2130349 : Older BIG-IP image import fails with signature verification

Component: F5OS-A

Symptoms:
The TMOS tenant images prior to certificate rotation fail to verify the signature.

An error is logged:
appliance-1.chassis.local image-agent[14]: priority="Err" version=1.0 msgid=0x2002000000000010 msg="Failed to verify image signature. Removed." IMAGE="<image>.tar.bundle" FAILURE="signature".

Conditions:
Importing a BIG-IP tenant image that was released prior to certificates being rotated.

Impact:
You can't import the image. But images that were imported before the F5OS-A upgrade continue to work.

Workaround:
Import a BIG-IP tenant image which has had its certificates rotated.

Fix:
Updated the F5OS-A image verification to successfully verifies the TMOS tenant images contain certificate rotation.

2078301-1 : dagd may crash if a malicious message is sent from the tenant

Links to More Info: K000156796, BT2078301

2063565-2 : CVE-2022-23219: glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname

Links to More Info: K52308021

2063545-2 : CVE-2022-23218: glibc: Stack-based buffer overflow in svcunix_create via long pathnames

Links to More Info: K52308021

2050869 : CVE-2022-41721 x/net/http2/h2c: request smuggling

Component: F5OS-A

Symptoms:
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead read the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Conditions:
NA

Impact:
Potentially leading to the server misinterpreting request boundaries and processing unintended or malicious HTTP/2 requests.

Workaround:
NA

Fix:
Upgraded to golang.org/x/net v0.38.0

2050865 : CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache

Component: F5OS-A

Symptoms:
There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources.

Conditions:
NA

Impact:
Can trigger excessive resource and CPU consumption

Workaround:
NA

Fix:
Upgraded to golang.org/x/net v0.38.0

2050861 : CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment

Component: F5OS-A

Symptoms:
A flaw was found in golang. An attacker can craft an input to ParseFragment within parse.go that would cause it to enter an infinite loop and never return. The greatest threat to the system is of availability.

Conditions:
NA

Impact:
A specially crafted input may cause ParseFragment to enter an infinite loop, resulting in application hang and denial of service.

Workaround:
NA

Fix:
Upgraded to golang.org/x/net v0.38.0

2050853 : CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag

Component: F5OS-A

Symptoms:
A flaw was found in golang.org. In x/text, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag.

Conditions:
An affected version of the golang.org/x/text library is present and the language.ParseAcceptLanguage function processes certain malformed BCP 47 language tags.

Impact:
May cause a "slice bounds out of range" panic

Workaround:
NA

Fix:
This issue is resolved by upgrading to golang.org/x/text v0.23.0.

2050845 : CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

Component: F5OS-A

Symptoms:
A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.

Conditions:
NA

Impact:
May cause excessive CPU usage, leading to significant performance degradation

Workaround:
NA

Fix:
Upgraded to golang.org/x/text v0.23.0

2050841 : CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension

Component: F5OS-A

Symptoms:
A flaw was found in golang.org. In x/text, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension.

Conditions:
NA

Impact:
May cause an "index out of range" panic

Workaround:
NA

Fix:
Upgraded to golang.org/x/text v0.23.0

2050833 : CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS

Component: F5OS-A

Symptoms:
A flaw was found in golang. The language package for go language can panic due to an out-of-bounds read when an incorrectly formatted language tag is being parsed. This flaw allows an attacker to cause applications using this package to parse untrusted input data to crash, leading to a denial of service of the affected component.

Conditions:
NA

Impact:
May trigger an out-of-bounds read and application panic, leading to a denial of service.

Workaround:
NA

Fix:
Upgraded to golang.org/x/text v0.23.0

2050825 : CVE-2022-41721 x/net/http2/h2c: request smuggling

Component: F5OS-A

Symptoms:
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead read the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Conditions:
NA

Impact:
potentially leading to unauthorized actions or information disclosure.

Workaround:
NA

Fix:
Package has been upgraded to non vulnerable version.

2050801-2 : CVE-2017-16539 docker: The DefaultLinuxSpec function does not block /proc/scsi pathnames

Component: F5OS-A

Symptoms:
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.

Conditions:
The Docker engine version is earlier than 1.13.1 and
Docker containers are started with capabilities that allow write access to /proc/scsi/scsi.

Impact:
Containers with sufficient privileges could potentially remove SCSI devices from the host system, resulting in data loss or device unavailability.

Workaround:
NA

Fix:
This vulnerability is not present in Docker version v1.13.1 or later.

2050793-2 : CVE-2024-36623 moby: Race Condition in Moby's streamformatter Package

Component: F5OS-A

Symptoms:
A flaw was found in Moby's streamformatter package. This vulnerability allows data corruption or application crashes via multiple concurrent write operations triggered by a race condition

Conditions:
NA

Impact:
Users may experience data inconsistencies or unexpected termination of the application when concurrent write operations are invoked under specific runtime conditions.

Workaround:
NA

Fix:
This issue has been addressed with a fix

2050701-1 : CVE-2025-58754 axios: Axios DoS via lack of data size check

Component: F5OS-A

Symptoms:
Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Versions 0.30.2 and 1.12.0 contain a patch for the issue.

Conditions:
A vulnerable version of Axios (prior to 0.30.2 and 1.12.0) is present and used in a Node.js environment to process URLs with the data: scheme.

Impact:
This will lead to DoS.

Workaround:
NA

Fix:
Axios has been updated to non-vulnerable version.

2008753-1 : Privilege Escalation to Admin via SSH Port Forwarding

Links to More Info: K000156771

2008505-5 : F5OS SCP hardening

Links to More Info: K000156771

2000389-3 : CVE-2018-10105 - tcpdump: SMB data printing mishandled

Links to More Info: K000156675

1999777-3 : CVE-2018-10103 - tcpdump: SMB data printing mishandled

Links to More Info: K000156675

1998753 : CVE-2021-3516 libxml2: Use-after-free in xmlEncodeEntitiesInternal() in entities.c

Component: F5OS-A

Symptoms:
There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.

Conditions:
NA

Impact:
May trigger a use-after-free condition

Workaround:
Avoid processing untrusted or unknown XML files

Fix:
Applied upstream patches.

1998541 : CVE-2021-3518 libxml2: Use-after-free in xmlXIncludeDoProcess() in xinclude.c

Component: F5OS-A

Symptoms:
There's a flaw in libxml2. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

Conditions:
NA

Impact:
May trigger a use-after-free condition

Workaround:
Avoid processing untrusted or unknown XML files

Fix:
Applied upstream patches.

1998521 : CVE-2021-3517 libxml2: Out-of-Bounds Read in XML Entity Encoding Functionality

Links to More Info: K03179547

1998417 : CVE-2022-29824 libxml2: Integer Overflow in Buffer Handling Functions Leading to Out-of-Bounds Writes

Component: F5OS-A

Symptoms:
In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

Conditions:
libxml2 before 2.9.14

Impact:
may trigger integer overflows in buffer handling functions, leading to out-of-bounds memory writes

Workaround:
Avoid processing untrusted or unusually large XML files

Fix:
Applied upstream patch

1998265 : CVE-2021-3537 libxml2: NULL Dereference Due to Improper Error Handling in Mixed Content Parsing Ask Explain

Component: F5OS-A

Symptoms:
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

Conditions:
libxml2 versions before 2.9.11

Impact:
May trigger a NULL pointer dereference

Workaround:
Avoid processing untrusted or unknown XML documents in recovery mode

Fix:
Applied upstream patches.

1998233 : CVE-2017-9047 libxml2: Buffer Overflow in xmlSnprintfElementContent

Component: F5OS-A

Symptoms:
A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.

Conditions:
An affected version of libxml2 (up to and including v2.9.4) is present and processes XML elements with complex content definitions using the xmlSnprintfElementContent function.

Impact:
A specially crafted XML file may trigger a buffer overflow

Workaround:
Avoid processing untrusted or specially crafted XML files

Fix:
Applied upstream patches.

1997969 : CVE-2017-16931 libxml2: Improper Handling of Parameter-Entity References

Component: F5OS-A

Symptoms:
parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.

Conditions:
libxml2 before 2.9.5

Impact:
May trigger improper handling of parameter-entity references, possibly leading to unexpected behavior

Workaround:
Avoid processing untrusted or unknown XML files

Fix:
Applied upstream patches.

1997929 : CVE-2022-23308 libxml2: Use-After-Free in ID and IDREF Attribute Handling

Links to More Info: K32760744

1996657-2 : CVE-2022-2817 vim: heap use-after-free in string_quote() at src/strings.c

Component: F5OS-A

Symptoms:
A use-after-free vulnerability was found in Vim in the string_quote function in the strings.c file. This issue occurs because an already freed memory is used when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the use-after-free, causing the application to crash, possibly executing code and corrupting memory.

