Updated Date: 05/28/2026
Version: 8.4.2
Build: 27.0
Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 2221517-5 | CVE-2026-42406 | K000160971 | BIG-IP SCP hardening | 8.4.2 |
| 2221445-5 | CVE-2026-32643 | K000160972, BT2221445 | Improving scripts of Failover | 8.4.2 |
| 2221413-5 | CVE-2026-42406 | K000160971, BT2221413 | SCP Improvement | 8.4.2 |
| 2216645-4 | CVE-2026-34176 | K000160857, BT2216645 | UCS Backup Improvements | 8.4.2 |
| 725912 | CVE-2018-3665 | K21344224 | CVE-2018-3665: Intel Lazy FPU Vulnerability | 8.4.2 |
| 2198369-1 | CVE-2022-31129 | K000157365 | CVE-2022-31129 - Multiple Libraries - bigiq-analytics-ui | 8.4.2 |
| 2198065-1 | CVE-2021-41184 | K50455702 | CVE-2021-41184 - jquery-ui-1.12.1.tgz - bigiq-mgmt-ui | 8.4.2 |
| 2198053-1 | CVE-2022-31129 | K000157365 | CVE-2022-31129 - moment-2.29.1.tgz - bigiq-mgmt-ui | 8.4.2 |
| 2198049-1 | CVE-2022-31160 | K000134507 | CVE-2022-31160 - jquery-ui-1.12.1.tgz - bigiq-mgmt-ui | 8.4.2 |
| 1967025-5 | CVE-2026-40462 | K000156581, BT1967025 | Improved Permission Handling in REST SNMP Endpoint and TMSH | 8.4.2 |
| 1966841-7 | CVE-2023-39417 | K000152931, BT1966841 | CVE-2023-39417 postgresql: extension script @substitutions@ within quoting allow SQL injection | 8.4.2 |
| 1966785-7 | CVE-2023-2454 | K000152931, BT1966785 | CVE-2023-2454 postgresql: schema_element defeats protective search_path changes | 8.4.2 |
| 1450181-2 | CVE-2026-40462 | K000156581, BT1450181 | Improved Permission Handling in REST SNMP Endpoint and TMSH | 8.4.2 |
| 1099369-6 | CVE-2018-25032 | K21548854, BT1099369 | CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs. | 8.4.2 |
| 2053165-1 | CVE-2025-47268 | K000158112, BT2053165 | CVE-2025-47268 iputils: Signed Integer Overflow in Timestamp Multiplication in iputils ping | 8.4.2 |
| 1971593-6 | CVE-2023-2455 & CVE-2024-7348 | K000152931 | CVE-2023-2455 & CVE-2024-7348 PostgreSQL Vulnerabilities | 8.4.2 |
| 1966793-8 | CVE-2023-2455 | K000152931 | CVE-2023-2455 postgresql: row security policies disregard user ID changes after inlining. | 8.4.2 |
| 1928545 | CVE-2020-14349 | K000150943 | Postgres CVE-2020-14349: An uncontrolled search path element vulnerability in logical replication. | 8.4.2 |
| 1814405-2 | CVE-2024-11187 | K000150814 | CVE-2024-11187- Bind Vulnerability | 8.4.2 |
| 1324085-11 | CVE-2023-3446,CVE-2023-3817 | K000137969, BT1324085 | Multiple OpenSSL Vulnerabilities | 8.4.2 |
Functional Change Fixes
None
BIG-IQ Local Traffic & Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 2256705 | 3-Major | BT2256705 | Re-importing BIG-IP LTM device into BIG-IQ fails with "not authenticated" error when log-config filter/publisher objects are out of sync | 8.4.2 |
| 2251889 | 3-Major | BT2251889 | "dependsOn" property shown as changed for DNS A and AAAA Pool Members during configuration evaluation | 8.4.2 |
| 2219809 | 3-Major | BT2219809 | Unable to import Certificate with a custom silo | 8.4.2 |
| 2198921 | 3-Major | | CSR Attributes of certificates created by custom-role users are not visible to the same user | 8.4.2 |
BIG-IQ Configuration - Infrastructure Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 2219357 | 3-Major | BT2219357 | BIG-IP ASM configurations cannot be imported into BIG-IQ if the geolocation includes Curaçao (CW), Sint Maarten (SX), or South Sudan (SS). | 8.4.2 |
BIG-IQ Device Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 2251877 | 3-Major | BT2251877 | BIG-IQ API assigns incorrect Utility license offering when multiple SKUs share substring names | 8.4.2 |
| 2230133 | 3-Major | BT2230133 | The QKView does not include elasticsearch.yml configuration file on BIG-IQ | 8.4.2 |
| 2139221 | 3-Major | BT2139221 | Incorrect link reference to the internal F5 licensing service when activating BIG-IQ license | 8.4.2 |
REST Framework and TMOS Platform Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1923657-9 | 0-Unspecified | | CVE-2022-41858 kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip | 8.4.2 |
| 2263745-6 | 2-Critical | | CVE-2026-1519 bind: BIND: Denial of Service via maliciously crafted DNSSEC-validated zone | 8.4.2 |
| 2228901 | 2-Critical | | BIG-IQ Upgrade to 8.4.1 Breaks Single-NIC Deployments, Resulting in UI Access Loss | 8.4.2 |
| 2286445 | 3-Major | | CVE-2025-69873: Regular Expression Denial of Service (ReDoS) Vulnerability in ajv | 8.4.2 |
| 2286349 | 3-Major | | CVE-2026-4800: Vulnerability in lodash | 8.4.2 |
| 2286313 | 3-Major | | CVE-2025-13465: Vulnerability in lodash | 8.4.2 |
| 2286253 | 3-Major | | CVE-2025-13465: Security Vulnerability in lodash | 8.4.2 |
| 2286177 | 3-Major | | CVE-2026-4800: Vulnerability in lodash-es | 8.4.2 |
| 2198461-1 | 3-Major | | CVE-2025-64718: Security Vulnerability in js-yaml | 8.4.2 |
| 2198385-1 | 3-Major | | CVE-2025-5889: Vulnerability in brace-expansion | 8.4.2 |
| 2198233-1 | 3-Major | | CVE-2025-5889 - brace-expansion: juliangruber brace-expansion index.js expand redos | 8.4.2 |
| 2197965-1 | 3-Major | | CVE-2025-64718 js-yaml vulnerability | 8.4.2 |
| 2046917 | 3-Major | BT2046917 | Non-essential services (hwpd, ipsd, updated) show as "normally up" on BIG-IQ | 8.4.2 |
| 1893369-10 | 3-Major | | CVE-2021-33033 kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c | 8.4.2 |
| 2197085-1 | 4-Minor | | CVE-2022-41862 postgresql: Client memory disclosure when connecting with Kerberos to modified server | 8.4.2 |
| 2186153-5 | 4-Minor | | CVE-2025-8194 cpython: Cpython infinite loop when parsing a tarfile | 8.4.2 |
| 1429861-10 | 4-Minor | | CVE-2019-5737: HTTP or HTTPS Denial of Service in keep-alive mode (NodeJS v6) | 8.4.2 |
| 1052477-8 | 4-Minor | | CVE-2020-10751 kernel: SELinux netlink permission check bypass | 8.4.2 |
Cumulative fixes from BIG-IQ CM v8.4.1 that are included in this release
Vulnerability Fixes
| ID Number | CVE | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 974093-6 | CVE-2020-25705 | K09604370 | Linux kernel vulnerability CVE-2020-25705 | |
| 940317-12 | CVE-2020-13692 | K23157312, BT940317 | CVE-2020-13692: PostgreSQL JDBC Driver vulnerability | 8.4.0, 8.2.0 |
| 933501-2 | CVE-2021-22974 | K68652018 | iControl REST vulnerability CVE-2021-22974 | |
| 2140641-6 | CVE-2025-40778 | K000157334 | CVE-2025-40778: Bind Vulnerability | |
| 2140621-5 | CVE-2025-8677 | K000157317, BT2140621 | CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling | |
| 2137581-9 | CVE-2026-40629 | K000158978, BT2137581 | TMM core may occur under certain conditions | |
| 2131233-3 | CVE-2026-41227 | K000158979, BT2131233 | ADM not functioning properly | |
| 2130601-5 | CVE-2026-41957 | K000156761, BT2130601 | TMUI Request Processing Improvement | |
| 2078425-2 | CVE-2026-20916 | K000158029 | BIG-IQ Request Handling Improvements | |
| 2013225-2 | CVE-2021-34798 | K72382141 | CVE-2021-34798: Apache HTTP Server NULL pointer dereference via malformed requests (availability/DoS) | |
| 1620285 | CVE-2024-38477 | K000140784 | CVE-2024-38477 Apache HTTPD vulnerability | |
| 1271341-8 | CVE-2026-42920 | K000160901, BT1271341 | Unable to use DTLS without TMM crashing | |
| 1061969-24 | CVE-2015-3166, CVE-2019-10208, CVE-2021-32027, CVE-2020-25695, CVE-2019-10127, CVE-2016-0766, CVE-2018-10925, CVE-2020-25694, CVE-2019-10128, CVE-2020-25696, CVE-2016-0773, CVE-2018-10915, CVE-2020-14350, CVE-2020-14349, CVE-2021-32028, CVE-2020-1720, CVE-2021-32029, CVE-2017-7485, CVE-2014-0066, CVE-2015-5289, CVE-2014-0063, CVE-2014-0062, CVE-2014-0065, CVE-2014-0060, CVE-2014-0061, CVE-2014-0064, CVE-2019-10130 | K000149329, BT1061969 | Postgresql package upgrade to 15.0 version | |
| 1004881-9 | CVE-2015-9251,CVE-2016-7103,CVE-2017-18214,CVE-2018-16487,CVE-2018-3721,CVE-2019-1010266,CVE-2019-10744,CVE-2019-10768,CVE-2019-10768,CVE-2019-11358,CVE-2020-11022,CVE-2020-11023,CVE-2020-28168,CVE-2020-28500,CVE-2020-7676,CVE-2020-7676,CVE-2020-8203,CVE-2021-23337 | K12492858, BT1004881 | Update angular, jquery, moment, axios, and lodash libraries in AGC | |
| 993681-7 | CVE-2019-18282 | K32380005, BT993681 | CVE-2019-18282 Kernel: Device Tracking Vulnerability | |
| 989373-8 | CVE-2020-14314 | K67830124, BT989373 | CVE-2020-14314 kernel: buffer uses out of index in ext3/4 filesystem | |
| 987813-7 | CVE-2020-25643 | K65234135, BT987813 | CVE-2020-25643 kernel:improper input validation in the ppp_cp_parse_cr function | |
| 987749-10 | CVE-2020-10769 | K62532228, BT987749 | CVE-2020-10769 kernel: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c | |
| 981885-5 | CVE-2020-8285 | K61186963 | CVE-2020-8285 curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used | |
| 975605-7 | CVE-2018-1122 | K00409335, BT975605 | CVE-2018-1122 procps-ng, procps: Local privilege escalation in top | |
| 973409-9 | CVE-2020-1971 | K42910051, BT973409 | CVE-2020-1971 - openssl: EDIPARTYNAME NULL pointer de-reference | |
| 968737-3 | CVE-2018-18397 | K83102920, BT968737 | CVE-2018-18397 : kernel: userfaultfd bypasses tmpfs file permissions | |
| 968725-7 | CVE-2017-10661 | K04337834, BT968725 | Linux Kernel Vulnerability CVE-2017-10661 | |
| 950605-1 | CVE-2020-14145 | K48050136, BT950605 | Openssh insecure client negotiation CVE-2020-14145 | |
| 949889-8 | CVE-2019-3900 | K04107324, BT949889 | CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx() | |
| 945421-8 | CVE-2020-1968 | K92451315, BT945421 | CVE-2020-1968: Raccoon vulnerability | |
| 945109-13 | CVE-2015-9382 | K46641512, BT945109 | Freetype Parser Skip Token Vulnerability CVE-2015-9382 | 8.2.0 |
| 945033-9 | CVE-2019-9636, CVE-2019-10160 | K57542514, BT945033 | Python Vulnerability (CVE-2019-9636): Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization | |
| 928901-7 | CVE-2020-11022 | K02453220 | jQuery vulnerability CVE-2020-11022 | |
| 915981-7 | CVE-2022-26340 | K38271531, BT915981 | BIG-IP SCP hardening | |
| 845381-10 | CVE-2018-14468 | K04367730 | CVE-2018-14468 - TCPDUMP Buffer Over-Read Vulnerability in FRF.16 Parser | |
| 838697 | CVE-2020-5923 | K05975972 | CVE-2020-5923 - Self IP Port Lockdown Bypass Vulnerability | |
| 834153-6 | CVE-2019-13232 | K80311892 | CVE-2019-13232 unzip: overlapping of files in ZIP container | |
| 832757-7 | CVE-2017-18551 | K48073202, BT832757 | Linux kernel vulnerability CVE-2017-18551 | |
| 823877-15 | CVE-2019-10098, CVE-2020-1927 | K25126370, BT823877 | CVE-2019-10098 and CVE-2020-1927 apache mod_rewrite vulnerability | |
| 819053-8 | CVE-2019-13232 | K80311892, BT819053 | CVE-2019-13232 unzip: overlapping of files in ZIP container | |
| 816413-3 | CVE-2019-1125 | K31085564, BT816413 | CVE-2019-1125: Spectre SWAPGS Gadget | |
| 805793 | CVE-2018-20843 | K51011533 | CVE-2018-20843: libexpat XML parser denial-of-service via excessive colons in XML names (fixed in BIG-IQ 8.4.1) | |
| 798889-1 | CVE-2018-20836 | K11225249, BT798889 | CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free | |
| 760895-1 | CVE-2009-5155 | K64119434, BT760895 | CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result | |
| 757604-8 | CVE-2019-6109, CVE-2019-6110, CVE-2019-6111, CVE-2018-20685 | K12252011 | Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111 | |
| 740321-6 | CVE-2022-34851 | K50310001, BT740321 | iControl SOAP API does not follow current best practices | |
| 725045 | CVE-2018-15328 | K42027747 | SNMP traps do not follow current best practices | |
| 617963 | CVE-2015-1283 | K15104541 | CVE-2015-1283: Heap-buffer-overflow in expat. | |
| 1983321-4 | CVE-2025-48976 | K000152614, BT1983321 | CVE-2025-48976 apache-commons-fileupload: Apache Commons FileUpload DoS via part headers | |
| 1966849-7 | CVE-2023-5869 | K000152931, BT1966849 | CVE-2023-5869 postgresql: Buffer overrun from integer overflow in array modification | |
| 1928541 | CVE-2019-10164 | K000150943 | CVE-2019-10164 - PostgreSQL Stack-Based Buffer Overflow via Password Change | |
| 1858553-2 | CVE-2021-32027 | K000151082 | PostgreSQL vulnerability CVE-2021-32027 | |
| 1678793-8 | CVE-2019-14863 | K000141459, BT1678793 | CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes | |
| 1678777-9 | CVE-2022-25869 | K000141459, BT1678777 | CVE-2022-25869 angular.js : insecure page caching in the browser, which allows interpolation of <textarea> elements. | |
| 1589661-4 | CVE-2019-3860 | K000149288, BT1589661 | CVE-2019-3860 libssh2: Out-of-bounds reads with specially crafted SFTP packets | |
| 1589645-4 | CVE-2019-3859 | K000149288, BT1589645 | CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read | |
| 1589489-1 | CVE-2019-3858 | K000148713 | libssh Vulnerability CVE-2019-3858 | |
| 1517561-4 | CVE-2023-28484 | K000139641, BT1517561 | CVE-2023-28484 libxml2: NULL dereference in xmlSchemaFixupComplexType | |
| 1450481-4 | CVE-2026-41954 | K32950402, BT1450481 | TMSH hardening | |
| 1407837-1 | CVE-2020-22218 | K000138219, BT1407837 | libssh2 vulnerability CVE-2020-22218 | |
| 1393733-6 | CVE-2022-43750 | K000139700, BT1393733 | CVE-2022-43750 kernel: memory corruption in usbmon driver | |
| 1366025-15 | CVE-2023-44487 | K000137106, BT1366025 | A particular HTTP/2 sequence may cause high CPU utilization. | |
| 1330721-7 | CVE-2018-12115, CVE-2018-12116, CVE-2018-7167 | K000137093, BT1330721 | Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116 | |
| 1327169-6 | CVE-2023-24329 | K000135921, BT1327169 | CVE-2023-24329 python: urllib.parse url blocklisting bypass | |
| 1270257-7 | CVE-2023-0662 | K000133753, BT1270257 | CVE-2023-0662 php: DoS vulnerability when parsing multipart request body | |
| 1266853-11 | CVE-2023-24998 | K000133052, BT1266853 | CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts | |
| 1173825-5 | CVE-2026-41219 | K000157895, BT1173825 | Improper sanitisation in Qkview data | |
| 1167897-10 | CVE-2022-40674 | K44454157, BT1167897 | [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c | 8.3.0 |
| 1099365-6 | CVE-2018-25032 | K21548854 | CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs. | |
| 1093685-6 | CVE-2021-4083 | K52379673, BT1093685 | CVE-2021-4083 kernel: fget: check that the fd still exists after getting a ref to it | |
| 1089921-7 | CVE-2022-0359 | K08827426, BT1089921 | Vim vulnerability CVE-2022-0359 | |
| 1089233-6 | CVE-2022-0492 | K54724312 | CVE-2022-0492 Linux kernel vulnerability | |
| 1088445-10 | CVE-2022-22720 | K67090077, BT1088445 | CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body | |
| 1086325-9 | CVE-2016-4658 | K49419538, BT1086325 | CVE-2016-4658 libxml2 vulnerability | |
| 1070905-1 | CVE-2017-7656 | K21054458, BT1070905 | CVE-2017-7656 jetty: HTTP request smuggling using the range header | |
| 1058701 | CVE-2021-25219 | K77326807 | CVE-2021-25219 : BIND exploitation of broken authoritative servers | |
| 1058197-7 | CVE-2019-14973 | K000157984, BT1058197 | CVE-2019-14973: LibTIFF Vulnerability | |
| 1057393-4 | CVE-2019-18197 | K10812540, BT1057393 | CVE-2019-18197 libxslt vulnerability: use after free in xsltCopyText | |
| 1057141-1 | CVE-2018-14647 | K000151007, BT1057141 | CVE-2018-14647 python: Missing salt initialization in _elementtree.c module | |
| 1055925-3 | CVE-2022-34844 | K34511555, BT1055925 | TMM may crash while processing traffic on AWS | 8.4.2 |
| 1043977-7 | CVE-2021-3672, CVE-2021-22931 | K53225395, BT1043977 | CVE-2021-3672 CVE-2021-22931 NodeJS Vulnerabilities in iAppLX | |
| 1041141-1 | CVE-2021-35942 | K98121587, BT1041141 | CVE-2021-35942 glibc: Arbitrary read in wordexp() | |
| 1035781-2 | CVE-2021-33909 | K75133288, BT1035781 | CVE-2021-33909: Linux Kernel Vulnerability | |
| 1021245-4 | CVE-2019-20907 | K78284681, BT1021245 | CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive | |
| 1017965-7 | CVE-2021-25214 | K11426315, BT1017965 | BIND Vulnerability CVE-2021-25214 | |
| 1016657-6 | CVE-2022-26517 | K54082580, BT1016657 | TMM may crash while processing LSN traffic | |
| 1001369-5 | CVE-2020-12049 | K16729408, BT1001369 | D-Bus vulnerability CVE-2020-12049 | |
| 939421-8 | CVE-2020-10029 | K38481791, BT939421 | CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow | |
| 887637-6 | CVE-2019-3815 | K22040951, BT887637 | Systemd-journald Vulnerability: CVE-2019-3815 | |
| 713971-3 | CVE-2018-0739 | K08044291 | CVE-2018-0739: OpenSSL Vulnerability | |
| 2113093-2 | CVE-2021-3393 | K000149073 | CVE-2021-3393: Partition constraint violation errors leak values of denied columns | |
| 1921301 | CVE-2021-32028 CVE-2021-32029 | K000150746 | PostgreSQL Memory Disclosure Vulnerabilities | |
| 1692917-4 | CVE-2024-6232 | K000148252, BT1692917 | CVE-2024-6232 CPython Tarfile vulnerability | |
| 1586537-8 | CVE-2024-0985 | K000140188, BT1586537 | CVE-2024-0985 postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL | |
| 1566997-1 | CVE-2016-10349 | K000148259, BT1566997 | CVE-2016-10349 libarchive: Heap-based buffer over-read in the archive_le32dec function | |
| 1566533-6 | CVE-2017-18342 | K000139901, BT1566533 | CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code | |
| 1561689-1 | CVE-2016-10350 | K000148259, BT1561689 | CVE-2016-10350 libarchive: Heap-based buffer over-read in the archive_read_format_cab_read_header function | |
| 1474757-4 | CVE-2023-51385 | K000138827, BT1474757 | CVE-2023-51385 openssh: potential command injection via shell metacharacters | |
| 1470177-5 | CVE-2023-46218 | K000138650, BT1470177 | CVE-2023-46218 curl: information disclosure by exploiting a mixed case flaw | |
| 1330801-7 | CVE-2018-12123, CVE-2018-12121, CVE-2018-12122 | K000137090, BT1330801 | NodeJS Vulnerability CVE-2018-12123, CVE-2018-12121, CVE-2018-12122 | |
| 1304081-1 | CVE-2023-2650 | K000135178, BT1304081 | CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers | |
| 965545-13 | CVE-2020-27617 | K41142448, BT965545 | CVE-2020-27617 : QEMU Vulnerability | |
| 872109-15 | CVE-2019-17563 | K24551552, BT872109 | CVE-2019-17563: Tomcat Vulnerability | |
| 1678769-8 | CVE-2023-26116 | K000141463, BT1678769 | CVE-2023-26116 angularjs: Regular Expression Denial of Service via angular.copy() | |
| 1673161-5 | CVE-2023-45853 | K000149884, BT1673161 | CVE-2023-45853 zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6 | |
| 1623197-4 | CVE-2024-37891 | K000140711, BT1623197 | CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects | |
Functional Change Fixes
None
BIG-IQ System User Interface Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1038149 | 2-Critical | | WS-2019-0063 | 8.3.0 |
BIG-IQ Local Traffic & Management Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1988937-2 | 3-Major | | Inability to overwrite an existing cert bundle due to excessive calls to certificate-management | |
| 1921553-2 | 3-Major | | Re-import LTM service with log filter fail with error "Failed copying from source to target: java.lang.RuntimeException: not authenticated" | |
REST Framework and TMOS Platform Fixes
| ID Number | Severity | Links to More Info | Description | Fixed Versions |
|---|---|---|---|---|
| 1925461-11 | 0-Unspecified | | CVE-2016-2053 Linux Kernel Vulnerability | |
| 2140909 | 2-Critical | BT2140909 | BIG-IQ: Enable F5 Trusted CA store avoid CA pinning | 8.3.0 |
| 2162989 | 3-Major | | BIG-IQ CM is unable to request full cert bundle from Venafi | |
| 2149233-6 | 3-Major | K000158082, BT2149233 | TMM crashes when using SSL | |
| 2141245-4 | 3-Major | | Undisclosed traffic to TMM can lead to resource exhaustion | |
| 2014237-2 | 3-Major | | CVE-2022-29154: rsync client path validation issue may allow overwrite of arbitrary files in target directory | |
| 1923997-9 | 3-Major | | CVE-2023-1668 openvswitch: ip proto 0 triggers incorrect handling | |
| 1923817-8 | 3-Major | | CVE-2017-11499: Constant Hashtable Seeds vulnerability (NodeJS v6.9.1) | |
| 1093933-6 | 3-Major | | CVE-2020-7774 nodejs-y18n prototype pollution vulnerability | |
| 1753617-8 | 4-Minor | | CVE-2023-24621 Untrusted Polymorphic Deserialization to Java Classes | |
| 1144421-1 | 4-Minor | | CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation | |
| 1069949-5 | 4-Minor | | CVE-2018-1000007 curl: HTTP authentication leak in redirects | |
| 1061485-7 | 4-Minor | | CVE-2019-19527: Linux kernel vulnerability | |
| 1059229-1 | 4-Minor | | CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c | |
| 1052437-1 | 4-Minor | | CVE-2019-19532 kernel: malicious USB devices can lead to multiple out-of-bounds write | |
| 1052433-1 | 4-Minor | | CVE-2019-19530: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver | |
| 1052333-12 | 4-Minor | | CVE-2018-16885: Linux kernel vulnerability | |
| 1052253-12 | 4-Minor | | CVE-2018-13095 kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c | |
| 1052249-11 | 4-Minor | | CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function | |
| 1052245-6 | 4-Minor | | CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function | |
| 1052217-11 | 4-Minor | | CVE-2018-19985 kernel: oob memory read in hso_probe in drivers/net/usb/hso.c | |
| 1051869-6 | 4-Minor | | CVE-2018-20169: Linux kernel vulnerability | |
| 1051769-5 | 4-Minor | | CVE-2019-10140 kernel: overlayfs: NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c | |
| 1051697-8 | 4-Minor | | CVE-2019-11833 kernel: fs/ext4/extents.c leads to information disclosure | |
Cumulative fix details for BIG-IQ CM v8.4.2 that are included in this release
987749-10 : CVE-2020-10769 kernel: A buffer over-read flaw was found in crypto_authenc_extractkeys in crypto/authenc.c
981885-5 : CVE-2020-8285 curl: malicious FTP server can trigger stack overflow when CURLOPT_CHUNK_BGN_FUNCTION is used
Links to More Info: K61186963
974093-6 : Linux kernel vulnerability CVE-2020-25705
Links to More Info: K09604370
949889-8 : CVE-2019-3900: An infinite loop issue was found in the vhost_net kernel module while handling incoming packets in handle_rx()
945033-9 : Python Vulnerability (CVE-2019-9636): Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization
939421-8 : CVE-2020-10029: Pseudo-zero values are not validated causing a stack corruption due to a stack-based overflow
933501-2 : iControl REST vulnerability CVE-2021-22974
Links to More Info: K68652018
928901-7 : jQuery vulnerability CVE-2020-11022
Links to More Info: K02453220
845381-10 : CVE-2018-14468 - TCPDUMP Buffer Over-Read Vulnerability in FRF.16 Parser
Links to More Info: K04367730
838697 : CVE-2020-5923 - Self IP Port Lockdown Bypass Vulnerability
Links to More Info: K05975972
834153-6 : CVE-2019-13232 unzip: overlapping of files in ZIP container
Links to More Info: K80311892
805793 : CVE-2018-20843: libexpat XML parser denial-of-service via excessive colons in XML names (fixed in BIG-IQ 8.4.1)
Links to More Info: K51011533
798889-1 : CVE-2018-20836 kernel: race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c leads to use-after-free
760895-1 : CVE-2009-5155 glibc: parse_reg_exp in posix/regcomp.c misparses alternatives leading to denial of service or trigger incorrect result
757604-8 : Multiple OpenSSH issues: CVE-2018-20685, CVE-2019-6109, CVE-2019-6110, and CVE-2019-6111
Links to More Info: K12252011
725912 : CVE-2018-3665: Intel Lazy FPU Vulnerability
Links to More Info: K21344224
725045 : SNMP traps do not follow current best practices
Links to More Info: K42027747
713971-3 : CVE-2018-0739: OpenSSL Vulnerability
Links to More Info: K08044291
617963 : CVE-2015-1283: Heap-buffer-overflow in expat.
Links to More Info: K15104541
2286445 : CVE-2025-69873: Regular Expression Denial of Service (ReDoS) Vulnerability in ajv
Component: REST Framework and TMOS Platform
Symptoms:
ajv (Another JSON Schema Validator) before 8.18.0 is vulnerable to Regular Expression Denial of Service (ReDoS) when the $data option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax ($data reference), which is passed directly to the JavaScript RegExp() constructor without validation. An attacker can inject a malicious regex pattern (e.g., "^(a|a)*$") combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with $data: true for dynamic schema validation.
Conditions:
This issue arises when the $data feature is enabled in ajv and unvalidated input is passed to runtime schemas containing the pattern keyword.
Impact:
This could render the application unavailable, causing significant operational disruptions. While confidentiality or integrity remain unaffected, availability is severely impacted.
Workaround:
NA
Fix:
This issue has been fixed in BIG-IQ 8.4.2
Fixed Versions:
8.4.2
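As an added illustration of the $data issue above (this is not ajv's code and not part of the F5 release note; ajv's own fix is the 8.18.0 upgrade): a guard that resolves a pattern from instance data via JSON Pointer, the way a `pattern: {$data: ...}` keyword does, and refuses to hand the pattern to `RegExp()` when its shape permits catastrophic backtracking. The JSON Pointer resolver, the rejection heuristic, the length cap and the sample documents are all assumptions of this example.

```javascript
// Added example (not from ajv or F5): validate a runtime-supplied regex pattern
// before compiling it, instead of passing $data straight into RegExp().

// Assumed cap: genuine validation patterns are short; backtracking payloads grow.
const MAX_PATTERN_LENGTH = 64;

// Resolve an RFC 6901 JSON Pointer such as "/config/pattern" against a document,
// walking own properties only so a pointer can never reach a prototype.
function resolvePointer(doc, pointer) {
  if (pointer === '') return doc;
  if (typeof pointer !== 'string' || !pointer.startsWith('/')) {
    throw new Error('invalid JSON Pointer: ' + String(pointer));
  }
  return pointer
    .slice(1)
    .split('/')
    .map((t) => t.replace(/~1/g, '/').replace(/~0/g, '~'))
    .reduce((cur, token) => {
      if (cur === null || typeof cur !== 'object') return undefined;
      if (!Object.prototype.hasOwnProperty.call(cur, token)) return undefined;
      return cur[token];
    }, doc);
}

// Heuristic (deliberately conservative): reject any quantified group, which is
// the shape behind "^(a|a)*$" and similar nested-quantifier patterns, reject
// backreferences, and reject non-string or overlong values. An escaped literal
// ")" followed by a quantifier is also rejected; that is an accepted false positive.
// Returns null when the pattern is acceptable, otherwise a short reason.
function unsafePatternReason(pattern) {
  if (typeof pattern !== 'string') return 'pattern is not a string';
  if (pattern.length > MAX_PATTERN_LENGTH) return 'pattern too long';
  if (/\)[*+{]/.test(pattern)) return 'quantified group';
  if (/\\\d/.test(pattern)) return 'backreference';
  try {
    new RegExp(pattern, 'u');
  } catch (e) {
    return 'invalid regex: ' + e.message;
  }
  return null;
}

// Compile the pattern referenced by a $data pointer only after it passes the guard.
function compileDataPattern(instance, pointer) {
  const pattern = resolvePointer(instance, pointer);
  const reason = unsafePatternReason(pattern);
  if (reason !== null) return { ok: false, reason };
  return { ok: true, regex: new RegExp(pattern, 'u') };
}

// Check `value` against the runtime pattern; a rejected pattern fails closed.
function validateWithDataPattern(instance, pointer, value) {
  const compiled = compileDataPattern(instance, pointer);
  if (!compiled.ok) {
    return { valid: false, error: 'pattern rejected: ' + compiled.reason };
  }
  return { valid: compiled.regex.test(value), error: null };
}

// Constructed sample documents (not from the page): one benign, one carrying the
// quantified-alternation pattern quoted in the advisory text.
const SAFE_DOC = { config: { pattern: '^[a-z]{1,32}$' }, name: 'alpha' };
const HOSTILE_DOC = { config: { pattern: '^(a|a)*$' }, name: 'a'.repeat(30) + 'b' };
```

In the hostile case the regex is never constructed, so the request fails in constant time rather than blocking the event loop.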
2286349 : CVE-2026-4800: Vulnerability in lodash
Component: REST Framework and TMOS Platform
Symptoms:
A vulnerability was identified in the lodash-es package from v4.0.0 to v4.18.0 (excluding), potentially allowing attackers to manipulate property access or perform prototype pollution. Exploiting this can enable attackers to execute arbitrary code or modify application behavior.
Conditions:
NA
Impact:
Can lead to unauthorized modification of application behavior, exposing sensitive information, causing data corruption, or enabling arbitrary code execution.
Workaround:
This issue has been fixed in BIG-IQ 8.4.2
Fix:
This issue has been fixed in BIG-IQ 8.4.2
Fixed Versions:
8.4.2
2286313 : CVE-2025-13465: Vulnerability in lodash
Component: REST Framework and TMOS Platform
Symptoms:
A vulnerability exists in Lodash versions 4.0.0 through 4.17.22 impacting the _.unset and _.omit functions. This issue allows attackers to delete methods from global prototypes by passing crafted paths, potentially impacting runtime behavior of applications. While this issue permits deletion, it does not allow overwriting property behavior.
Conditions:
NA
Impact:
Application instability or service disruption. Confidentiality is not directly impacted, but availability and integrity are at significant risk.
Workaround:
This issue has been fixed in BIG-IQ 8.4.2
Fix:
This issue has been fixed in BIG-IQ 8.4.2
Fixed Versions:
8.4.2
2286253 : CVE-2025-13465: Security Vulnerability in lodash
Component: REST Framework and TMOS Platform
Symptoms:
Lodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the _.unset and _.omit functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes.
The issue permits deletion of properties but does not allow overwriting their original behavior.
Conditions:
NA
Impact:
Application instability or service disruption. Confidentiality is not directly impacted, but availability and integrity are at significant risk.
Workaround:
This issue has been fixed in BIG-IQ 8.4.2
Fix:
This issue has been fixed in BIG-IQ 8.4.2
Fixed Versions:
8.4.2
2286177 : CVE-2026-4800: Vulnerability in lodash-es
Component: REST Framework and TMOS Platform
Symptoms:
A vulnerability was identified in the lodash-es package from v4.0.0 to v4.18.0 (excluding), potentially allowing attackers to manipulate property access or perform prototype pollution.
Conditions:
The issue arises when the vulnerable version of the lodash-es library is used to process untrusted user-generated inputs.
Impact:
Can lead to unauthorized modification of application behavior, exposing sensitive information, causing data corruption, or enabling arbitrary code execution.
Workaround:
This issue has been fixed in BIG-IQ 8.4.2
Fix:
This issue has been fixed in BIG-IQ 8.4.2
Fixed Versions:
8.4.2
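An added example covering the four lodash and lodash-es entries above (CVE-2025-13465 on crafted _.unset/_.omit paths and CVE-2026-4800 on property access); it is not lodash's code and not from the F5 release note, whose fix is the library upgrade. It shows the input check a caller can place in front of such path helpers: a path-based unset that rejects any segment able to reach a shared prototype and walks own properties only. The accepted path syntax and the forbidden-segment list are assumptions of this example.

```javascript
// Added example (not lodash's code): an _.unset-style helper that cannot be
// steered onto Object.prototype or a class prototype by a crafted path.

// Assumed deny-list: these segments are the only ways a string path can step
// from an ordinary object onto a prototype shared by other objects.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept an array of keys or a dotted/bracketed string such as "a.b[0].c".
function toPathSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path)
    .replace(/\[(\w+)\]/g, '.$1')
    .split('.')
    .filter((s) => s.length > 0);
}

// Return the first forbidden segment in the path, or null if none is present.
function forbiddenSegment(path) {
  for (const seg of toPathSegments(path)) {
    if (FORBIDDEN_SEGMENTS.has(seg)) return seg;
  }
  return null;
}

// Delete the own property at `path`. The traversal uses hasOwnProperty at every
// step, so inherited properties are never followed; returns true only when an
// own property was actually removed.
function safeUnset(obj, path) {
  const bad = forbiddenSegment(path);
  if (bad !== null) throw new Error(`refusing path segment "${bad}"`);
  const segs = toPathSegments(path);
  if (segs.length === 0) return false;
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur === null || typeof cur !== 'object') return false;
    if (!Object.prototype.hasOwnProperty.call(cur, segs[i])) return false;
    cur = cur[segs[i]];
  }
  const last = segs[segs.length - 1];
  if (cur === null || typeof cur !== 'object') return false;
  if (!Object.prototype.hasOwnProperty.call(cur, last)) return false;
  return delete cur[last];
}

// Omit-style counterpart: copy the object without the listed paths, refusing
// any path the guard would refuse for safeUnset.
function safeOmit(obj, paths) {
  const copy = JSON.parse(JSON.stringify(obj));
  for (const p of paths) safeUnset(copy, p);
  return copy;
}
```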
2263745-6 : CVE-2026-1519 bind: BIND: Denial of Service via maliciously crafted DNSSEC-validated zone
Component: REST Framework and TMOS Platform
Symptoms:
A vulnerability in BIND could allow a remote attacker to send a malicious DNSSEC zone, causing high CPU usage and resulting in a denial of service (DoS).
Conditions:
The vulnerability can be exploited when a BIND resolver processes a maliciously crafted DNSSEC-validated zone.
Impact:
An attacker could cause excessive CPU consumption on the BIND resolver, leading to a denial of service (DoS) and disruption of legitimate DNS requests.
Workaround:
Upgrade BIND to the fixed version.
Fix:
BIND upgraded to the fixed version.
Fixed Versions:
8.4.2
2256705 : Re-importing BIG-IP LTM device into BIG-IQ fails with "not authenticated" error when log-config filter/publisher objects are out of sync
Links to More Info: BT2256705
Component: BIG-IQ Local Traffic & Management
Symptoms:
When attempting to re-import a BIG-IP LTM device into BIG-IQ, the operation fails during the COPY_CONFIG step with the following error:
Failed to copy configuration to working-config; reason: Failed copying from source to target: java.lang.RuntimeException: not authenticated
The failure occurs during bulk update operations involving log-config filter and publisher objects.
Conditions:
-- Log-config publisher objects exist on both BIG-IPs
-- Log-config filter object exists only on one BIG-IP
-- After modifying the log-config filter on the BIG-IP with the filter, and re-importing into BIG-IQ, a sync gap is created
-- Re-import triggers a bulk update, targeting the device missing the filter
Impact:
Users are unable to re-import BIG-IP LTM devices into BIG-IQ when log-config filter/publisher objects are out of sync. This blocks configuration management and synchronization between BIG-IQ and BIG-IP devices.
Workaround:
None.
Fix:
Re-importing BIG-IP LTM devices now succeeds even when log-config filter/publisher objects are out of sync. The "not authenticated" error no longer occurs.
Fixed Versions:
8.4.2
2251889 : "dependsOn" property shown as changed for DNS A and AAAA Pool Members during configuration evaluation
Links to More Info: BT2251889
Component: BIG-IQ Local Traffic & Management
Symptoms:
During a configuration evaluation in BIG-IQ for DNS pool members (A and AAAA types), the system consistently reports a difference: the DNS device configuration includes 'dependsOn': [], whereas the BIG-IQ configuration omits the 'dependsOn' property. This leads to persistent false-positive configuration differences during evaluation and deployment.
Conditions:
-- DNS pool member (A or AAAA type) is imported from a DNS device into BIG-IQ
-- Pool member is modified or created in BIG-IQ and pushed to the DNS device
-- The process is performed using Configuration -> Evaluate & Deploy -> DNS in BIG-IQ
Impact:
The evaluation page consistently displays differences for pool members, causing confusion and making it difficult for users to identify actual configuration changes. This affects the reliability of BIG-IQ for managing DNS devices.
Workaround:
None.
Fix:
The transform logic for DNS pool member objects in BIG-IQ has been updated to create the 'dependsOn' property only when dependencies exist. Configuration evaluation now accurately reflects the state of pool members, eliminating false-positive differences.
Fixed Versions:
8.4.2
2251877 : BIG-IQ API assigns incorrect Utility license offering when multiple SKUs share substring names
Links to More Info: BT2251877
Component: BIG-IQ Device Management
Symptoms:
When assigning a Utility license offering via the BIG-IQ API, if multiple offerings have similar SKU names (e.g., one SKU is a substring of another), the API may assign the incorrect license. The system selects the first matching offering from the database, which may not be the intended SKU.
Conditions:
- License pool contains multiple offerings with similar SKU names (e.g., F5-BIG-MSP-A-LTM-12 and F5-BIG-MSP-A-LTM-12-R).
- License assignment is performed using the BIG-IQ API.
- The SKU keyword used in the API request matches more than one offering.
Impact:
The API may assign the wrong license offering, resulting in incorrect licensing of BIG-IP devices. This can affect automation and management workflows, especially for devices that are unreachable or managed only via API.
Workaround:
None
Fix:
The license assignment logic now sorts offerings by the "name" field in ascending order before matching. Because a name sorts before any longer name that extends it, the exact SKU is chosen ahead of variants that merely contain it as a substring.
Fixed Versions:
8.4.2
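The following is an added illustration, not BIG-IQ's own code, of why a first-substring-match lookup licenses the wrong offering and what the sort-by-name rule changes. The two SKU names are the ones named in this entry; the third SKU, the regKey values and the lookup functions are constructed for the example.

```python
# Added example (not BIG-IQ's own code): how a first-substring-match lookup
# selects the wrong Utility offering and how the sort-by-name rule changes it.
# The two real SKU names come from the release note; the third SKU, the regKey
# values and the lookup functions are constructed for illustration.

OFFERINGS = [  # constructed sample in an arbitrary database scan order
    {"name": "F5-BIG-MSP-A-LTM-12-R", "regKey": "KEY-R"},
    {"name": "F5-BIG-MSP-A-LTM-12", "regKey": "KEY-BASE"},
    {"name": "F5-BIG-MSP-A-LTM-12-X", "regKey": "KEY-X"},  # hypothetical SKU
]


def pick_first_match(offerings, keyword):
    """Pre-8.4.2 behaviour as described: the first offering whose name contains
    the keyword wins, so scan order decides which license a device receives."""
    for offering in offerings:
        if keyword in offering["name"]:
            return offering
    return None


def pick_sorted_match(offerings, keyword):
    """Behaviour of the 8.4.2 fix as described: sort by name ascending, then
    take the first substring match. A name sorts before any longer name that
    extends it, so the exact SKU wins over its suffixed variants."""
    for offering in sorted(offerings, key=lambda o: o["name"]):
        if keyword in offering["name"]:
            return offering
    return None


def pick_exact(offerings, keyword):
    """Stricter client-side rule for automation: accept only a single exact
    name match and return None when the keyword is ambiguous, so the caller
    fails closed instead of licensing a device with the wrong SKU."""
    exact = [o for o in offerings if o["name"] == keyword]
    return exact[0] if len(exact) == 1 else None


def ambiguous_candidates(offerings, keyword):
    """Names the keyword matches by substring, for a useful error message."""
    return sorted(o["name"] for o in offerings if keyword in o["name"])


if __name__ == "__main__":
    sku = "F5-BIG-MSP-A-LTM-12"
    print("first match :", pick_first_match(OFFERINGS, sku)["regKey"])
    print("sorted match:", pick_sorted_match(OFFERINGS, sku)["regKey"])
    print("exact match :", pick_exact(OFFERINGS, sku)["regKey"])
```

The sort rule only guarantees the shortest match when the candidates are prefix-related; a short keyword that matches SKUs with different prefixes still yields the lexicographically first one. Automation against the API should therefore send the complete SKU name and treat any ambiguity as an error rather than rely on ordering.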
2230133 : The QKView does not include elasticsearch.yml configuration file on BIG-IQ
Links to More Info: BT2230133
Component: BIG-IQ Device Management
Symptoms:
When generating a QKView on BIG-IQ, the resulting archive does not include the /var/config/rest/elasticsearch/config/elasticsearch.yml file, which is crucial for troubleshooting Elasticsearch-related issues.
Conditions:
-- QKView is generated on a BIG-IQ system running version 8.4.1.
-- The user extracts and examines the QKView archive.
-- The file /var/config/rest/elasticsearch/config/elasticsearch.yml is missing from the archive.
Impact:
Support and users are unable to review Elasticsearch configuration details from QKView, which can hinder troubleshooting and root cause analysis of Elasticsearch problems.
Workaround:
Manually collect the /var/config/rest/elasticsearch/config/elasticsearch.yml file from the BIG-IQ system and provide it to support as needed.
Fix:
QKView will include the /var/config/rest/elasticsearch/config/elasticsearch.yml file in the archive, allowing for complete Elasticsearch configuration review during troubleshooting.
Fixed Versions:
8.4.2
2228901 : BIG-IQ Upgrade to 8.4.1 Breaks Single-NIC Deployments, Resulting in UI Access Loss
Component: REST Framework and TMOS Platform
Symptoms:
After upgrading BIG-IQ CM or DCD with a single network interface from version 8.4.0 to 8.4.1, the management user interface becomes inaccessible on the default port 443. During the post-upgrade reboot, the system automatically reconfigures itself into single-NIC mode, changing the HTTPS port to 8443 and creating a self IP configuration called self_1nic.
Conditions:
This issue occurs when ALL of the following conditions are met:
-- BIG-IQ system (CM or DCD) has only one network interface (single-NIC configuration)
-- Upgrading from BIG-IQ version 8.4.0 to version 8.4.1
-- The system database variable provision.1nic is set to a non-forced value ("enable" or "disable") before upgrade
Impact:
-- Management UI becomes inaccessible at the expected port 443 (port changes to 8443)
-- Production systems require manual intervention to restore functionality
Workaround:
Force-disable single-NIC auto-detection before initiating the upgrade:
tmsh modify sys db provision.1nic value forced_disable
Fix:
The upgrade process now preserves the provision.1nic setting, preventing incorrect reconfiguration of single-NIC systems. Web UI and device discovery/import function as expected after upgrade.
Fixed Versions:
8.4.2
2221517-5 : BIG-IP SCP hardening
Links to More Info: K000160971
2221445-5 : Improving scripts of Failover
Links to More Info: K000160972, BT2221445
2221413-5 : SCP Improvement
Links to More Info: K000160971, BT2221413
2219809 : Unable to import Certificate with a custom silo
Links to More Info: BT2219809
Component: BIG-IQ Local Traffic & Management
Symptoms:
An error, 'Failed to update cert bundle subcollection,' is displayed when attempting to import a certificate using a custom silo.
Conditions:
Importing a certificate into BIG-IQ with a custom silo (not the default or no-silo) selected during the import process.
Impact:
The certificate cannot be imported under a custom silo.
Workaround:
None.
Fix:
The certificate can be imported successfully under a custom silo.
Fixed Versions:
8.4.2
2219357 : BIG-IP ASM configurations cannot be imported into BIG-IQ if the geolocation includes Curaçao (CW), Sint Maarten (SX), or South Sudan (SS).
Links to More Info: BT2219357
Component: BIG-IQ Configuration - Infrastructure
Symptoms:
When attempting to import a BIG-IP device into BIG-IQ, the operation fails with an error such as:
Failed to copy configuration to working-config; reason: Failed copying from source to target: java.lang.IllegalArgumentException: Invalid country code or country : Curacao
The same failure occurs when the configuration references Sint Maarten (SX) or South Sudan (SS).
Conditions:
The BIG-IP configuration references the geolocation country codes "CW" (Curaçao), "SX" (Sint Maarten), or "SS" (South Sudan).
Attempting to import this configuration into BIG-IQ.
The geolocations.json file on BIG-IQ does not include these country codes.
Impact:
The BIG-IP device cannot be imported into BIG-IQ if the Address List contains the country codes 'SS,' 'CW,' or 'SX.'
Workaround:
Manually add the following entries for "SS" (South Sudan), "CW" (Curaçao), and "SX" (Sint Maarten) to the file /var/config/rest/security/geolocations.json on the BIG-IQ system, then restart the restjavad service:
"SS" :
{
"code" : "SS",
"name" : "South Sudan",
"regions" : [
"Central Equatoria",
"Eastern Equatoria",
"Jonglei",
"Lakes",
"Northern Bahr el-Ghazal",
"Unity",
"Upper Nile",
"Warrap",
"Western Bahr el-Ghazal",
"Western Equatoria"]
},
"CW" :
{
"code" : "CW",
"name" : "Curacao",
"regions" : []
},
"SX" :
{
"code" : "SX",
"name" : "Sint Maarten",
"regions" : []
}
After updating the file, run:
bigstart restart restjavad
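The following script is an added example, not F5 code, that applies the workaround above to geolocations.json idempotently, keeping a backup and replacing the file atomically so a failed write cannot leave restjavad with a half-written file. It assumes the file is a single JSON object keyed by ISO country code, as the snippet above implies, and uses the path named in the workaround; verify both against your system before running it as root.

```python
# Added example (not F5 code): apply the geolocations.json workaround
# idempotently, with a backup and an atomic replace. Assumptions: the file is
# a JSON object keyed by ISO 3166 country code (inferred from the snippet in
# the workaround) and lives at the path named there.
import json
import os
import shutil
import tempfile

GEO_FILE = "/var/config/rest/security/geolocations.json"

MISSING = {
    "SS": {"code": "SS", "name": "South Sudan", "regions": [
        "Central Equatoria", "Eastern Equatoria", "Jonglei", "Lakes",
        "Northern Bahr el-Ghazal", "Unity", "Upper Nile", "Warrap",
        "Western Bahr el-Ghazal", "Western Equatoria"]},
    "CW": {"code": "CW", "name": "Curacao", "regions": []},
    "SX": {"code": "SX", "name": "Sint Maarten", "regions": []},
}


def merge_countries(geo, missing=MISSING):
    """Return (merged, added_codes). Codes already present are left as they
    are, so running this again after an upgrade that ships them is a no-op."""
    if not isinstance(geo, dict):
        raise ValueError("geolocations.json root must be a JSON object")
    merged = dict(geo)
    added = []
    for code, entry in missing.items():
        if entry.get("code") != code or not isinstance(entry.get("regions"), list):
            raise ValueError(f"malformed entry for {code}")
        if code not in merged:
            merged[code] = entry
            added.append(code)
    return merged, added


def patch_file(path=GEO_FILE):
    """Back up path to path.bak, merge, and replace the file atomically.
    Returns the list of codes added (empty when nothing needed changing)."""
    with open(path, encoding="utf-8") as fh:
        geo = json.load(fh)
    merged, added = merge_countries(geo)
    if not added:
        return added
    shutil.copy2(path, path + ".bak")
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".",
                               prefix=".geolocations.", suffix=".json")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(merged, fh, indent=2)
        fh.write("\n")
    shutil.copymode(path, tmp)  # keep the original file's permissions
    os.replace(tmp, path)       # atomic rename over the live file
    return added


def self_check():
    """Exercise patch_file on a throwaway file with a constructed US entry.
    Returns (first_run_added, second_run_added, backup_exists, codes_present)."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "geolocations.json")
        with open(p, "w", encoding="utf-8") as fh:
            json.dump({"US": {"code": "US", "name": "United States", "regions": []}}, fh)
        first = patch_file(p)
        second = patch_file(p)
        with open(p, encoding="utf-8") as fh:
            present = sorted(json.load(fh))
        return first, second, os.path.exists(p + ".bak"), present


if __name__ == "__main__":
    print("added:", patch_file())
```

The script does not restart anything; after it reports added codes, run bigstart restart restjavad as the workaround states. Its second run returns an empty list, which is the behaviour you want if the script is left in a post-upgrade checklist.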
Fix:
BIG-IQ now includes the country codes 'CW' (Curaçao), 'SX' (Sint Maarten), and 'SS' (South Sudan) in the geolocations.json file, enabling the successful import of BIG-IP configurations that reference these geolocations.
Fixed Versions:
8.4.2
2216645-4 : UCS Backup Improvements
Links to More Info: K000160857, BT2216645
2198921 : CSR Attributes of certificates created by custom-role users are not visible to the same user
Component: BIG-IQ Local Traffic & Management
Symptoms:
When a custom-role user creates a certificate, the CSR attributes are not visible unless an admin manually assigns the certificate to the appropriate Resource Group.
Conditions:
This issue occurs when a custom-role user with a custom service role (assigned a Role Type and Resource Group) creates a certificate using a Venafi CA provider. The CSR attributes are not visible to the user who created the certificate.
Impact:
Users with custom service roles are unable to view the CSR attributes for certificates they create, even though they have full permissions on certificate-related objects.
Workaround:
The CSR attributes become visible to the creator once an admin manually adds the certificate to the Resource Group.
Fix:
CSR attributes for a certificate are now visible to the user who created it.
Fixed Versions:
8.4.2
2198461-1 : CVE-2025-64718: Security Vulnerability in js-yaml
Component: REST Framework and TMOS Platform
Symptoms:
In js-yaml before 4.1.1 and 3.14.2, a crafted YAML document can modify the prototype of the parsed result (prototype pollution via `__proto__`). Depending on how the application uses the parsed data, this can lead to denial of service (DoS) or other unexpected behaviour.
Conditions:
NA
Impact:
Disrupt service availability (DoS), or gain unauthorized access.
Workaround:
NA
Fix:
This issue is fixed in BIG-IQ 8.4.2.
Fixed Versions:
8.4.2
2198385-1 : CVE-2025-5889: Vulnerability in brace-expansion
Component: REST Framework and TMOS Platform
Symptoms:
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.
Conditions:
NA
Impact:
Can lead to resource exhaustion while the affected regular expression is evaluated, resulting in denial of service (DoS).
Workaround:
NA
Fix:
This issue is fixed in BIG-IQ 8.4.2.
Fixed Versions:
8.4.2
2198369-1 : CVE-2022-31129 - Multiple Libraries - bigiq-analytics-ui
Links to More Info: K000157365
2198233-1 : CVE-2025-5889 - brace-expansion: juliangruber brace-expansion index.js expand redos
Component: REST Framework and TMOS Platform
Symptoms:
The vulnerability in the expand function of the brace-expansion library versions up to 1.1.11, 2.0.1, 3.0.0, and 4.0.0 involves inefficient regular expression complexity. Processing specially crafted inputs can lead to resource exhaustion, potentially resulting in Denial-of-Service (DoS).
Conditions:
NA
Impact:
May result in Denial-of-Service (DoS) caused by resource exhaustion during regex processing in the affected brace-expansion library.
Workaround:
None.
Fix:
BIG-IQ 8.4.2 upgrades brace-expansion from version 1.1.11 to 1.1.12, which addresses this issue.
Fixed Versions:
8.4.2
2198065-1 : CVE-2021-41184 - jquery-ui-1.12.1.tgz - bigiq-mgmt-ui
Links to More Info: K50455702
2198053-1 : CVE-2022-31129 - moment-2.29.1.tgz - bigiq-mgmt-ui
Links to More Info: K000157365
2198049-1 : CVE-2022-31160 - jquery-ui-1.12.1.tgz - bigiq-mgmt-ui
Links to More Info: K000134507
2197965-1 : CVE-2025-64718 js-yaml vulnerability
Component: REST Framework and TMOS Platform
Symptoms:
js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).
Conditions:
NA
Impact:
Impacts data integrity.
Workaround:
NA
Fix:
This issue has been fixed in BIG-IQ 8.4.2.
Fixed Versions:
8.4.2
2197085-1 : CVE-2022-41862 postgresql: Client memory disclosure when connecting with Kerberos to modified server
Component: REST Framework and TMOS Platform
Symptoms:
In PostgreSQL, a modified, unauthenticated server can send an unterminated string during the establishment of Kerberos transport encryption. In certain conditions a server can cause a libpq client to over-read and report an error message containing uninitialized bytes.
Conditions:
This issue occurs when the PostgreSQL libpq client library is used, Kerberos transport encryption is enabled, and the client connects to a modified server.
Impact:
Disclosure of sensitive client memory in error messages and potential exploitation of uninitialized data by malicious servers.
Workaround:
NA
Fix:
The issue is resolved by upgrading PostgreSQL to version 15.17 in BIG-IQ 8.4.2.
Fixed Versions:
8.4.2
2186153-5 : CVE-2025-8194 cpython: Cpython infinite loop when parsing a tarfile
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in the Python tarfile module. Processing a specially crafted tar archive, specifically an archive with negative offsets, can cause an infinite loop and deadlock. This issue results in a denial of service in the Python application using the tarfile module.
Conditions:
The application uses the Python tarfile module to process an attacker-supplied malicious tar archive containing negative offsets.
Impact:
It can cause an infinite loop leading to application hang or denial of service.
Workaround:
Update to a patched Python version and avoid processing untrusted tar archives, or validate archives before extraction
Fix:
Upgrade to a Python version that includes the tarfile module fix for this issue.
Fixed Versions:
8.4.2
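The workaround above suggests validating archives before extraction. The block below is an added example, not from CPython or from this page, of a bounded walk over a tar archive's raw 512-byte headers that refuses the negative base-256 size values behind this CVE before the archive reaches the tarfile module. It is a pre-check for untrusted uploads while the interpreter is still unpatched, not a substitute for the upgrade; the header layout follows the POSIX ustar / GNU tar format, and the sample archives are constructed inline.

```python
# Added example (not CPython's code, not from the page): a bounded header walk
# that rejects negative base-256 size fields before tarfile parses the archive.
# Header offsets follow the POSIX ustar / GNU tar layout.
import io
import tarfile

BLOCK = 512
# Typeflags for which tarfile does not skip a data section after the header.
NO_DATA_TYPES = b"123456"  # hard link, symlink, char, block, dir, fifo


def decode_size(field):
    """Decode the 12-byte size field: octal ASCII normally, GNU base-256 when
    the first byte has its high bit set (0x80 positive, 0xFF negative)."""
    if field[0] == 0xFF:
        raise ValueError("negative base-256 size")
    if field[0] == 0x80:
        return int.from_bytes(field[1:], "big")
    text = field.split(b"\0", 1)[0].strip()
    return int(text, 8) if text else 0  # int() raises ValueError on garbage


def check_tar(data, max_members=10_000):
    """Return (ok, reason) without extracting anything. Every iteration moves
    the offset forward by at least one block, so the walk always terminates."""
    zero_block = bytes(BLOCK)
    offset, members = 0, 0
    while offset + BLOCK <= len(data):
        header = data[offset:offset + BLOCK]
        if header == zero_block:  # end-of-archive marker
            return True, f"ok: {members} members"
        try:
            size = decode_size(header[124:136])
        except ValueError as exc:
            return False, f"header at {offset}: {exc}"
        has_data = header[156:157] not in NO_DATA_TYPES
        data_blocks = (size + BLOCK - 1) // BLOCK if has_data else 0
        nxt = offset + BLOCK + data_blocks * BLOCK
        if nxt > len(data):
            return False, f"header at {offset}: size {size} runs past end of archive"
        members += 1
        if members > max_members:
            return False, f"more than {max_members} members"
        offset = nxt
    return True, f"ok (no end-of-archive marker): {members} members"


def fix_checksum(header):
    """Recompute the ustar checksum: sum of the header bytes with the checksum
    field itself counted as eight spaces, stored as 6 octal digits, NUL, space."""
    h = bytearray(header)
    h[148:156] = b" " * 8
    h[148:156] = b"%06o\0 " % sum(h)
    return bytes(h)


def sample_archive():
    """Constructed benign archive: two regular files and a directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.USTAR_FORMAT) as tf:
        for name, content in (("a.txt", b"hello\n"), ("d/b.txt", b"x" * 1000)):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
        d = tarfile.TarInfo("d")
        d.type = tarfile.DIRTYPE
        tf.addfile(d)
    return buf.getvalue()


def poison_first_size(data):
    """Constructed malicious variant: the first member's size rewritten as a
    negative base-256 value with a valid checksum. Do not hand this to an
    unpatched tarfile; it is the input class that triggers the infinite loop."""
    header = bytearray(data[:BLOCK])
    header[124:136] = b"\xff" * 12
    return fix_checksum(header) + data[BLOCK:]


if __name__ == "__main__":
    print(check_tar(sample_archive()))
    print(check_tar(poison_first_size(sample_archive())))
```

Only an archive that passes check_tar should be opened with tarfile, and even then extraction belongs behind the usual member-name and path-traversal checks; this walk deliberately reads nothing but header fields.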
2162989 : BIG-IQ CM is unable to request full cert bundle from Venafi
Component: REST Framework and TMOS Platform
Symptoms:
Currently, when BIG-IQ sends the certificate retrieval request to Venafi, it does not send 'includeChain=true'. As a result, BIG-IQ does not receive the full certificate chain (leaf, intermediate, root); it receives only the leaf certificate, and only the leaf certificate is imported into BIG-IQ.
Conditions:
This occurs when BIG-IQ creates the Venafi-signed certificate and retrieves the certificate from Venafi.
Impact:
BIG-IQ holds only the leaf certificate instead of the full bundle (leaf, intermediate, root), and that leaf-only certificate is deployed to BIG-IP SSL profiles. Without the complete chain, the SSL handshake fails.
Fix:
Now BIG-IQ is able to retrieve the full bundle(leaf, intermediate, root) from Venafi and is able to deploy on BIG-IP.
2149233-6 : TMM crashes when using SSL
Links to More Info: K000158082, BT2149233
Component: REST Framework and TMOS Platform
Symptoms:
Under certain SSL conditions, TMM crashes.
Conditions:
When SSL is configured.
Impact:
Traffic is disrupted.
Fix:
TMM no longer crashes under these conditions.
2141245-4 : Undisclosed traffic to TMM can lead to resource exhaustion
Component: REST Framework and TMOS Platform
Symptoms:
Certain traffic sent to TMM is leading to resource exhaustion.
Conditions:
Undisclosed conditions
Impact:
TMM Resource exhaustion
Fix:
DNS LDNS API correction.
2140909 : BIG-IQ: Enable F5 Trusted CA store to avoid CA pinning
Links to More Info: BT2140909
Component: REST Framework and TMOS Platform
Symptoms:
F5 products can only connect successfully to web services that present Entrust SSL certificates, and Entrust has ceased CA operations.
Conditions:
The file /config/ssl/ssl.crt/f5-ca-bundle.crt contains only a single Entrust Root CA certificate.
Impact:
F5 devices are not able to download the blended CA bundle.
Workaround:
Manually upgrade f5-ca-bundle.crt, follow this KB article for detailed steps https://my.f5.com/manage/s/article/K000157916
Fix:
Updated the f5-ca-bundle.crt in BIG-IQ v8.4.1
Fixed Versions:
8.3.0
2140641-6 : CVE-2025-40778: Bind Vulnerability
Links to More Info: K000157334
2140621-5 : CVE-2025-8677: Resource exhaustion via malformed DNSKEY handling
Links to More Info: K000157317, BT2140621
2139221 : Incorrect link reference to the internal F5 licensing service when activating BIG-IQ license
Links to More Info: BT2139221
Component: BIG-IQ Device Management
Symptoms:
When attempting to activate a BIG-IQ license, the system provides a link to the internal F5 licensing service, which is not externally accessible. This prevents users from completing the license activation process using the provided link.
Conditions:
BIG-IQ is unlicensed.
Attempting to activate a license.
The licensing workflow references the internal F5 licensing service.
Impact:
Users are unable to complete license activation through the web UI because of the inaccessible internal licensing service link.
Workaround:
When activating a BIG-IQ license and encountering an incorrect link to the internal F5 licensing service, users can bypass the issue by manually entering or editing the Registration Key (RBK) or Base Registration Key (BRK) in the license activation workflow.
Fix:
The license activation workflow now references the correct licensing service, enabling users to complete license activation as expected.
Fixed Versions:
8.4.2
2137581-9 : TMM core may occur under certain conditions
Links to More Info: K000158978, BT2137581
2131233-3 : ADM not functioning properly
Links to More Info: K000158979, BT2131233
2130601-5 : TMUI Request Processing Improvement
Links to More Info: K000156761, BT2130601
2113093-2 : CVE-2021-3393: Partition constraint violation errors leak values of denied columns
Links to More Info: K000149073
2078425-2 : BIG-IQ Request Handling Improvements
Links to More Info: K000158029
2053165-1 : CVE-2025-47268 iputils: Signed Integer Overflow in Timestamp Multiplication in iputils ping
Links to More Info: K000158112, BT2053165
2046917 : Non-essential services (hwpd, ipsd, updated) show as "normally up" on BIG-IQ
Links to More Info: BT2046917
Component: REST Framework and TMOS Platform
Symptoms:
On BIG-IQ systems, the services hwpd, ipsd, and updated appear as 'down, normally up' in the service status output, even though they are not necessary for BIG-IQ operation.
Conditions:
Running BIG-IQ (e.g., version 8.4.0).
Viewing service status via CLI (e.g., bigstart status | grep -i "ipsd\|updated\|hwpd").
The hwpd, ipsd, and updated services are not provisioned or utilized by BIG-IQ.
Impact:
This may cause confusion for administrators, as these services are reported as 'down, normally up,' suggesting a problem, even though they are not required for BIG-IQ and their status does not impact system operation.
Workaround:
NA
Fix:
The status output for hwpd, ipsd, and updated now displays 'Not provisioned' on BIG-IQ systems where these services are not needed.
Fixed Versions:
8.4.2
2014237-2 : CVE-2022-29154: rsync client path validation issue may allow overwrite of arbitrary files in target directory
Component: REST Framework and TMOS Platform
Symptoms:
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file).
Conditions:
NA
Impact:
Potential overwrite of arbitrary files within the rsync target directory tree, which may lead to further exploitation.
Workaround:
NA
Fix:
This issue is addressed by the rsync update/patch included with the associated TMOS fix (see internal BIG-IP bug 1937381 and patch attachment 253673).
2013225-2 : CVE-2021-34798: Apache HTTP Server NULL pointer dereference via malformed requests (availability/DoS)
Links to More Info: K72382141
1988937-2 : Inability to overwrite an existing cert bundle due to excessive calls to certificate-management
Component: BIG-IQ Local Traffic & Management
Symptoms:
Unable to Overwrite Certificate Bundle.
Conditions:
Importing a Certificate by "Overwriting Existing" option.
Impact:
Fails to update or overwrite the Certificate Bundle.
Workaround:
None.
Fix:
Certificate bundle is now overwritten as expected.
1983321-4 : CVE-2025-48976 apache-commons-fileupload: Apache Commons FileUpload DoS via part headers
Links to More Info: K000152614, BT1983321
1971593-6 : CVE-2023-2455 & CVE-2024-7348 PostgreSQL Vulnerabilities
Links to More Info: K000152931
1967025-5 : Improved Permission Handling in REST SNMP Endpoint and TMSH
Links to More Info: K000156581, BT1967025
1966849-7 : CVE-2023-5869 postgresql: Buffer overrun from integer overflow in array modification
Links to More Info: K000152931, BT1966849
1966841-7 : CVE-2023-39417 postgresql: extension script @substitutions@ within quoting allow SQL injection
Links to More Info: K000152931, BT1966841
1966793-8 : CVE-2023-2455 postgresql: row security policies disregard user ID changes after inlining.
Links to More Info: K000152931
1966785-7 : CVE-2023-2454 postgresql: schema_element defeats protective search_path changes
Links to More Info: K000152931, BT1966785
1928545 : Postgres CVE-2020-14349: An uncontrolled search path element vulnerability in logical replication.
Links to More Info: K000150943
1928541 : CVE-2019-10164 - PostgreSQL Stack-Based Buffer Overflow via Password Change
Links to More Info: K000150943
1925461-11 : CVE-2016-2053 Linux Kernel Vulnerability
Component: REST Framework and TMOS Platform
Symptoms:
The asn1_ber_decoder function in lib/asn1_decoder.c in the Linux kernel before 4.3 allows attackers to cause a denial of service (panic) via an ASN.1 BER file that lacks a public key, leading to mishandling by the public_key_verify_signature function in crypto/asymmetric_keys/public_key.c.
Conditions:
NA
Impact:
It can lead to a denial of service (kernel panic), compromising system availability.
Workaround:
NA
Fix:
DoS issue has been resolved.
1923997-9 : CVE-2023-1668-openvswitch: ip proto 0 triggers incorrect handling
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.
Conditions:
NA
Impact:
It can cause incorrect handling or misrouting of other IP packets, potentially leading to traffic disruption or denial of service.
Workaround:
NA
Fix:
The denial of service issue has been resolved in the package.
1923817-8 : CVE-2017-11499: Constant Hashtable Seeds vulnerability (NodeJS v6.9.1)
Component: REST Framework and TMOS Platform
Symptoms:
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 were susceptible to hash-flooding remote DoS attacks because the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default, which caused the initially randomized seed to be overwritten on startup.
Conditions:
NA
Impact:
It can cause high CPU usage and event loop blocking, leading to a remote denial of service.
Workaround:
NA
Fix:
Hash flooding remote DoS issue has been resolved in the package.
1923657-9 : CVE-2022-41858 kernel: null-ptr-deref vulnerabilities in sl_tx_timeout in drivers/net/slip
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in the Linux kernel. A NULL pointer dereference may occur while a slip driver is in progress to detach in sl_tx_timeout in drivers/net/slip/slip.c. This issue could allow an attacker to crash the system or leak internal kernel information.
Conditions:
A vulnerable Linux kernel where the SLIP network driver is enabled and a detach operation occurs during sl_tx_timeout().
Impact:
It can trigger a kernel crash (denial of service) and potentially leak kernel memory information.
Workaround:
Upgrade to a Linux kernel version that includes the SLIP driver fix or disable the SLIP driver if it is not required.
Fix:
The kernel patch for this issue has been applied.
Fixed Versions:
8.4.2
1921553-2 : Re-import LTM service with log filter fail with error "Failed copying from source to target: java.lang.RuntimeException: not authenticated"
Component: BIG-IQ Local Traffic & Management
Symptoms:
Re-import of the LTM service fails with the error shown in the title.
Conditions:
After modifying LTM object on BIG-IQ and then triggering a rediscover/re-import, rediscover will succeed but re-import will fail. When prompted with "Resolve Import Conflicts" pop-up window, selecting BIG-IP to replace changes on BIG-IQ, the re-import task will commence but eventually fail.
Impact:
Re-import fails with error.
Workaround:
None.
Fix:
Re-import is now working properly.
1921301 : PostgreSQL Memory Disclosure Vulnerabilities
Links to More Info: K000150746
1893369-10 : CVE-2021-33033 kernel: use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c
Component: REST Framework and TMOS Platform
Symptoms:
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
Conditions:
NA
Impact:
It can lead to a DoS or an arbitrary write on the system.
Workaround:
NA
Fix:
The DoS and arbitrary-write issue has been resolved in the kernel.
Fixed Versions:
8.4.2
1858553-2 : PostgreSQL vulnerability CVE-2021-32027
Links to More Info: K000151082
1814405-2 : CVE-2024-11187- Bind Vulnerability
Links to More Info: K000150814
1753617-8 : CVE-2023-24621 Untrusted Polymorphic Deserialization to Java Classes
Component: REST Framework and TMOS Platform
Symptoms:
It allows untrusted deserialisation to Java classes by default, where the data and class are controlled by the author of the YAML document being processed.
Conditions:
yamlbeans versions before 1.15 are vulnerable
Impact:
It can result in remote code execution (RCE) or denial of service.
Workaround:
N/A
Fix:
yamlbeans has been patched to address this vulnerability.
1692917-4 : CVE-2024-6232 CPython Tarfile vulnerability
Links to More Info: K000148252, BT1692917
1678793-8 : CVE-2019-14863 angular: Cross-site Scripting (XSS) due to no proper sanitization of xlink:href attributes
Links to More Info: K000141459, BT1678793
1678777-9 : CVE-2022-25869 angular.js : insecure page caching in the browser, which allows interpolation of <textarea> elements.
Links to More Info: K000141459, BT1678777
1678769-8 : CVE-2023-26116 angularjs: Regular Expression Denial of Service via angular.copy()
Links to More Info: K000141463, BT1678769
1673161-5 : CVE-2023-45853 zlib: integer overflow and resultant heap-based buffer overflow in zipOpenNewFileInZip4_6
Links to More Info: K000149884, BT1673161
1623197-4 : CVE-2024-37891 urllib3: proxy-authorization request header is not stripped during cross-origin redirects
Links to More Info: K000140711, BT1623197
1620285 : CVE-2024-38477 Apache HTTPD vulnerability
Links to More Info: K000140784
1589661-4 : CVE-2019-3860 libssh2: Out-of-bounds reads with specially crafted SFTP packets
Links to More Info: K000149288, BT1589661
1589645-4 : CVE-2019-3859 libssh2: Unchecked use of _libssh2_packet_require and _libssh2_packet_requirev resulting in out-of-bounds read
Links to More Info: K000149288, BT1589645
1589489-1 : libssh Vulnerability CVE-2019-3858
Links to More Info: K000148713
1586537-8 : CVE-2024-0985 postgresql: non-owner 'REFRESH MATERIALIZED VIEW CONCURRENTLY' executes arbitrary SQL
Links to More Info: K000140188, BT1586537
1566997-1 : CVE-2016-10349 libarchive: Heap-based buffer over-read in the archive_le32dec function
Links to More Info: K000148259, BT1566997
1566533-6 : CVE-2017-18342 PyYAML: yaml.load() API could execute arbitrary code
Links to More Info: K000139901, BT1566533
1561689-1 : CVE-2016-10350 libarchive: Heap-based buffer over-read in the archive_read_format_cab_read_header function
Links to More Info: K000148259, BT1561689
1517561-4 : CVE-2023-28484 libxml2: NULL dereference in xmlSchemaFixupComplexType
Links to More Info: K000139641, BT1517561
1474757-4 : CVE-2023-51385 openssh: potential command injection via shell metacharacters
Links to More Info: K000138827, BT1474757
1470177-5 : CVE-2023-46218 curl: information disclosure by exploiting a mixed case flaw
Links to More Info: K000138650, BT1470177
1450181-2 : Improved Permission Handling in REST SNMP Endpoint and TMSH
Links to More Info: K000156581, BT1450181
1429861-10 : CVE-2019-5737: HTTP or HTTPS Denial of Service in keep-alive mode (NodeJS v6)
Component: REST Framework and TMOS Platform
Symptoms:
It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient. It is possible to bypass the server's headersTimeout by sending two specially crafted HTTP requests in the same connection. An attacker could use this flaw to bypass Slowloris protection, resulting in a denial of service.
Conditions:
The server runs a vulnerable Node.js HTTP implementation and accepts persistent connections where an attacker can send two specially crafted HTTP requests on the same connection to bypass headersTimeout.
Impact:
An attacker can bypass Slowloris protections and cause a denial of service by exhausting server connections.
Workaround:
Upgrade to a Node.js version that includes the corrected Slowloris fix and enforce strict request timeouts and connection limits.
Fix:
Upgrade to a Node.js version with the updated Slowloris fix and enforce strict request timeout and connection limits.
Fixed Versions:
8.4.2
1407837-1 : libssh2 vulnerability CVE-2020-22218
Links to More Info: K000138219, BT1407837
1393733-6 : CVE-2022-43750 kernel: memory corruption in usbmon driver
Links to More Info: K000139700, BT1393733
1366025-15 : A particular HTTP/2 sequence may cause high CPU utilization.
Links to More Info: K000137106, BT1366025
1330801-7 : NodeJS Vulnerability CVE-2018-12123, CVE-2018-12121, CVE-2018-12122
Links to More Info: K000137090, BT1330801
1330721-7 : Node.js vulnerabilities CVE-2018-7167, CVE-2018-12115, and CVE-2018-12116
Links to More Info: K000137093, BT1330721
1327169-6 : CVE-2023-24329 python: urllib.parse url blocklisting bypass
Links to More Info: K000135921, BT1327169
1324085-11 : Multiple OpenSSL Vulnerabilities
Links to More Info: K000137969, BT1324085
1304081-1 : CVE-2023-2650 openssl: Possible DoS translating ASN.1 object identifiers
Links to More Info: K000135178, BT1304081
1271341-8 : Unable to use DTLS without TMM crashing
Links to More Info: K000160901, BT1271341
1270257-7 : CVE-2023-0662 php: DoS vulnerability when parsing multipart request body
Links to More Info: K000133753, BT1270257
1266853-11 : CVE-2023-24998 Apache Commons FileUpload: FileUpload DoS with excessive parts
Links to More Info: K000133052, BT1266853
1173825-5 : Improper sanitisation in Qkview data
Links to More Info: K000157895, BT1173825
1167897-10 : [CVE-2022-40674] - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c
1144421-1 : CVE-2019-14866 cpio: improper input validation when writing tar header fields leads to unexpected tar generation
Component: REST Framework and TMOS Platform
Symptoms:
cpio does not properly validate the values written in the header of a TAR file through the to_oct() function. When creating a TAR file from a list of files and one of those is another TAR file with a big size, cpio will generate the resulting file with the content extracted from the input one. This leads to unexpected results as the newly generated TAR file could have files with permissions the owner of the input TAR file did not have or in paths he did not have access to.
Conditions:
Occurs when creating tar archives with unvalidated or specially crafted input filenames.
Impact:
This vulnerability may generate malformed tar files, leading to interoperability issues or unexpected behavior in downstream tools.
Workaround:
NA
Fix:
Patched cpio to fix the vulnerability.
1099369-6 : CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs.
1099365-6 : CVE-2018-25032 [NodeJS]zlib: A flaw found in zlib, when compressing (not decompressing!) certain inputs.
Links to More Info: K21548854
1093933-6 : CVE-2020-7774 nodejs-y18n prototype pollution vulnerability
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in nodejs-y18n. There is a prototype pollution vulnerability in y18n's locale functionality. If an attacker is able to provide untrusted input via locale, they may be able to cause denial of service or in rare circumstances, impact to data integrity or confidentiality.
Conditions:
N/A
Impact:
Denial of service or in rare circumstances, impact to data integrity or confidentiality
Workaround:
N/A
Fix:
The library has been patched to address the vulnerability.
1089233-6 : CVE-2022-0492 Linux kernel vulnerability
Links to More Info: K54724312
1088445-10 : CVE-2022-22720 httpd: HTTP request smuggling vulnerability when it fails to discard the request body
1069949-5 : CVE-2018-1000007 curl: HTTP authentication leak in redirects
Component: REST Framework and TMOS Platform
Symptoms:
libcurl might accidentally leak authentication data to third parties.
When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value.
Sending the same set of headers to subsequent hosts is, in particular, a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy-sensitive information or data that could allow others to impersonate the libcurl-using client's request.
Conditions:
NA
Impact:
Sensitive information could be disclosed to an unauthorised user
Workaround:
NA
Fix:
Patched curl to fix the vulnerability.
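The redirect behaviour described above can be checked without a network. The added example below (not code from the page or from curl) models a client that follows 30x responses from a constructed response table and shows which hosts end up receiving the caller's Authorization header, once with the original forward-everything behaviour and once with credential-bearing headers dropped whenever the resolved Location points at a different origin. Host names, URLs and the token value are constructed sample data.

```python
from urllib.parse import urljoin, urlsplit

# Credential-bearing headers that must not follow a redirect to another origin.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie"}
DEFAULT_PORTS = {"http": 80, "https": 443}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def origin(url: str):
    """(scheme, host, port) with the default port filled in, so that
    https://a.example and https://a.example:443 compare equal."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme)


def headers_for_redirect(current_url: str, location: str, headers: dict):
    """Resolve the Location value (it may be relative) and return
    (target_url, headers_to_send). Sensitive headers are dropped when the
    target is a different origin than the URL that issued the redirect."""
    target = urljoin(current_url, location)
    if origin(target) == origin(current_url):
        return target, dict(headers)
    return target, {k: v for k, v in headers.items() if k.lower() not in SENSITIVE_HEADERS}


def walk_redirect_chain(start_url, headers, responses, strip_cross_origin=True, max_hops=10):
    """Follow 30x responses from a constructed table instead of the network.

    Returns [(url, headers_sent)] for every hop. strip_cross_origin=False
    reproduces the forward-everything behaviour the entry above describes.
    """
    sent, url, hdrs = [], start_url, dict(headers)
    for _ in range(max_hops):
        sent.append((url, dict(hdrs)))
        status, location = responses.get(url, (200, None))
        if status not in REDIRECT_STATUSES or location is None:
            break
        target, kept = headers_for_redirect(url, location, hdrs)
        url, hdrs = target, (kept if strip_cross_origin else hdrs)
    return sent


# Constructed sample: a same-host relative redirect, then a hop to another host.
RESPONSES = {
    "https://api.example.test/login": (302, "/v2/login"),
    "https://api.example.test/v2/login": (307, "https://cdn.example.test/login"),
}
REQUEST_HEADERS = {"Authorization": "Bearer constructed-sample-token",
                   "Accept": "application/json"}


def hosts_that_saw_authorization(strip_cross_origin=True):
    """Sorted host names that received the Authorization header."""
    hops = walk_redirect_chain("https://api.example.test/login", REQUEST_HEADERS,
                               RESPONSES, strip_cross_origin)
    return sorted({urlsplit(u).hostname for u, h in hops if "Authorization" in h})


if __name__ == "__main__":
    print("forward everything:", hosts_that_saw_authorization(strip_cross_origin=False))
    print("strip on cross-origin:", hosts_that_saw_authorization(strip_cross_origin=True))
```

The same-origin comparison includes scheme and port, not just the host name, so a redirect from https to http on the same host is also treated as a different origin; non-sensitive headers such as Accept continue to be sent on every hop.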
1061969-24 : Postgresql package upgrade to 15.0 version
Links to More Info: K000149329, BT1061969
1061485-7 : CVE-2019-19527: Linux kernel vulnerability
Component: REST Framework and TMOS Platform
Symptoms:
A vulnerability was found in hiddev_open in drivers/hid/usbhid/hiddev.c in the USB Human Interface Device class subsystem, where an existing device must be validated prior to its access. The device should also ensure the hiddev_list cleanup occurs at failure, as this may lead to a use-after-free problem, or possibly escalate privileges to an unauthorized user.
Conditions:
NA
Impact:
Unauthorised access to the BIG-IP device
Workaround:
NA
Fix:
Patched kernel to fix the vulnerability.
1059229-1 : CVE-2019-16994 kernel: Memory leak in sit_init_net() in net/ipv6/sit.c
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in the way the sit_init_net function in the Linux kernel handled resource cleanup on errors. This flaw allows an attacker to use the error conditions to crash the system.
Conditions:
Linux kernel versions before 5.0
Impact:
It can result in DoS.
Workaround:
N/A
Fix:
The kernel has been patched to address this vulnerability.
1058701 : CVE-2021-25219 : BIND exploitation of broken authoritative servers
Links to More Info: K77326807
1058197-7 : CVE-2019-14973: LibTIFF Vulnerability
Links to More Info: K000157984, BT1058197
1057141-1 : CVE-2018-14647 python: Missing salt initialization in _elementtree.c module
Links to More Info: K000151007, BT1057141
1052477-8 : CVE-2020-10751 kernel: SELinux netlink permission check bypass
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in the Linux kernel SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing.
Conditions:
NA
Impact:
A local attacker could bypass SELinux restrictions, potentially leading to unauthorized access, privilege escalation, or, in some scenarios, a system crash (denial of service).
Workaround:
NA
Fix:
Applied patch to fix the CVE
Fixed Versions:
8.4.2
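The flaw described above is a validation-scope error: a netlink skb may carry several messages back to back, and checking only the first one lets the rest through under its verdict. The following added example (not code from the page or from the kernel) parses a constructed netlink buffer message by message, the way NLMSG_OK/NLMSG_NEXT walk it, and contrasts a first-message-only policy with one that validates every message. The READ_ONLY set is a constructed stand-in for a permission mapping; the rtnetlink type numbers are the real ones, the payloads are arbitrary sample bytes.

```python
import struct

NLMSG_HDR = struct.Struct("=IHHII")   # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
NLMSG_HDRLEN = NLMSG_HDR.size          # 16 bytes
RTM_NEWLINK, RTM_GETLINK, RTM_SETLINK = 16, 18, 19   # rtnetlink message types


def nlmsg_align(n: int) -> int:
    """Netlink messages are padded to a 4-byte boundary."""
    return (n + 3) & ~3


def build_nlmsg(msg_type: int, payload: bytes = b"", seq: int = 0, pid: int = 0,
                flags: int = 0) -> bytes:
    """Serialise one netlink message: header, payload, alignment padding."""
    length = NLMSG_HDRLEN + len(payload)
    header = NLMSG_HDR.pack(length, msg_type, flags, seq, pid)
    return header + payload + b"\0" * (nlmsg_align(length) - length)


def iter_nlmsgs(skb: bytes):
    """Yield (type, payload) for every message in the buffer."""
    off = 0
    while off + NLMSG_HDRLEN <= len(skb):
        length, mtype, _flags, _seq, _pid = NLMSG_HDR.unpack_from(skb, off)
        if length < NLMSG_HDRLEN or off + length > len(skb):
            raise ValueError(f"malformed netlink message at offset {off}")
        yield mtype, skb[off + NLMSG_HDRLEN: off + length]
        off += nlmsg_align(length)


def check_first_only(skb: bytes, allowed: set) -> bool:
    """Flawed policy: the verdict for the first message covers the whole skb."""
    first = next(iter_nlmsgs(skb), None)
    return first is not None and first[0] in allowed


def check_every_message(skb: bytes, allowed: set) -> bool:
    """Correct policy: the skb passes only if every message is permitted."""
    types = [t for t, _ in iter_nlmsgs(skb)]
    return bool(types) and all(t in allowed for t in types)


# Constructed stand-in for a permission mapping that allows read requests only.
READ_ONLY = {RTM_GETLINK}

# Constructed skb: a permitted GETLINK followed by a SETLINK that is not
# permitted; the 6-byte payloads exercise the alignment padding.
SAMPLE_SKB = build_nlmsg(RTM_GETLINK, b"ifinfo", seq=1) + build_nlmsg(RTM_SETLINK, b"ifinfo", seq=2)


if __name__ == "__main__":
    print("types in skb:", [t for t, _ in iter_nlmsgs(SAMPLE_SKB)])
    print("first-only verdict:", check_first_only(SAMPLE_SKB, READ_ONLY))
    print("per-message verdict:", check_every_message(SAMPLE_SKB, READ_ONLY))
```

The parser also rejects a message whose declared length runs past the buffer, which is the other check a per-message walk has to make before trusting any header it reads.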
1052437-1 : CVE-2019-19532 kernel: malicious USB devices can lead to multiple out-of-bounds write
Component: REST Framework and TMOS Platform
Symptoms:
In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.
Conditions:
NA
Impact:
A malicious USB device can trigger out-of-bounds writes in the affected HID drivers, corrupting kernel memory.
Workaround:
NA
Fix:
Patched kernel to fix this vulnerability
1052433-1 : CVE-2019-19530: use-after-free caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver
Component: REST Framework and TMOS Platform
Symptoms:
A use-after-free flaw was found in the acm_probe USB subsystem in the Linux kernel. A race condition occurs when a destroy() procedure is initiated, allowing the refcount to decrement on the interface so early that it is never undercounted. A malicious USB device is required for exploitation. System availability is the largest threat from the vulnerability; however, data integrity and confidentiality are also threatened.
Conditions:
NA
Impact:
A malicious USB device is required for exploitation. System availability is the largest threat from the vulnerability, however, data integrity and confidentiality are also threatened.
Workaround:
NA
Fix:
Patched kernel to fix this vulnerability
1052333-12 : CVE-2018-16885: Linux kernel vulnerability
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in the Linux kernel that allows the userspace to call memcpy_fromiovecend() and similar functions with a zero offset and buffer length. This can cause a read beyond the buffer boundaries flaw and, in certain cases, cause a memory access fault and a system halt by accessing an invalid memory address.
Conditions:
NA
Impact:
This can cause a read beyond the buffer boundaries and, in certain cases, a memory access fault and a system halt.
Workaround:
NA
Fix:
Patched kernel to fix the vulnerability.
1052253-12 : CVE-2018-13095 kernel: NULL pointer dereference in fs/xfs/libxfs/xfs_inode_buf.c
Component: REST Framework and TMOS Platform
Symptoms:
An issue was discovered in fs/xfs/libxfs/xfs_inode_buf.c in the Linux kernel through 4.17.3. A denial of service (memory corruption and BUG) can occur for a corrupted xfs image upon encountering an inode that is in extent format, but has more extents than fit in the inode fork.
Conditions:
Linux kernel versions up to and including 4.17.3 are vulnerable to this CVE.
Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).
Workaround:
NA
Fix:
Patched kernel to fix the vulnerability.
1052249-11 : CVE-2018-13094 kernel: NULL pointer dereference in xfs_da_shrink_inode function
Component: REST Framework and TMOS Platform
Symptoms:
An issue was discovered in the XFS filesystem in fs/xfs/libxfs/xfs_attr_leaf.c in the Linux kernel. A NULL pointer dereference may occur for a corrupted xfs image after xfs_da_shrink_inode() is called with a NULL bp. This can lead to a system crash and a denial of service.
Conditions:
NA
Impact:
Exploitation of the vulnerability could cause the system to become unavailable (DoS).
Workaround:
Limit physical or local access to the system
Fix:
Patched kernel to fix the vulnerability.
1052245-6 : CVE-2018-13093 kernel: NULL pointer dereference in lookup_slow function
Component: REST Framework and TMOS Platform
Symptoms:
An issue was discovered in the XFS filesystem in fs/xfs/xfs_icache.c in the Linux kernel. There is a NULL pointer dereference leading to a system panic in lookup_slow() on a NULL inode->i_ops pointer when doing path walks on a corrupted xfs image. This occurs because of a lack of proper validation that cached inodes are free during an allocation.
Conditions:
Linux kernel versions before 4.17.3 are vulnerable
Impact:
It can result in DoS.
Workaround:
N/A
Fix:
The kernel has been patched to address this vulnerability.
1052217-11 : CVE-2018-19985 kernel: oob memory read in hso_probe in drivers/net/usb/hso.c
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in the Linux kernel in the function hso_probe(), which reads the if_num value from the USB device (as a u8) and uses it without a length check to index an array, resulting in an OOB memory read in hso_probe() or hso_get_config_data(). An attacker with a forged USB device and physical access to the system (needed to connect such a device) can cause a system crash and a denial of service.
Conditions:
NA
Impact:
The primary impact of this vulnerability is a denial-of-service (DoS) due to the kernel crash
Workaround:
NA
Fix:
Patched kernel to fix the vulnerability.
1051869-6 : CVE-2018-20169: Linux kernel vulnerability
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was discovered in the Linux kernel's USB subsystem in the __usb_get_extra_descriptor() function in drivers/usb/core/usb.c, which mishandles a size check during the reading of extra descriptor data. By using a specially crafted USB device which sends a forged extra descriptor, an unprivileged user with physical access to the system can potentially cause a privilege escalation or trigger a system crash or lock-up, and thus cause a denial of service (DoS).
Conditions:
NA
Impact:
Unauthorized access to sensitive information, Unauthorized modification or corruption of data
Workaround:
Limit access to the affected systems to trusted networks or users.
Fix:
Patched kernel to fix the vulnerability.
1051769-5 : CVE-2019-10140 kernel: overlayfs: NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c
Component: REST Framework and TMOS Platform
Symptoms:
An attacker with local access can create a denial of service situation via a NULL pointer dereference in ovl_posix_acl_create function in fs/overlayfs/dir.c. This can allow attackers with the ability to create directories on overlayfs to crash the kernel creating a denial of service (DOS).
Conditions:
Linux kernel versions before 3.10 are vulnerable
Impact:
It can result in DoS.
Workaround:
N/A
Fix:
The kernel has been patched to address this vulnerability.
1051697-8 : CVE-2019-11833 kernel: fs/ext4/extents.c leads to information disclosure
Component: REST Framework and TMOS Platform
Symptoms:
A flaw was found in the Linux kernel's implementation of ext4 extent management, which did not correctly initialize memory regions in the extent tree block. This may allow a local user to obtain sensitive information by reading empty/uninitialized data from the filesystem.
Conditions:
Linux kernel versions before 5.1.2 are vulnerable
Impact:
It can result in information disclosure
Workaround:
N/A
Fix:
The kernel has been patched to address this vulnerability.
1038149 : WS-2019-0063
Component: BIG-IQ System User Interface
Symptoms:
js-yaml versions prior to 3.13.1 are vulnerable to code injection. The load() function may execute arbitrary code injected through a malicious YAML file.
Conditions:
This issue is only exploitable if the product uses js-yaml < 3.13.1 and parses attacker-controlled YAML using the load() API. If YAML is not coming from an untrusted external source (or if safeLoad() is used), then there is no practical exploit path.
Impact:
If an application uses js-yaml < 3.13.1 and parses attacker-controlled input with the unsafe load() API, an attacker can achieve arbitrary code execution in the process—leading to data theft, service disruption, privilege escalation or lateral movement.
Workaround:
Upgrade js-yaml to version 3.13.1 or later
Fix:
Upgrade js-yaml to version 3.13.1 or later
Fixed Versions:
8.3.0
Known Issues in BIG-IQ CM v8.4.x
BIG-IQ Local Traffic & Management Issues
| ID Number | Severity | Links to More Info | Description |
| 2292005-1 | 3-Major | | Self-Signed Certificates Generated for Venafi Requests by Limited Users in BIG-IQ 8.4.0 |
| 1935917-1 | 3-Major | BT1935917 | Non-admin users with custom permissions are unable to view certificates and keys from web UI or through iControl REST API |
| 1576437-1 | 3-Major | BT1576437 | When generating a CSR with a custom partition, the Venafi certificate is stored in the wrong partition with 'Base64' format. |
REST Framework and TMOS Platform Issues
| ID Number | Severity | Links to More Info | Description |
| 1696741-1 | 3-Major | BT1696741 | Error: ha-quorum: Username and/or password is incorrect |
BIG-IQ Web Application Security (ASM) Issues
| ID Number | Severity | Links to More Info | Description |
| 1316593-2 | 3-Major | BT1316593 | An error occurs when importing an ASM Policy containing the same URLs but with different HTTP request methods |
BIG-IQ Application Management Issues
| ID Number | Severity | Links to More Info | Description |
| 2292537-1 | 3-Major | BT2292537 | AS3 Templates Fail to Render in BIG-IQ Applications GUI After Upgrade Due to "iRule"/"IRule" Key Change |
| 2162173-1 | 3-Major | | Pool Class Displays Incorrect Values for Monitors Parameter |
| 2162169-1 | 3-Major | | Pool Class Displays Incorrect Values for Server Addresses Parameter |
| 2162157-1 | 3-Major | | Unable to set virtual server IP address when using an AS3 application template on the webUI |
| 2162077-1 | 3-Major | | Service_TCP Class Fails to Accept Integer Value for virtualPort Parameter |
| 2144153-1 | 3-Major | | The script parameter is shown for all monitor types instead of external monitor |
| 2122841-1 | 3-Major | | While creating Application Services, having a Monitor Type that is editable does not work |
| 2122837-1 | 3-Major | | Big-IQ: AS3 Templates All Monitor_ classes fail |
| 2107121-1 | 3-Major | | The environment variables are not displayed as key-value pairs for the external monitor type |
| 2163505-1 | 4-Minor | | AS3 Templates Display Unexpected Parameter Ordering in Classes |
Known Issue details for BIG-IQ CM v8.4.x
2292537-1 : AS3 Templates Fail to Render in BIG-IQ Applications GUI After Upgrade Due to "iRule"/"IRule" Key Change
Links to More Info: BT2292537
Component: BIG-IQ Application Management
Symptoms:
After upgrading BIG-IQ from 8.3.0 to 8.4.0 or 8.4.1, existing AS3 templates display only the "Tenant" field in the Applications GUI. Other parameters (such as Pool, Profile, Service, etc.) are missing and cannot be viewed or edited.
Conditions:
-- BIG-IQ upgraded to version 8.4.0 or 8.4.1
-- Existing AS3 templates created with previous versions
-- The template includes an iRule class, where the definition key was "iRule" in the older schema and is now "IRule" in the latest ADC schema
-- Accessing the template via the BIG-IQ Applications GUI
Impact:
Users cannot fully render or edit existing AS3 templates in the Applications GUI, impacting application management and deployment.
Workaround:
None
2292005-1 : Self-Signed Certificates Generated for Venafi Requests by Limited Users in BIG-IQ 8.4.0
Component: BIG-IQ Local Traffic & Management
Symptoms:
When a limited-privilege user requests a certificate through the Venafi integration, BIG-IQ returns a self-signed certificate with a one-year expiration instead of a certificate signed by the internal CA that has a two-year expiration. This issue does not occur for admin users.
Conditions:
-- User is a limited-privilege (non-admin) account
-- Requesting a certificate via Venafi integration in BIG-IQ 8.4.0
Impact:
Non-admin users cannot acquire valid Venafi-signed certificates or import PKCS-12 certificates, hindering effective certificate management and automation.
Workaround:
None
2163505-1 : AS3 Templates Display Unexpected Parameter Ordering in Classes
Component: BIG-IQ Application Management
Symptoms:
The parameters are not displayed in alphabetical order for all classes
Conditions:
Modifying classes for an AS3 template
Impact:
The parameters on the page are disordered, requiring a search for each respective parameter
Workaround:
None
2162173-1 : Pool Class Displays Incorrect Values for Monitors Parameter
Component: BIG-IQ Application Management
Symptoms:
The Monitors parameter in the Pool class is displayed with Advanced Schema options through the use of bigip parameters.
Conditions:
While creating a Pool class in the AS3 template
Impact:
The Monitors parameter does not support selecting with HTTP, HTTP2 monitors, etc
Workaround:
None
2162169-1 : Pool Class Displays Incorrect Values for Server Addresses Parameter
Component: BIG-IQ Application Management
Symptoms:
The Server Addresses parameter in the Pool class is displayed with Advanced Schema options through the use of bigip parameters
Conditions:
While creating a Pool class in the AS3 template
Impact:
The Server Addresses parameter does not support adding IP addresses
Workaround:
None
2162157-1 : Unable to set virtual server IP address when using an AS3 application template on the webUI
Component: BIG-IQ Application Management
Symptoms:
Only advanced schema inputs are shown for virtual address.
Conditions:
BIG-IQ v8.4.0 using AS3 application template.
Impact:
Unable to set a new IP address for virtual servers, when trying to deploy an application using BIG-IQ AS3 application templates.
Workaround:
- An EHF is available containing the fix for this issue.
- AS3 on BIG-IQ may also be downgraded to versions pre-v3.54.0 (e.g. v3.41.0).
2162077-1 : Service_TCP Class Fails to Accept Integer Value for virtualPort Parameter
Component: BIG-IQ Application Management
Symptoms:
The virtualPort parameter supports advanced schema options for both use and bigip parameters
Conditions:
While creating the Service_TCP class in the AS3 template
Impact:
The virtualPort parameter does not offer integer value support.
Workaround:
None
2144153-1 : The script parameter is shown for all monitor types instead of external monitor
Component: BIG-IQ Application Management
Symptoms:
The script parameter is displayed for all monitor types by default, even though it is intended to be displayed only for the External Monitor type.
Conditions:
Adding a Monitor Class of any monitor type.
Impact:
Displays the script parameter for unsupported monitor types.
Workaround:
None.
2122841-1 : While creating Application Services, having a Monitor Type that is editable does not work
Component: BIG-IQ Application Management
Symptoms:
When the Monitor Type is marked as editable in an Application Template, changing the Monitor Type during Application Service creation does not show the respective Monitor Type definitions.
Conditions:
Monitor Type set as editable in the template and creating an Application Service using the published template.
Impact:
Monitor Type that is editable does not work during creation of application services.
Workaround:
None.
2122837-1 : Big-IQ: AS3 Templates All Monitor_ classes fail
Component: BIG-IQ Application Management
Symptoms:
Monitor_ Classes are visible in the webUI, which are definitions of Monitor Class based on monitorType.
Conditions:
Modifying Classes for an AS3 template.
Impact:
Add/Remove Classes dropdown displays "Monitor_" Classes along with the Monitor Class.
Workaround:
None.
2107121-1 : The environment variables are not displayed as key-value pairs for the external monitor type
Component: BIG-IQ Application Management
Symptoms:
When using the external monitor type, environment variables are not displayed as key-value pairs. Instead, they are shown in a single text field where values must be entered as a string.
Conditions:
Using the external monitor type in the application template and editing environment variables in the template containing Monitor class.
Impact:
Environment variables cannot be edited in the standard key-value pair format for external monitors.
Workaround:
None.
1935917-1 : Non-admin users with custom permissions are unable to view certificates and keys from web UI or through iControl REST API
Links to More Info: BT1935917
Component: BIG-IQ Local Traffic & Management
Symptoms:
- Certs and keys were previously visible for the affected user on a version pre-v8.4.0.
- Non-admin users with correct permissions are unable to view the list of certs and keys from the UI or through iControl REST API.
- Executing the following command for the affected user (e.g. 'f5testuser') returns an empty set:
curl -su 'f5testuser' http://localhost:8100/mgmt/cm/adc-core/working-config/sys/file/ssl-cert | jq .
Enter host password for user 'f5testuser':
{
"items": [],
"generation": 2,
"lastUpdateMicros": 1755557580126930,
"kind": "cm:adc-core:working-config:sys:file:ssl-cert:adcsslcertcollectionstate",
"selfLink": "https://localhost/mgmt/cm/adc-core/working-config/sys/file/ssl-cert"
}
Conditions:
- BIG-IQ running on v8.4.0
Impact:
Non-admin users with custom permissions are unable to manage certificates/keys through the UI or through iControl REST API.
Workaround:
There is no workaround. Install an EHF containing the fix for ID1935917 on v8.4.0 to address this issue.
1696741-1 : Error: ha-quorum: Username and/or password is incorrect
Links to More Info: BT1696741
Component: REST Framework and TMOS Platform
Symptoms:
Setting up automatic HA failover returns an error similar to the following:
An error occurred while adding the BIG-IQ: Error: ha-secondary: Username and/or password is incorrect Error: ha-quorum: Username and/or password is incorrect Error: ha-primary: Username and/or password is incorrect
Restjavad log on primary CM would have an entry similar to the following:
[WARN][01 Jan 2024 01:00:00 UTC][/shared/ha/add-peer-task/abcdefgh-1234-abcd-1234-abcdefghijkl/worker AddPeerTaskWorker] [/bin/bash, -c, /usr/bin/ha_corosync_config.sh -p <primary_discovery_ip> -s <secondary_discovery_ip> -q <quorum_discovery_ip> -r primary -a <floating_ip> -m] failed with exit code 1, stdout: haclient:x:189:hacluster, stderr: Error: ha-quorum: Username and/or password is incorrect
Error: ha-secondary: Username and/or password is incorrect
Error: ha-primary: Username and/or password is incorrect
Conditions:
- BIG-IQ CMs and DCD (Quorum) are configured to remotely authenticate (e.g. TACACS+) users for CLI access.
Impact:
The user 'hacluster' could not be authenticated remotely, hence the HA autofailover setup task fails.
Workaround:
If the issue has already occurred, the cluster would need to be rebuilt by running the following on the primary and secondary CMs and on DCDs:
ha_reset -f <device local discovery IP>
reset-data-collection-cluster
Add 'hacluster' user in the CMs and Quorum DCD's /config/bigip/auth/localusers. Note that this will not survive reboots.
Add at least one DCD into the cluster that will be used as quorum device, then configure the autofailover HA.
Use the guide in https://my.f5.com/manage/s/article/K11948 for creating a script that adds the hacluster user into /config/bigip/auth/localusers every time the CMs and Quorum device reboot.
1576437-1 : When generating a CSR with a custom partition, the Venafi certificate is stored in the wrong partition with 'Base64' format.
Links to More Info: BT1576437
Component: BIG-IQ Local Traffic & Management
Symptoms:
Venafi certificate is stored in the wrong partition when generating a CSR with a custom partition.
Conditions:
When generating a CSR with a custom partition in 'Base64' format.
Impact:
Venafi certificate is stored in the wrong partition
Workaround:
None
1316593-2 : An error occurs when importing an ASM Policy containing the same URLs but with different HTTP request methods
Links to More Info: BT1316593
Component: BIG-IQ Web Application Security (ASM)
Symptoms:
BIG-IQ restjavad log file would show an error similar to the following when importing configuration from a BIG-IP ASM device:
[/cm/asm/tasks/discover-config/4e3b4176-308e-4591-8468-4ef9719efdc2/worker AsmDiscoveryTaskWorker] Error while creating 'ASM Policy - Url' 'null' in current-config: http://localhost:8100/cm/asm/current-config/policies/343a57d0-1c6f-36f0-b0a9-fb4647bbe1d5/urls, and while creating 'ASM Policy - Url' 'null' in current-config: http://localhost:8100/cm/asm/current-config/policies/343a57d0-1c6f-36f0-b0a9-fb4647bbe1d5/urls, and while creating 'ASM Policy - Url' 'null' in current-config: http://localhost:8100/cm/asm/current-config/policies/343a57d0-1c6f-36f0-b0a9-fb4647bbe1d5/urls, and while creating 'ASM Policy - Url' 'null' in current-config: http://localhost:8100/cm/asm/current-config/policies/343a57d0-1c6f-36f0-b0a9-fb4647bbe1d5/urls : java.lang.IllegalArgumentException: Duplicate item. Key already exists: protocol : http, name : /test/duplicateUrl
In this example, inspecting the affected ASM policy from the BIG-IP ASM that is being imported should reveal that one of the affected URLs would have multiple allowed URL entries for "/test/duplicateUrl", but those entries would have different HTTP request methods.
Conditions:
- Multiple entries in the ASM policy for the same URL but with different HTTP request methods.
Impact:
Unable to import ASM policy configuration from the BIG-IP ASM device.
Workaround:
The feature for having multiple entries for the same allowed URLs having different HTTP request methods is not yet implemented for BIG-IQ v8.3.0.
Avoid using multiple entries for the same allowed URLs.
If the feature is absolutely necessary, install an EHF for ID1316593.
For additional support resources and technical documentation, see:
- The F5 Technical Support website: http://www.f5.com/support/
- The MyF5 website: https://my.f5.com/manage/s/
- The F5 DevCentral website: http://community.f5.com/