: BIG-IQ Application Management

Symptoms:
When the Monitor Type is marked as editable in an Application Template, changing the Monitor Type during Application Service creation does not function by showing the respective Monitor Type definitions.

Conditions:
Monitor Type set as editable in the template and creating an Application Service using the published template.

Impact:
Monitor Type that is editable does not work during creation of application services.

Workaround:
None.


2122837-1 : Big-IQ: AS3 Templates All Monitor_ classes fail

Component: BIG-IQ Application Management

Symptoms:
Monitor_ Classes are visible in the webUI, which are definitions of Monitor Class based on monitorType.

Conditions:
Modifying Classes for an AS3 template.

Impact:
Add/Remove Classes dropdown displays "Monitor_" Classes along with the Monitor Class.

Workaround:
None.


2107121-1 : The environment variables are not displayed as key-value pairs for the external monitor type

Component: BIG-IQ Application Management

Symptoms:
When using the external monitor type, environment variables are not displayed as key-value pairs. Instead, they are shown in a single text field where values must be entered as a string.

Conditions:
Using the external monitor type in the application template and editing environment variables in the template containing Monitor class.

Impact:
Environment variables cannot be edited in the standard key-value pair format for external monitors.

Workaround:
None.


1696741-1 : Error: ha-quorum: Username and/or password is incorrect

Links to More Info: BT1696741

Component: REST Framework and TMOS Platform

Symptoms:
Setting up automatic HA failover returns an error similar to the following:

An error occurred while adding the BIG-IQ: Error: ha-secondary: Username and/or password is incorrect Error: ha-quorum: Username and/or password is incorrect Error: ha-primary: Username and/or password is incorrect

Restjavad log on primary CM would have an entry similar to the following:

[WARN][01 Jan 2024 01:00:00 UTC][/shared/ha/add-peer-task/abcdefgh-1234-abcd-1234-abcdefghijkl/worker AddPeerTaskWorker] [/bin/bash, -c, /usr/bin/ha_corosync_config.sh -p <primary_discovery_ip> -s <secondary_discovery_ip> -q <quorum_discovery_ip> -r primary -a <floating_ip> -m] failed with exit code 1, stdout: haclient:x:189:hacluster, stderr: Error: ha-quorum: Username and/or password is incorrect
Error: ha-secondary: Username and/or password is incorrect
Error: ha-primary: Username and/or password is incorrect

Conditions:
- BIG-IQ CMs and DCD (Quorum) are configured to remotely authenticate (eg. TACACS+) users for CLI access.

Impact:
The user 'hacluster' could not be authenticated remotely, hence the HA autofailover setup task fails.

Workaround:
If the issue has already occurred, the cluster would need to be rebuilt by running the following on the primary and secondary CMs and on DCDs:

ha_reset -f <device local discovery IP>
reset-data-collection-cluster

Add 'hacluster' user in the CMs and Quorum DCD's /config/bigip/auth/localusers. Note that this will not survive reboots.

Add at least one DCD into the cluster that will be used as quorum device, then configure the autofailover HA.

Use the guide in https://my.f5.com/manage/s/article/K11948 for creating a script that would add hacluster user into /config/bigip/auth/localusers everytime that the CMs and Quorum device reboot.


1576437-1 : When generating a CSR with a custom partition Venafi certificate stored in the wrong partition with 'Base64' format.

Links to More Info: BT1576437

Component: BIG-IQ Local Traffic & Management

Symptoms:
Venafi certificate is stored in the wrong partition when generating a CSR with a custom partition.

Conditions:
When generating a CSR with a custom partition in 'Base64' format.

Impact:
Venafi certificate is stored in the wrong partition

Workaround:
None


1316593-2 : An error occurs when importing an ASM Policy containing the same URLs but with different HTTP request methods

Component: BIG-IQ Web Application Security (ASM)

Symptoms:
BIG-IQ restjavad log file would show an error similar to the following when importing configuration from a BIG-IP ASM device:

[/cm/asm/tasks/discover-config/4e3b4176-308e-4591-8468-4ef9719efdc2/worker AsmDiscoveryTaskWorker] Error while creating 'ASM Policy - Url' 'null' in current-config: http://localhost:8100/cm/asm/current-config/policies/343a57d0-1c6f-36f0-b0a9-fb4647bbe1d5/urls, and while creating 'ASM Policy - Url' 'null' in current-config: http://localhost:8100/cm/asm/current-config/policies/343a57d0-1c6f-36f0-b0a9-fb4647bbe1d5/urls, and while creating 'ASM Policy - Url' 'null' in current-config: http://localhost:8100/cm/asm/current-config/policies/343a57d0-1c6f-36f0-b0a9-fb4647bbe1d5/urls, and while creating 'ASM Policy - Url' 'null' in current-config: http://localhost:8100/cm/asm/current-config/policies/343a57d0-1c6f-36f0-b0a9-fb4647bbe1d5/urls : java.lang.IllegalArgumentException: Duplicate item. Key already exists: protocol : http, name : /test/duplicateUrl

In this example, inspecting the affected ASM policy from the BIG-IP ASM that is being imported should reveal that one of the affected URLs would have multiple allowed URL entries for "/test/duplicateUrl", but those entries would have different HTTP request methods.

Conditions:
- Multiple entries in the ASM policy for the same URL but with different HTTP request methods.

Impact:
Unable to import ASM policy configuration from the BIG-IP ASM device.

Workaround:
The feature for having multiple entries for the same allowed URLs having different HTTP request methods is not yet implemented for BIG-IQ v8.3.0.

Avoid using multiple entries for the same allowed URLs.

If the feature is absolutely necessary, install an EHF for ID1316593.




*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************