Conditions:
vim prior to 9.0.0212

Impact:
May trigger a use-after-free condition

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1996609-2 : CVE-2022-3296 vim: out-of-bound write in function ml_append_int

Component: F5OS-A

Symptoms:
A stack-based buffer overflow vulnerability was found in vim's ex_finally() function of the src/ex_eval.c file. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a bug that causes an application to crash, possibly executing code and corrupting memory.

Conditions:
NA

Impact:
Users may observe unexpected termination or memory inconsistency during editing or buffer operations.

Workaround:
NA

Fix:
This issue has been adressed with a fix

1996593-2 : CVE-2022-3234 vim: Heap-based Buffer Overflow

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.

Conditions:
NA

Impact:
The vim process may exit unexpectedly or produce inconsistent runtime behavior during editing.

Workaround:
NA

Fix:
The issue had been addressed with a fix

1996585-2 : CVE-2022-2816 vim: out-of-bounds read in check_vim9_unlet() at src/vim9cmds.c

Component: F5OS-A

Symptoms:
An out-of-bounds read vulnerability was found in Vim in the check_vim9_unlet function in the vim9cmds.c file. This issue occurs because of invalid memory access when compiling the unlet command when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the out-of-bounds read, causing the application to crash, possibly executing code and corrupting memory.

Conditions:
vim prior to 9.0.0211

Impact:
May trigger an out-of-bounds read

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1996529-2 : CVE-2022-2210 vim: out-of-bound write in function ml_append_int

Component: F5OS-A

Symptoms:
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.

Conditions:
vim prior to 8.2

Impact:
Could trigger an out-of-bounds write

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1996329-2 : CVE-2022-2580 vim: Out-of-bounds Read in vim

Component: F5OS-A

Symptoms:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.

Conditions:
vim prior to 9.0.0102

Impact:
May trigger a heap buffer overflow

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is fixed in vim-minimal-2:9.1

1996193-2 : CVE-2022-2285 vim: integer overflow in del_typebuf() at getchar.c

Component: F5OS-A

Symptoms:
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.

Conditions:
vim prior to 9.0.

Impact:
May trigger an integer overflow or wraparound

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995929-2 : CVE-2023-0433 vim: reading past the end of a line when formatting text

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.

Conditions:
NA

Impact:
Users may experience unexpected program termination or inconsistent runtime behavior when performing specific input processing or editing operations under certain conditions.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1995773-2 : CVE-2022-3256 vim: use-after-free in movemark() at mark.c

Component: F5OS-A

Symptoms:
A heap use-after-free vulnerability was found in vim's movemark() function of the src/mark.c file. This issue occurs because vim uses freed memory when 'autocmd' changes the mark. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap use-after-free that causes an application to crash, possibly executing code and corrupting memory.

Conditions:
NA

Impact:
Users may observe unexpected termination of the application, or internal memory inconsistencies, which under certain conditions could lead to unpredictable behavior beyond the editing session

Workaround:
NA

Fix:
The issue had been addressed with a fix

1995661-2 : CVE-2023-0512 vim: divide by zero in adjust_skipcol() at move.ca

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.

Conditions:
NA

Impact:
Users may encounter unexpected program termination when window width becomes very narrow under certain input conditions.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1995613-2 : CVE-2022-2207 vim: heap-based buffer overflow in function ins_bs

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Conditions:
vim prior to 8.2.

Impact:
May result in a heap-based buffer overflow

Workaround:
Do not open untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995465-2 : CVE-2022-2889 vim: use-after-free in find_var_also_in_script() in evalvars.c

Component: F5OS-A

Symptoms:
A use-after-free vulnerability was found in Vim in the find_var_also_in_script function in the evalvars.c file. This issue occurs because an already freed memory is used when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the use-after-free, causing the application to crash, possibly executing code and corrupting memory.

Conditions:
NA

Impact:
Users may observe unexpected termination of the process

Workaround:
NA

Fix:
The issue has been adressed by improving internal memory handling for specific input conditions

1995445-2 : CVE-2022-2287 vim: out of bounds read in suggest_trie_walk() at spellsuggest.c

Component: F5OS-A

Symptoms:
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.

Conditions:
vim prior to 9.0

Impact:
May trigger an out-of-bounds read

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995353-2 : CVE-2022-2581: vim: Out-of-bounds Read in vim src/regexp.c

Component: F5OS-A

Symptoms:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.

Conditions:
vim prior to 9.0.0104

Impact:
May trigger a heap buffer overflow

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995349-2 : CVE-2022-2571 vim: Heap-based Buffer Overflow in vim

Component: F5OS-A

Symptoms:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.

Conditions:
vim prior to 9.0.0101

Impact:
May trigger a heap buffer overflow

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995341-2 : CVE-2022-3352 vim: use after free

Component: F5OS-A

Symptoms:
Use After Free in GitHub repository vim/vim prior to 9.0.0614.

Conditions:
NA

Impact:
Users may observe unexpected termination of vim or internal memory inconsistencies during buffer operations.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1995337-2 : CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension

Component: F5OS-A

Symptoms:
A flaw was found in golang.org. In x/text, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension.

Conditions:
NA

Impact:
may cause a panic with "index out of range"

Workaround:
NA

Fix:
We are not using the package

1995157-2 : CVE-2022-2182 vim Heap-based Buffer Overflow

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Conditions:
vim prior to 8.2.

Impact:
Could lead to a heap-based buffer overflow

Workaround:
Avoid opening files from untrusted sources

Fix:
This issue is addressed in vim-minimal-2:9.1

1995097-2 : CVE-2022-2125 vim Heap-based Buffer Overflow

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Conditions:
A vulnerable version of vim (prior to 8.2)

Impact:
Could result in a heap-based buffer overflow

Workaround:
Avoid opening untrusted or unknown files with vulnerable versions of vim.

Fix:
The issue is resolved in vim-minimal-2:9.1

1995077-2 : CVE-2022-2601 grub2: Buffer overflow in grub_font_construct_glyph() can lead to out-of-bound write and possible secure boot bypass

Component: F5OS-A

Symptoms:
A flaw was found where a maliciously crafted pf2 font could lead to an out-of-bounds write in grub2. A successful attack can lead to memory corruption and secure boot circumvention.

Conditions:
NA

Impact:
May trigger an out-of-bounds write

Workaround:
Avoid using untrusted or unknown pf2 font files

Fix:
Resolved by upgrading grub

1995037-2 : CVE-2022-3705 vim: a use after free in the function qf_update_buffernt

Component: F5OS-A

Symptoms:
A use-after-free vulnerability was found in Vim in the find_var_also_in_script function in the evalvars.c file. This issue occurs because an already freed memory is used when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the use-after-free, causing the application to crash, possibly executing code and corrupting memory.

Conditions:
NA

Impact:
Users may observe unexpected termination of vim or internal memory inconsistencies during quickfix buffer operations.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1994969-2 : CVE-2022-2946 vim-minimal-7.4.629-6.el7.x86_64.rpm: Use After Free in GitHub repository vim/vim prior to 9.0.0246

Component: F5OS-A

Symptoms:
A flaw was found in vim, where it is vulnerable to a use-after-free in the vim_vsnprintf_typval function. This flaw allows a specially crafted file to crash a program, use unexpected values, or execute code.

Conditions:
This issue can manifest when vim is used in workflows that handle dynamic input evaluation or formatted string operations.

Impact:
Users might see vim exit unexpectedly or behave inconsistently in those workflows.

Workaround:
NA

Fix:
The issue has been adressed

1994953-2 : CVE-2022-2284 vim: out of bounds read in utfc_ptr2len() at mbyte.c

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.

Conditions:
vim prior to 9.0.

Impact:
May trigger a heap-based buffer overflow

Workaround:
Do not open untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1994929-2 : CVE-2022-2819 vim: heap buffer overflow in compile_lock_unlock() at src/vim9cmds.c

Component: F5OS-A

Symptoms:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.

Conditions:
vim prior to 9.0.0210

Impact:
A specially crafted input file may trigger a heap buffer overflow.

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1994669-2 : CVE-2023-0051 vim: heap-based buffer overflow in msg_puts_printf() in message.c

Component: F5OS-A

Symptoms:
A heap-based buffer overflow was found in Vim in the msg_puts_printf function in the message.c file. The issue occurs because of an invalid memory access when calculating the length of a string when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the heap-based buffer overflow, causing the application to crash.

Conditions:
NA

Impact:
Users may observe unexpected termination of vim or memory inconsistencies during message formatting operations.

Workaround:
https://access.redhat.com/security/cve/cve-2023-0051

Fix:
This issue has been addressed with a fix

1994637-2 : CVE-2023-3138 - libX11: Out-of-bounds request/event/error ID handling in InitExt.c

Component: F5OS-A

Symptoms:
A client application may crash (due to memory corruption) when interacting with a malicious or misbehaving X server or proxy that sends out-of-bounds Request / Event / Error IDs.

Conditions:
libX11 (vulnerable versions, < 1.8.6)

Impact:
Memory corruption (within the Display structure), leading to client crash (denial of service)

Workaround:
NA

Fix:
LibX11 has been removed, as it was unused

1994593-2 : CVE-2020-14363 - libX11: Integer overflow leading to double-free in locale handling

Component: F5OS-A

Symptoms:
An integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability.

Conditions:
The application must be compiled with libX11 using a vulnerable version (prior to 1.6.12)

Impact:
May result in a double-free condition, potentially causing the application to crash or, in some cases, leading to arbitrary code execution.

Workaround:
NA

Fix:
LibX11 has been removed, as it was unused

1994517-2 : CVE-2022-2126 vim: out of bounds read in suggest_trie_walk()

Component: F5OS-A

Symptoms:
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.

Conditions:
vim prior to 8.2

Impact:
Could lead to an out-of-bounds read

Workaround:
Do not open untrusted or unknown files

Fix:
This issue is fixed in vim-minimal-2:9.1

1994465-2 : CVE-2022-2862 vim: heap use-after-free in generate_PCALL() at src/vim9instr.c

Component: F5OS-A

Symptoms:
Use After Free in GitHub repository vim/vim prior to 9.0.0221.

Conditions:
vim prior to 9.0.0221.

Impact:
Successful exploitation may trigger a use-after-free condition

Workaround:
Do not open untrusted or unknown files

Fix:
This issue is addressed in vim-minimal-2:9.1

1994449-2 : CVE-2023-0054 vim-minimal-7.4.629-6.el7.x86_64.rpm: Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.

Component: F5OS-A

Symptoms:
An out-of-bounds write flaw was found in Vim, in the do_string_sub function in the eval.c file. The issue occurs because of an invalid memory access due to a missing check of the return value of the vim_regsub function when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file to trigger the out-of-bounds write, causing the application to crash.

Conditions:
NA

Impact:
Users may experience unexpected termination of vim or internal inconsistencies during substitution operations.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1959845-5 : CVE-2022-48340: glusterfs: heap use-after-free in dht_setxattr_mds_cbk() in dht-common.c

Component: F5OS-A

Symptoms:
A flaw was found in Gluster, where GlusterFS is vulnerable to a denial of service caused by an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free. By sending a specially-crafted request, a remote attacker can cause a denial of service.

Conditions:
NA

Impact:
Clients may experience service interruption or unexpected termination of GlusterFS in certain operating scenarios.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1953653-4 : cve-2022-27406: Freetype: Segmentation violation via FT_Request_Size

Links to More Info: K000141126

1857245-2 : CVE-2025-22869 - SSH file-transfer servers vulnerable to Denial of Service via slow key exchange

Component: F5OS-A

Symptoms:
A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.

Conditions:
The SSH server implementation must support file transfer protocols over golang.org/x/crypto/ssh < 0.35.0

Impact:
DoS: the server’s memory or other resources may be exhausted, making it unavailable to legitimate users.

Workaround:
NA

Fix:
The vulnerability is fixed in golang.org/x/crypto/ssh v0.35.0 and above.

1857197-1 : CVE-2025-22869 - SSH file-transfer servers vulnerable to Denial of Service via slow key exchange

Component: F5OS-A

Symptoms:
A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.

Conditions:
The SSH server implementation must support file transfer protocols over golang.org/x/crypto/ssh < 0.35.0

Impact:
DoS: the server’s memory or other resources may be exhausted, making it unavailable to legitimate users.

Workaround:
NA

Fix:
The vulnerability is fixed in golang.org/x/crypto/ssh v0.35.0 and above.

1857001-2 : CVE-2025-27152: axios vulnerability

Component: F5OS-A

Symptoms:
When passing absolute URLs to axios, even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage.

Conditions:
When passing absolute URLs to axios.

Impact:
Affected code is in our product but cannot be exploited in any normal configuration

Workaround:
N/A

Fix:
Upgraded axios to a non-vulnerable version.

1782497-1 : CVE-2022-41723 - specially crafted HTTP/2 stream could cause excessive CPU usage in the HPACK decoder

Component: F5OS-A

Symptoms:
A malicious HTTP/2 stream can cause excessive CPU usage on the server, due to expensive HPACK decoding operations.

Conditions:
Golang < 1.19.6

Impact:
Denial of Service, availability is affected

Workaround:
NA

Fix:
The vulnerability is fixed in golang 1.20.0 and above.

1780721-2 : CVE-2022-41723 - specially crafted HTTP/2 stream could cause excessive CPU usage in the HPACK decoder

Component: F5OS-A

Symptoms:
A malicious HTTP/2 stream can cause excessive CPU usage on the server, due to expensive HPACK decoding operations.

Conditions:
Golang < 1.19.6

Impact:
Denial of Service, availability is affected

Workaround:
NA

Fix:
The vulnerability is fixed in golang 1.20.0 and above.

1780617-2 : CVE-2023-45288 - HTTP/2 endpoint excessive header reading via CONTINUATION frames

Links to More Info: K000148640

1753033-2 : Snmp is not working if mgmt is in 172.17.x.x network in 1.8.0★

Links to More Info: BT1753033

Component: F5OS-A

Symptoms:
The snmpwalk command times out after an upgrade.

Conditions:
-- The management IP address is in the 172.17.x.x network
-- The system is upgraded from 1.5.2

Impact:
The snmpwalk command fails if the management IP is in 172.17.x.x network in 1.8.0

Workaround:
Remove the iptables entries with 172.x network as source from the file /etc/sysconfig/iptables and reboot the system

Steps are as below

Verify existing entries:
# iptables-save | grep 172.17
-A POSTROUTING -s 172.17.0.0/16 ! -o br-97c791a9e730 -j MASQUERADE
-A POSTROUTING -s 172.17.0.0/16 ! -o br-e4f09d90e378 -j MASQUERADE

Make a backup of the iptables file
# cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak
 
Edit the entries in the iptables file
# grep -v '＼-s 172.' /etc/sysconfig/iptables.bak > /etc/sysconfig/iptables

Run this command:
# iptables-save | grep -vF 172.17.0.0/16 > iptables

Reboot the device:
# reboot

Verify entries. Either of these commands should return no results
# iptables-save | grep 172.17
# grep '172.17' /etc/sysconfig/iptables

Fix:
During the upgrade from 1.5.2 to any higher version, the iptables for default docker network (172 network) are removed

1730833-2 : Tmm may egress broadcast traffic even when VLANs are disabled in F5OS

Links to More Info: BT1730833

Component: F5OS-A

Symptoms:
In certain scenarios such as restoring a UCS on an F5OS tenant, if the VLANs in F5OS are disabled, tmm may egress broadcast traffic such as gratuitous ARPs onto the disabled VLANs.

Conditions:
-- An F5OS tenant where VLANs were assigned and then removed.
-- An F5OS tenant where tmm is not in forced-offline mode.
-- An action occurs on the tenant (such as restoring a UCS or restarting tmm, or loading the config) that results in gratuitous ARPs.

Impact:
This could cause IP address conflicts on the network or other issues related to unexpected broadcast traffic such as gratuitous ARPs on the network.

Workaround:
- In F5OS, remove the affected VLANs from the LAG or interface.

- On the tenant use forced offline to prevent traffic egress.

- If you are restoring a UCS from another BIG-IP such as for a platform migration, put the source BIG-IP into forcedoffline state before taking the UCS.

- delete the tenant, and recreate without any VLANs assigned.

Fix:
A single tenant with a vlan that was configured and then removed via F5OS will no longer leak broadcast traffic onto the network on the removed vlan.

This fix does not address the issue when multiple tenants are attached to the same vlan. F5 has created ID1758957 for that issue.

1713073-2 : F5OS rSeries spontaneous reboot after upgrade★

Links to More Info: K000148566, BT1713073

Component: F5OS-A

Symptoms:
After upgrading, the device reboots unexpectedly.

Pel logs have this signature:
11/05/2024 21:24:47 | 5753 | AOM | 255 | Network Access | 0 | CPU internal error event
11/05/2024 21:24:47 | 5754 | AOM | 255 | Network Access | 5 | ME PECI is not functional, resetting host
11/05/2024 21:24:47 | 5755 | AOM | 255 | Network Access | 5 | ... reason: 0xFF ME IPMI 'other error'
11/05/2024 21:24:47 | 5756 | AOM | 255 | Network Access | 6 | lop host reset event

Conditions:
-- rSeries 5xxx, 10xxx, 12xxx system
-- Upgrade to version 1.8.0 build 16036

Impact:
Spontaneous system restart could occur.

Workaround:
A BIOS change occurred in the F5OS 1.8.0 build 16036 upgrade that enables CMS ENABLE DRAM PM. Disabling it will mitigate this.

For instructions on how to perform this procedure, see K000148566: F5 rSeries systems may silently reboot after upgrading to F5OS-A 1.8.0 at https://my.f5.com/manage/s/article/K000148566.

Fix:
Fixes introduced in F5OS-A-1.8.0-17564.R5R10.EHF-1.iso

1712009 : Attempting to perform a configuration restore, after downgrading from v1.8.0, makes the system inoperable★

Links to More Info: BT1712009

Component: F5OS-A

Symptoms:
After a downgrading from v1.8.0 and reset-to-default process, ConfD fails to start.

Conditions:
Downgrade a system from F5OS-A 1.8.0, F5OS-A-1.8.2, or F5OS-C 1.8.0 to an earlier version, and then attempt to perform a "system database reset-to-default" operation.

Impact:
The system becomes inoperable, with no access to the CLI or UI. Interaction is restricted to a root-level bash login. Following a database reset, access is exclusively available through the serial console.

Workaround:
Perform the below steps for a successful configuration restore or reset-to-default operation following a version downgrade from 1.8.0.
=====================================================================================

F5 rSeries system's config-restore workaround after downgrading from v1.8.0
========================================================================
step-1: Log in to the command line interface (CLI) of the system using an account with root access.
step-2: Copy the below content to a new file f5_dyncfg_config_restor_fix.xml

<!-- File Begin -->
<!-- XML file content for fixing the config-restore issue. -->

<config xmlns='http://tail-f.com/ns/config/1.0'>
<confdConfig xmlns='http://tail-f.com/ns/confd_dyncfg/1.0'>
 
  <restconf>
    <transport>
      <tcp>
        <enabled>false</enabled>
      </tcp>
    </transport>
  </restconf>
 
  <webui>
    <enabled>false</enabled>
      <transport>
        <tcp>
          <enabled>true</enabled>
        </tcp>
      </transport>
    </webui>
 
  </confdConfig>
</config>

<!-- End of file -->

step-3: Move the file (f5_dyncfg_config_restor_fix.xml) created in step-2 to /var/F5/system/
step-4: Execute the below command.

docker exec -it system_manager /confd/bin/confd_load -U -c system -m -l /var/F5/partition/f5_dyncfg_config_restor_fix.xml

step-5: delete the file /var/F5/system/f5_dyncfg_config_restor_fix.xml


System Controller’s config-restore workaround after downgrading from v1.8.0
===========================================================================
step-1: Log into the command line interface (CLI) of the Active controller using an account with root access.
step-2: Copy the below content to file f5_dyncfg_config_restor_fix.xml

<!-- File Begin -->
<!-- XML file content for fixing the config-restore issue. -->

<config xmlns='http://tail-f.com/ns/config/1.0'>
<confdConfig xmlns='http://tail-f.com/ns/confd_dyncfg/1.0'>
 
  <restconf>
    <transport>
      <tcp>
        <enabled>false</enabled>
      </tcp>
    </transport>
  </restconf>
 
  <webui>
    <enabled>false</enabled>
      <transport>
        <tcp>
          <enabled>true</enabled>
        </tcp>
      </transport>
    </webui>
 
  </confdConfig>
</config>

<!-- End of file -->

step-3: Move the file (f5_dyncfg_config_restor_fix.xml) created in step-2 to /var/F5/system/
Step-4: Execute the below command.

docker exec -it vcc-confd confd_load -U -c system -m -l /var/F5/system/f5_dyncfg_config_restor_fix.xml

step-5: Delete the file /var/F5/system/f5_dyncfg_config_restor_fix.xml

Chassis Partition's config-restore workaround after Partition downgrading from 1.8.0
==================================================================================
step-1: Log in to the command line interface (CLI) of the blade using an account with root access.
step-2: copy the below content to file f5_dyncfg_config_restor_fix.xml

<!-- File Begin -->
<!-- XML file content for fixing the config-restore issue. -->

<config xmlns='http://tail-f.com/ns/config/1.0'>
<confdConfig xmlns='http://tail-f.com/ns/confd_dyncfg/1.0'>
 
  <restconf>
    <transport>
      <tcp>
        <enabled>false</enabled>
      </tcp>
    </transport>
  </restconf>
 
  <webui>
    <enabled>false</enabled>
      <transport>
        <tcp>
          <enabled>true</enabled>
        </tcp>
      </transport>
    </webui>
 
  </confdConfig>
</config>

<!-- End of file -->

step-3: Move the file (f5_dyncfg_config_restor_fix.xml) created in step-2 to /var/F5/partition<id>/
Step-4: Execute the below command.

docker exec -it partition<id>_manager confd_load -U -c system -m -l f5_dyncfg_config_restor_fix.xml

step-5: Delete the file /var/F5/system/f5_dyncfg_config_restor_fix.xml

Follow the below steps to fix the system after it enters a failed state following a version downgrade v1.8.0
=====================================================================================

To restore functionality, you must access a bash shell using an account with root access (most likely through the system's serial console) and delete the files in the "/var/F5/system/cdb/" directory and perform a restart. This action will erase all settings, including licensing and the system’s management IP.

Next, get a new license, configure the system management IP address, verify or reset the primary key, and initiate a configuration restoration using the previously saved backup.

If the system controller is reset using this method, the empty partitions must be recovered from backup and the tenants must then be restored.

If a partition experiences this type of failure and is cleared and reset, it must not be deleted or recreated in the system controller. This is because it will result in a mismatch of primary keys and the configuration restoration will not function properly.

1709121-4 : Unable to create a tenant as the Network Manager start-up or failover may result in a looping process

Links to More Info: BT1709121

Component: F5OS-A

Symptoms:
While creating a new tenant, an error occurs:

"Failure for data/f5-tenants:tenants API. The server or an underlying service is unreachable."

The network-manager service seems to hang, or it might be in a restart loop.

In confd, the 'show system mac-allocation state' command indicates that no MAC addresses have been allocated.

$ show system mac-allocation state
system mac-allocation state free-single-macs 16
system mac-allocation state allocated-single-macs 0
system mac-allocation state free-large-blocks 2
system mac-allocation state allocated-large-blocks 0
system mac-allocation state free-medium-blocks 0
system mac-allocation state allocated-medium-blocks 0
system mac-allocation state free-small-blocks 0
system mac-allocation state allocated-small-blocks 0
system mac-allocation state total-free-mac-count 80
system mac-allocation state total-allocated-mac-count 0 <---
system mac-allocation state total-mac-count 80

Conditions:
This can occur with combinations of tenants using MAC blocks greater the size 1. The specific combinations are somewhat unpredictable.

Impact:
Tenants cannot be created.

Workaround:
None

Fix:
The code will be updated to prevent the hang condition.

1702237 : Mismatch between api_svc_gateway auth and zmq_info msg_ids and subset codes

Links to More Info: BT1702237

Component: F5OS-A

Symptoms:
An incorrect msg_id is reported for api_svc_gateway auth or zmq_info errors.

ZMQ_MSG
API_SVC_GATEWAY.ZMQ_MSG.6
Wrong msg_id: 2024-10-29T21:03:59.960602+00:00 appliance-1.chassis.local api-svc-gateway[9]: priority="Info" version=1.0 msgid=0x5806000000000006 msg="Running network manager Message Queue client at" ADDR="tcp://localhost:2401".

Correct msg_id: 2024-10-29T21:03:59.960602+00:00 appliance-1.chassis.local api-svc-gateway[9]: priority="Info" version=1.0 msgid=0x5805000000000006 msg="Running network manager Message Queue client at" ADDR="tcp://localhost:2401".

AUTH
API_SVC_GATEWAY.AUTH.7
Wrong msg_id: 2024-10-29T21:32:15.841424+00:00 appliance-1.chassis.local api-svc-gateway[9]: priority="Err" version=1.0 msgid=0x5805000000000007 msg="Platfrom key could not be decrypted" ERRNOSTR="Bad protocol usage or unexpected retval" LASTERR="Bad ciphertext format" ERRNO=21.

Correct msg_id: 2024-10-29T21:32:15.841424+00:00 appliance-1.chassis.local api-svc-gateway[9]: priority="Err" version=1.0 msgid=0x5806000000000007 msg="Platfrom key could not be decrypted" ERRNOSTR="Bad protocol usage or unexpected retval" LASTERR="Bad ciphertext format" ERRNO=21.

Conditions:
Errors that are logged by api_svc_gateway auth or zmq_info

Impact:
An incorrect message ID is logged.

Workaround:
None

Fix:
Modified api_svc_gateway auth or zmq_info error msg_ids

1701145 : Intermittent redirection to Dashboard when accessing Add/Edit FIPS Partition

Links to More Info: BT1701145

Component: F5OS-A

Symptoms:
In the current session, attempting to navigate to "Add/Edit" screens— such as "Add/Edit FIPS Partition" or "Add/Edit LAG"using the Add button on above its table may unexpectedly redirect to the dashboard. New or other active sessions remain unaffected.

Conditions:
This issue occurs rarely (approximately 1 in 20 to 30 times) when performing the following sequence of actions continuously:

Creating a FIPS partition.
Assigning the partition to a tenant.
Deploying the tenant.
Moving the tenant to the configured state.
Assigning a different FIPS partition to the tenant.
Deploying the tenant.

Impact:
In the affected session, you cannot access "Add/Edit" screens via the Add button and are redirected to the dashboard. However, you can still access these screens by manually navigating to the URL.

Workaround:
This issue is specific to the current session. Starting a new session will resolve the issue.

1694481-2 : K3s token expiry causing tenant unresponsiveness

Links to More Info: BT1694481

Component: F5OS-A

Symptoms:
Expiry of service account token inside multus causes the tenant to become unresponsive.
Note: It will only be impacted if/after it is changed to configured or provisioned and then it is deployed again.


The tenant fails to come up and the tenant status reads:

#show tenants; tenant STATUS
Not ready: containers with unready status: [compute]

Conditions:
-- Multus.kubeconfig is not recreated or updated when the service account token in /var/run/secrets/kubernetes.io/serviceaccount/token is renewed.
-- Even though the token is renewed, the token is still valid for a year in multus.kubeconfig

Impact:
After one year, token in the multus.kubeconfig becomes stale (expired). As a result, when Multus tries to access the Kubernetes API server using the stale token in the multus.kubeconfig, it may fail with authentication errors because the token is no longer valid.

Workaround:
Workaround(1):
Impact of procedure: Performing the following procedure should not have a negative impact on your system.

Delete the multus pod by logging into the system as root and running the following command:

kubectl -n kube-system delete pod -l app=multus

The system will delete the running pod and create a new one. This will refresh the token for the next one year.

Workaround(2):
Impact of procedure: Tenants will be temporarily unavailable during this process.

Rebooting the device will refresh the token.

Fix:
None

1691557-4 : CVE-2020-8037: tcpdump memory leak.

Links to More Info: K000149929

1671629-1 : [rSeries r2000/r4000] After F5OS reboot, tenant interfaces might be in UNINITIALIZED state

Links to More Info: BT1671629

Component: F5OS-A

Symptoms:
- After F5OS reboot, tenant interfaces might be in UNINITIALIZED state.
- Logs from tenant (/var/log/ltm) will show platform_agent receiving blank VLAN names. Example below where vlan id is 1234 (correct) but vlan name is blank (incorrect):

info platform_agent[7810]: 01e10007:6: vlan id = 1234vlan name = interface name = 1.3

Conditions:
- Rebooting F5OS
- rSeries r2000/r4000

Impact:
Traffic disruption. Since tenants interfaces will be UNINITIALIZED, the tenant will not be passing traffic.

Workaround:
- Remove all the VLANs from the interface (where VLAN names are missing) and re-attach the VLANs. This is to be done from F5OS side.
- Rebooting again is also known to resolve the problem (as this is a timing issue on reboot and does not happen frequently)

1644409 : RSeries ATSE v72.40.3.00 firmware

Links to More Info: BT1644409

Component: F5OS-A

Symptoms:
RSeries ATSE v72.40.3.00 firmware

Conditions:
RSeries r5000, r10000, or r12000-series appliance.

This update is not applicable to r2000 or r4000-series appliances.

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes ATSE/BE2 interface stability issues. See ID1596625 for more information.

1644405 : RSeries ATSE v72.4.4.00 firmware

Links to More Info: BT1644405

Component: F5OS-A

Symptoms:
RSeries ATSE v72.4.4.00 firmware

Conditions:
RSeries r5000, r10000, or r12000-series appliance.

This update is not applicable to r2000 or r4000-series appliances.

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes ATSE/BE2 interface stability issues. See ID1596625 for more information.

1644293-4 : Interface status alert and SNMP trap is not sent immediately after interface is disabled

Links to More Info: BT1644293

Component: F5OS-A

Symptoms:
When an interface is disabled, the alert or SNMP trap is not sent immediately.

Conditions:
-- Disable an interface.

Impact:
No alert or SNMP trap is sent when an interface is disabled. The trap is sent when the interface is re-enabled.

Workaround:
None

Fix:
Add a new "Interface disabled" event triggered when an interface is disabled. The "Interface up" and "Interface down" alerts changed to events.

1630273-8 : CVE-2023-4207 - Centos Security Update for kernel

Links to More Info: K000138693

1630253-9 : CVE-2023-4208 - Centos Security Update for kernel

Links to More Info: K000138693

1628557-1 : F5OS high memory usage when using snmp

Links to More Info: K000149820

1624449-4 : SNMP polling of coreTotal5minAvg causing timeouts and genErrors

Links to More Info: BT1624449

Component: F5OS-A

Symptoms:
While running an snmpwalk that includes coreTotal5minAvg, you may get a timeout or a general error:

 Timeout: No Response from 10.170.9.16

The general error occurs less frequently:

 Error in packet
 Reason: (genError) A general failure occured

Conditions:
-- snmpwalk a MIB that includes coreTotal5minAvg
-- The polling is done for CPUs that are not present

Impact:
Error in packet

 Reason: (genError) A general failure occurred

 Failed object: iso.3.6.1.4.1.12276.1.2.1.1.3.1.6.8.112.108.97.116.102.111.114.109.0

Workaround:
After the system starts, after about two minutes, platform-stats-bridge will log this log message:

msg="DB ready check done" NAME="SnmpCpuStatsHandler".

After that log message, you will be able to check coreTotal5minAvg.

Fix:
Modified code such that snmpwalk will not be executed for offline cpus

1621861-2 : F5OS Upgrade on optics-mgr-package installed device may result in mismatched OS and services★

Links to More Info: BT1621861

Component: F5OS-A

Symptoms:
If the optics-mgr package is installed on the system, performing a Live upgrade may lead to one of the following issues:

The system may continue running an older OS version after the upgrade attempt.

The OS and associated services may fail to upgrade properly.

Conditions:
Performing Live upgrade on a system with optics-mgr installed may result in failure in one of the upgrade steps and continues with the subsequent steps.

Impact:
The system may be completely inoperative, or the system may be running with different OS versions, which could lead to unknown problems.

Workaround:
To prevent the system from entering this state, ensure the following:

If the current OS version is below 1.5.3 and the Optics Manager package is installed, and you are planning to upgrade to version 1.5.3 or 1.8.x, follow these steps:

-> Uninstall the Optics Manager package before starting the upgrade.

-> Proceed with the OS upgrade to version 1.5.3 or 1.8.x.

-> Once the upgrade is complete, reinstall the Optics Manager package.

Note: Installing or uninstalling the optics-manager package triggers a system reboot for the changes to take effect.

1620513-2 : CVE-2024-38477 httpd: NULL pointer dereference in mod_proxy

Links to More Info: K000140784, BT1620513

1620077-1 : FDB entry port motion not working if new interface is a trunk/LAG

Links to More Info: BT1620077

Component: F5OS-A

Symptoms:
Immediately after a fail-over of traffic from one trunk/LAG to another, outbound traffic from the appliance or chassis to certain addresses may be interrupted for up to five minutes before recovering.

Conditions:
Switching traffic from one LAG to another on an appliance or chassis.

Impact:
Temporary disruption of tenant’s outbound traffic on an appliance or chassis system.

Workaround:
None

Fix:
Updated handling of FDB entry port motion to include cases with a trunk/LAG as the new interface.

1618989-1 : CVE-2023-45288 - HTTP/2 endpoint excessive header reading via CONTINUATION frames

Links to More Info: K000148640

1615917-5 : L2_agent crash due to SNMP★

Links to More Info: BT1615917

Component: F5OS-A

Symptoms:
After upgrading system, L2-agent crashes.

Conditions:
1. System running with older version (earlier then F5OS-C 1.8.0 or F5OS-A 1.8.0 or F5OS-C 1.5.3 )
2. Configure SNMP
3. Upgrade system
4. L2-agent will start crashing.

Impact:
L2-agent crashes and you are unable to do get/set operations for interfaces using ConfD interfaces.

Workaround:
None

Fix:
Fixed an issue causing l2-agent to crash after upgrade.

1614821-4 : CVE-2024-3596 - Blast-RADIUS

Links to More Info: K000141008, BT1614821

1614429-2 : iHealth upload is failing with error "certificate signed by unknown authority"

Links to More Info: K000140362, BT1614429

Component: F5OS-A

Symptoms:
When attempting to use the QKView upload feature, the upload may fail with the message "certificate signed by unknown authority". This is due to a recent change in certificate authority that is inconsistent between F5OS and iHealth.

Conditions:
Always, after mid-July 2024.

Impact:
Unable to upload QKView files to iHealth with a single click.

Workaround:
You can use the File Export feature to download QKView files, and then upload these files to iHealth.

You can find the QKView files in the GUI at System Settings > File Utilities, then choose "diags/shared" as the base directory, then select "qkview".

Fix:
Certificate authorities used by the iHealth upload feature in F5OS will be updated.

1607745-6 : Apache HTTPD vulnerabilities CVE-2024-38476, 2024-38474 and CVE-2024-38475

Links to More Info: K000140618

1598633-6 : CVE-2023-45288 - HTTP/2 endpoint excessive header reading via CONTINUATION frames

Links to More Info: K000148640

1596625 : BE2 GCI interface training failures during runtime results in failure to process networking traffic★

Links to More Info: BT1596625

Component: F5OS-A

Symptoms:
On particular rSeries appliances, one or more symptoms could occur during normal operation:
-- High availability stops working
-- Inbound traffic stops
-- Platform.log contains 'DM Tx Action ring hung'

This is similar to the symptoms in https://cdn.f5.com/product/bugtracker/ID1580489.html, except that this can be triggered during system operation.

Conditions:
-- rSeries r5000, r10000, or r12000-series appliance

This issue does not affect r2000 or r4000-series appliances.

Impact:
The system stops delivering traffic from front-panel ports to the host, although egress traffic may continue to work. If a LACP LAG is configured, ports will be unable to join the LAG.

Workaround:
There is no workaround for this issue.

If an appliance has already locked up, rebooting it might restore network connectivity.

If your system is running F5OS-A version 1.5.x, F5OS-A-1.5.2-29198.R5R10.EHF-4.iso is an Engineering Hot Fix (EHF) that contains a software fix, and is available at

https://my.f5.com/manage/s/downloads?productFamily=F5OS&productLine=F5OS_Appliance_Software&version=1.5.2&container=1.5.2-EHF

You can also upgrade to F5OS-A 1.8.0.

Fix:
New FPGA bitstreams stabilize the interface between the ATSE and BE2 chip.

1596149-4 : Monitor rSeries ATSE to BE2 links and Raise Alarms in the Event of Failures

Links to More Info: BT1596149

Component: F5OS-A

Symptoms:
Monitor rSeries ATSE to BE2 links and Raise Alarms in the Event of Failures

Conditions:
F5 rSeries r5000, r10000, or r12000-series appliance.

This update is not applicable to r2000 or r4000-series appliances.

Impact:
In cases where errors are detected between the ATSE and BE2 links, alarms and events will be reported.

Workaround:
None

Fix:
Monitor ATSE to BE2 links and raise alarms and report events when errors are detected.

1591645-2 : EPVA related dma-agent crash

Links to More Info: BT1591645

Component: F5OS-A

Symptoms:
A dma-agent seg_fault occurs when there is a conflict between special EPVA allow-list entries.

Conditions:
A conflict between two entries on the allow-list triggers a code path in the dma-agent and resulting in a seg_fault.

Impact:
Traffic loss as the dma-agent needs to be restarted by its watchdog/start up script. Tenants need to re-register with the datapath.

Workaround:
None

Fix:
This issue has been fixed by setting a THREAD local variable in the epva_tbl_mgmt thread, preventing a seg_fault when the edge case method is triggered.

1587837-4 : Memory leak in multiple components

Links to More Info: BT1587837

Component: F5OS-A

Symptoms:
A mishandling of memory allocation in the data provider callback library can cause memory allocation to grow over time. This memory usage growth can cause poor performance and the Out Of Memory (OOM) killer may kill components, causing outages.

Conditions:
If a data provider processes overlapping requests it can leak memory. The components most affected by this are the platform-stats, snmp-service, an L2 agent.

Impact:
Components may crash or get killed.

Workaround:
Monitor memory usage and periodically restart daemons that experience excessive memory growth. On a chassis system, a manual failover and the rebooting the standby controller will restart all daemons.

To minimize the occurrence of this leak, do not constantly poll for statistics, especially from multiple monitoring stations.

Fix:
The library has been fixed to no longer leak session data.

1585765-1 : Error message IDs for appliance-orchestration-manager are incorrect

Links to More Info: BT1585765

Component: F5OS-A

Symptoms:
The error message IDs found on a running system differ from the error message IDs found in the F5OS error catalog.

Conditions:
No specific conditions in the configuration of the system caused this issue.

Impact:
Makes it difficult to find the right information in the F5OS error catalog.

Workaround:
None

Fix:
This issue has been fixed and the error IDs now have the correct values in both the running system and the F5OS error catalog.

1579289-1 : Empty log message when interface changes state

Links to More Info: BT1579289

Component: F5OS-A

Symptoms:
An empty log message is logged:
appliance-1 nic-manager[1]: priority="Info" version=1.0 <msgid=> msg="Updating interface link state" <ifname=> <state=>. >>>>

The empty log message is reported after an interface oper-status changes from either UP/DOWN or DOWN/UP state

Conditions:
An interface is enabled or disabled in F5OS

Impact:
The log message does not report which interface's state changed.

Workaround:
None

Fix:
With the appropriate fix, the empty log is no longer reported

1577049-4 : CVE-2024-1086 - Linux kernel vulnerability

Links to More Info: K000139430, BT1577049

1575417-1 : Platform-diag-agent memory leak

Links to More Info: BT1575417

Component: F5OS-A

Symptoms:
Memory usage for the "platform-diag-agent" process may steadily increase over time.

Conditions:
This can happen when frequently requesting “system health components” from ConfD.

Impact:
The system may eventually run out of memory and affect all services on the system.

Workaround:
None

Fix:
Memory leak fixed. Consider reducing the request frequency. The system can also be rebooted to temporarily restore memory usage to normal levels.

1566569 : Unable to access rSeries system from 172.17.0.0/16 IP subnet

Links to More Info: BT1566569

Component: F5OS-A

Symptoms:
Unable to access the rSeries system from client or server systems in the 172.17.0.0/16 IP subnet

Conditions:
-- r5000-series, r10000-series, or r12000-series appliance

Impact:
Unable to access the rSeries system from client or server systems in the 172.17.0.0/16 IP subnet

Workaround:
To work around this issue, do the following:

1. Log into the system as root
2. If running F5OS-A 1.7.0, edit /var/docker/config/platform.yml. If running F5OS-A 1.5.2, edit /var/docker/config/platform.patch.yml.
3. In the specified file, locate the section for "selinux_labeler", and add a line under it that reads 'network_mode: "none"'. The indentation of this line must match exactly the indentation of the "container_name" and "image" lines.

For example:
  selinux_labeler:
    container_name: selinux_labeler
    network_mode: "none"
    image: ${...
    ...

4. Reboot the system.
5. Once the system is rebooted, log into the system as root, and run "docker network rm config_default"

1558797-1 : BMC self health test falsely logged as failed

Links to More Info: BT1558797

Component: F5OS-A

Symptoms:
The BMC self health test is randomly logged as having failed:

appliance-1 alert-service[8]: priority="Notice" version=1.0 msgid=0x2201000000000029 msg="Received event." event="65543 appliance aom-fault EVENT NA "Bmc Health Self test failed: Device-specific 'internal' failure." "2024-03-01 14:00:00.918553424 UTC"".

Conditions:
Checking the platform log

Impact:
BMC self health test is falsely logged as failed.

Workaround:
None

Fix:
This issue has been fixed and the BMC self health test no longer falsely logs a failure.

1497657-4 : First SSH login after editing remote RADIUS or TACACS+ user privileges will still apply old privileges

Links to More Info: BT1497657

Component: F5OS-A

Symptoms:
The first SSH login after editing role-based privileges for a remote RADIUS or TACACS+ user will still give the user their prior privileges (or, if the user is newly created, login will be rejected with a message saying "This account is currently not available"). Subsequent logins will apply the updated user privileges.

Conditions:
1. RADIUS or TACACS+ Authentication is enabled.
2. A new user is created in one of the above auth systems, or an existing user’s role-based access is modified.
3. The affected user SSHs into F5OS for the first time after the change in step #2.

Impact:
First login to system after creation fails, or first login after modification of user privileges gives the user incorrect privileges.

Workaround:
None

Fix:
Fix issue where first SSH login after editing remote RADIUS or TACACS+ user privileges will still apply old privileges.

1496977-1 : Remote GID mappings to F5OS roles are disconnected for TACACS+/RADIUS authentication methods.

Links to More Info: BT1496977

Component: F5OS-A

Symptoms:
Remote GID mappings (on a TACACS+ or RADIUS server) to F5OS GIDs/roles are not working correctly. When attempting to configure a remote mapping, it results in the access rejection with a message similar to below:

[root@system ~]# ssh radius_or_tacacs_user@<F5OS system mgmt IP>
Password:
Last login: <date> from <source IP>
No valid role group found in user groups: '9000'
Connection to <mgmt IP> closed.

Conditions:
A remote GID mapping is configured for a role in F5OS and the authentication method used for remote users is RADIUS or TACACS+.

Impact:
Remote users cannot log in to the system.

Workaround:
Configure remote user's GIDs in a way that they correspond to the GIDs in F5OS for the desired role(s). Then, remove any remote GID mappings in the F5OS configuration.

Fix:
Fixed remote GID mapping to F5OS roles for TACACS+/RADIUS authentication methods.

1496837 : User-manager's ConfD socket getting closed.

Links to More Info: BT1496837

Component: F5OS-A

Symptoms:
After repeating the change of network type and device reboot, the device goes into a state where the user-manager is not interacting with ConfD.

Conditions:
- Change remote GID role and check '/etc/gid-map.txt' file if the value is reflected.
- Switch network type and reboot the device.

Repeat the above process until '/etc/gid-map.txt' file is not been updated correctly.

Impact:
Any ConfD configuration change that goes through user-manager fails. This includes any of the user’s password changes, or remote GID changes.

Workaround:
Rebooting the system will get the correct GID value from the ConfD and update the '/etc/gid-map.txt' file.

Fix:
The user-manager has no reason to use NSS to lookup any PW/group info, as it deals exclusively with the local user database.

Additionally, there is a ZMQ service that belongs in authentication-mgr (which understands remote authentication) that is in the user-manager container. It forces user-manager to use an ‘/etc/resolv.conf’ that can reference remote sources.

If the user-manager trips over a lookup that goes to LDAP (usually a local-db miss), it can be very slow and time out. The ConfD->user-manager channel is sensitive of slow responses, and shuts down subscriber/callpoint handler/daemon that takes over 15 to 30 seconds to respond. When this happens, the user-manager is going to see an EOF on its ConfD sockets.

This fix forces the user-manager to only lookup on local databases.

1495337-2 : FIPS Password Initialization Failure with Special Characters

Links to More Info: K000154661

1492621 : Config-restore fails when backup file has expiry-status field for admin or root user

Links to More Info: BT1492621

Component: F5OS-A

Symptoms:
For a root or admin user, if the value for Expiry-status in the backup file is not set to enabled, then config-restore fails.

Conditions:
During backup, if the "Expiry-status" value for admin or root user is not set to enabled, then restore fails with the backup.

Impact:
Database config-restore fails.

Workaround:
For admin and root user, comment expiry-status, expiry-date in the backup file and try to restore.

Fix:
Added NACM rules in ConfD for successful config-restore.

1490753-1 : A linkUp and linkDown traps are sent when an up interface is disabled, and vice versa

Links to More Info: BT1490753

Component: F5OS-A

Symptoms:
When F5OS system is configured with SNMP Targets for managing the Trap notifications, linkUp and linkDown traps will be sent when interface state is toggled.

Conditions:
Always two traps (linkUp and linkDown) will be sent even when the interface state is toggled from UP to DOWN or DOWN to UP.

Impact:
No functional impact, but when two traps are sent, the interface state over SNMP can be misleading.

Workaround:
None

Fix:
The appropriate trap, that is, linkDown trap when F5OS interface state is down and linkUp trap when F5OS interface state is up, will be sent.

1486697-1 : Configuring Expiry-status of root and admin users should not be allowed

Links to More Info: BT1486697

Component: F5OS-A

Symptoms:
Expiry-status of root and admin users are allowed to be configured and there is a chance of locking out these users.

Conditions:
If Expiry-status of any root or admin user is marked as Locked, that root or admin user cannot log in to the system.

Impact:
There is a chance that default users, such as root and admin, become locked out.

Workaround:
None

Fix:
You cannot edit the ‘Expiry-status’ field in webUI for admin and root users. Thus, it cannot be configured. The 'Expiry-status' field for root and admin users will now always display the default value as 'Enabled'.

1469925-1 : Timezone changes are not reflected in the log messages until the hardware is rebooted

Links to More Info: BT1469925

Component: F5OS-A

Symptoms:
After configuring timezone, /var/log/messages are logged with old timezone till the hardware is rebooted.

Conditions:
Configure timezone from ConfD and verify /var/log/message.

Impact:
The log messages are logged with old timezone.

Workaround:
After configuring timezone, rebooting the hardware resolves the issue.

Fix:
Added code changes to reflect the new timezone changes in /var/log/messages without rebooting the hardware.

1469385-1 : GUI freezes during LDAP user authentication if no remote GID mapped locally.

Links to More Info: BT1469385

Component: F5OS-A

Symptoms:
The LDAP remote user authentication freezes for a long time (more than a minute).

Conditions:
When trying to authenticate a remote LDAP user through the GUI without mapping any of the remote user GIDs to the F5OS local roles.

Impact:
Authentication freezes for a long period before rejecting the user.

Workaround:
One of the remote GIDs should be mapped to the local F5OS roles.

Fix:
Map the remote GID(s) to the F5OS role(s) to authenticate remote LDAP users successfully.

1466397-2 : LDAP authentication is consuming several minutes to authenticate via GUI and SSH.

Links to More Info: BT1466397

Component: F5OS-A

Symptoms:
LDAP authentication is working fine. However, authentication takes several minutes, which lacks a user-friendly experience.

Conditions:
- Configure LDAP server-group.
- Configure LDAP_ALL as an authentication-method.
- Log in using LDAP user via GUI or SSH.

Impact:
The user is forced to wait for several minutes to get the result of LDAP authentication.

Workaround:
None

Fix:
Removed unnecessary GID lookup to speed up LDAP authentication.

1441505 : iHealth upload client may fail if ConfD database is offline.

Links to More Info: BT1441505

Component: F5OS-A

Symptoms:
If the ConfD service goes offline when migrating primary key, executing the iHealth upload commands (for example, show system diagnostics ihealth), and in the event of performing any other activity, then the iHealth service may generate a core file.

Conditions:
If the ConfD service goes offline when migrating primary key, executing the iHealth upload commands (for example, show system diagnostics ihealth), and in the event of performing any other activity, then the iHealth service may generate a core file.

Impact:
A core file may be generated.

Workaround:
The iHealth client will restart if it cores. Repeat the iHealth commands after the ConfD database is up and running.

Fix:
Hardening is added in the iHealth client to avoid generating a core file in certain events.

1441425-1 : The rSeries appliance log shows "PSU voltage out value < lower limit, value=0".

Links to More Info: BT1441425

Component: F5OS-A

Symptoms:
The following message appears in the logs:
66305 psu-1 psu-fault EVENT Network Access "PSU voltage out value < lower limit, value=0" "2023-12-08 09:00:00.900082135 UTC".

Conditions:
The conditions that trigger this issue are unknown at this time.

Impact:
Users see several "PSU voltage out value < lower limit, value=0" logged messages, which could be falsely reported.

Workaround:
None

Fix:
None

1441333-1 : Rasdaemon memory leak

Links to More Info: BT1441333

Component: F5OS-A

Symptoms:
Rasdaemon will increase in size when excessive (>10000) MCE memory error events occur and may lead to system instability.

Conditions:
Likely due to memory hardware resulting in MCE errors

Impact:
System instability

Workaround:
Rebooting could be a temporary work-around if MCE rate is excessive.

Fix:
Rasdaemon version is upgraded in the current F5OS release.

1437765 : Restoration of system configuration database may fail if admin user was previously modified

Links to More Info: BT1437765

Component: F5OS-A

Symptoms:
The restoration of the System Configuration Database fails with this error:
appliance-1(config)# system database config-restore name config_database1 proceed yes
Error: access denied
Database config-restore failed.

Conditions:
In F5OS-A 1.5.1, the expiry status of the ‘admin’ user has been modified even before the System Configuration Database is saved and restored on the device that is currently installed after RMA/factory or F5OS clean install.

Impact:
Unable to restore the System Configuration Database.

Workaround:
1. In F5OS-A 1.5.1, it is recommended not to lock or modify the expiry status of the ‘admin’ user on the RMA/factory or clean installed appliance. If modified, enable the user before taking the backup.
2. Edit the System Configuration Database backup file. For the admin and root user, remove the next line which is highlighted by the arrow, then restore the configuration using the modified file:
           <username>admin</username>
           <config>
             <username>admin</username>
             <password><REMOVED></password>
             <last-change>0</last-change>
             <expiry-date>-1</expiry-date>
             <role>admin</role>
             <expiry-status>enabled</expiry-status> <---

1436373 : iHealth upload not supported on F5OS-A

Links to More Info: BT1436373

Component: F5OS-A

Symptoms:
The iHealth upload service has changed its authentication schema to OKTA, and requires a Client ID and Client Secret rather than a User ID and Password. Version 1.5.1 (and previous versions) of F5OS-A do not support this authentication schema.

Conditions:
Always

Impact:
Users will not be able to directly upload QKView files to iHealth from the appliance because of change in the authentication schema.

Workaround:
1. Use the file export feature to download the QKView from the appliance to a local PC.
2. Sign on to ihealth.f5.com.
3. Use the upload feature to upload the QKView to the iHealth service.

Fix:
Added Client ID and Client Secret in the iHealth page on webUI. User can upload QKView files to iHealth.

1436153-1 : F5OS upgrades fail when SNMP configuration contains special characters.

Links to More Info: BT1436153

Component: F5OS-A

Symptoms:
As part of some security fixes, added a special character restriction in SNMP configuration in F5OS-A 1.5.1. This resulted in an upgrade failure to 1.5.1. If an upgrade to 1.5.1 is successful, the SNMP configuration will get deleted implicitly.

Conditions:
Upgrade to 1.5.1 fails when the SNMP configuration contains any special characters. The restricted special characters are: /*!<>^,/

Impact:
If the user encounters this issue, the system will go to an inaccessible state and require a forced downgrade.

Workaround:
Delete the SNMP configuration (community, target, or user) containing special characters before performing an upgrade to 1.5.1.

Fix:
The special characters in the SNMP configuration do not inject any security issues and can have special characters. Hence, the special characters restriction is removed in F5OS-A 1.5.2 and F5OS-A 1.8.0.

1429721-1 : SCP as non-root user does not report errors correctly for bad/non-existent files.

Links to More Info: BT1429721

Component: F5OS-A

Symptoms:
Using SCP to retrieve files from F5OS as "admin" or other non-root users should report a proper error when attempting to access an invalid directory or non-existent file.

Instead, the SCP command does nothing, reports no error, and exits with an on-zero exit status.

Conditions:
Attempt to read a non-existent/inaccessible file via SCP.

Impact:
The user is not informed about the failed SCP operation and the reason for the failure.

Fix:
SCP server software now reports errors the invalid/inaccessible filenames.

1397145-2 : Unable to add blade to Openshift cluster if VELOS partition root password is expired or locked

Links to More Info: BT1397145

Component: F5OS-A

Symptoms:
If a VELOS partition root password is expired or locked, the system may be unable to add the blade to the Openshift cluster (or manage the cluster).

The "show cluster" command output will report that a blade is reachable ("able to ping"), but will not be able to connect to it ("able to SSH"):

                                                          ABLE ABLE
                                        IN READY TO TO PARTITION
INDEX NAME INSERTED CLUSTER CLUSTER PING SSH STATE LABEL
--------------------------------------------------------------------------------------------------
1 blade-1.chassis.local true false false true false Not In Cluster
2 blade-2.chassis.local true false false true false Not In Cluster
3 blade-3.chassis.local true false false true false Not In Cluster

Conditions:
-- VELOS partition
-- root account in partition is expired or locked

Impact:
- Blade will not join Openshift cluster.
- Unable to deploy Tenants to blade.

Workaround:
Re-enable the root user account for the partition:

system aaa authentication users user root config expiry-status enabled

1393269-1 : Error log: "PINGLOOP Failed to ssh to 127.0.0.1"

Links to More Info: BT1393269

Component: F5OS-A

Symptoms:
"PINGLOOP Failed to ssh to 127.0.0.1" logged in platform.log by Appliance Orchestration Manager.

Conditions:
1. root user locked with expiry status set to "locked".
2. Appliance rebooted after locking root user.

Impact:
Internal processes relying on root user may malfunction.

Workaround:
Avoid locking the root user account by not setting the expiry status to "locked".
Use appliance mode for root user lockdown.

1388945-1 : Fan speed randomly shows as '0'.

Links to More Info: BT1388945

Component: F5OS-A

Symptoms:
The fan speed is randomly and incorrectly reported as '0'.

Conditions:
Checking the sensors using GET:bmc/sensors.

Impact:
The fan speed is reported as '0'.

Workaround:
None

Fix:
This issue has been fixed, and the fan speed no longer randomly reports as '0'.

1388745-1 : Large numbers of platform-hal errors logged in platform.log: "Requested Sensor, data, or record not present."

Links to More Info: BT1388745

Component: F5OS-A

Symptoms:
The platform-hal service is intermittently logging a large number of messages similar to the following in platform.log:

appliance-1 platform-hal[8]: priority="Err" msg="Action Error" index=0 message="Requested Sensor, data, or record not present." interface="job-665402" actionKey="GET:lop/pel" jobId=665402

There may be tens of thousands of log messages in some cases.

Conditions:
The conditions that trigger this issue are unknown at this time.

Impact:
The platform.log file becomes filled up with many of these log messages, and they must be filtered out to review the logs effectively.

Workaround:
None

Fix:
None

1388477-2 : Default GID group mapping authorized even when GID mapped to different group ID

Links to More Info: K000139503, BT1388477

1381225-5 : CVE-2023-39325 - HTTP/2 rapid reset

Links to More Info: K000152389

1381205-4 : CVE-2023-39325 - HTTP/2 rapid reset

Links to More Info: K000152389

1381177-3 : CVE-2023-39325 - HTTP/2 rapid reset

Links to More Info: K000152389

1381109-2 : WS-2022-0322 - d3-color 2.0.0 package

Component: F5OS-A

Symptoms:
Versions of d3-color prior to 3.1.0 are vulnerable to a Regular expression Denial of Service.

Conditions:
N/A

Impact:
F5OS-A 1.8.0 may be affected by WS-2022-0322

Workaround:
N/A

Fix:
d3-color has been upgraded to an unaffected version.

1379845-1 : CVE-2023-3341:bind: stack exhaustion in control channel code may lead to DoS

Links to More Info: K000137582, BT1379845

1379625-4 : Changing the max-age attribute in password policy is not reflecting immediately

Links to More Info: BT1379625

Component: F5OS-A

Symptoms:
Even after setting max-age value (maximum age, in days, after which password will be expired) less than 7 days, the warning for password expiration is not displaying at the time of next login.

Conditions:
Set max-age attribute to less than 7 (days) and check if password expiration warning is prompted at the time of next login.

Impact:
Password expiration feature is not working as expected.

Workaround:
N/A

Fix:
Fix is provided to sync the max-age value, updated from ConfD CLI, with the user's password expiration attribute in the /etc/shadow on the system.

1378805-4 : Error occurs when changing LAG type for an existing LAG interface on webUI

Links to More Info: BT1378805

Component: F5OS-A

Symptoms:
On the webUI, if a LAG type changes from LACP, an error displays when that LAG type changes back to LACP.

Conditions:
The error occurs when attempting to change the LAG type on an existing LAG interface to a previously used type.

(i.e. Creating a LAG interface with type LACP, changing that type to Static, and then changing it back to LACP)

Impact:
This issue does not affect functionality; however, an unnecessary "Object Already Exist" error pop-up appears.

Workaround:
To avoid the pop-up, change the LAG type to LACP using the CLI in this scenario.

Fix:
Changing the LAG type on an existing LAG interface to a previously used type no longer triggers an error pop-up on the webUI.

1378313-3 : CVE-2020-22218: libssh2: use-of-uninitialized-value in _libssh2_transport_read

Links to More Info: K000138219, BT1378313

1366337-2 : Adding a system raid drive fails after successful removal

Links to More Info: BT1366337

Component: F5OS-A

Symptoms:
If the system is set up using bare-metal installation of F5OS-A 1.5.1, the user will not be able to add a SSD after removing an existing SSD from RAID.

Conditions:
The system must have been bare-metal installed using F5OS-A 1.5.1.

Impact:
User is unable to remove/add SSD into RAID.

Workaround:
N/A

Fix:
SSD can be added and removed from RAID.

1365985-2 : GID role mapping may not work with secondary GID

Links to More Info: BT1365985

Component: F5OS-A

Symptoms:
When a user in an external authentication system (LDAP, Radius, TACACS) is given a GID for an F5 role, and that GID is a secondary GID, the role assignment may not be discovered. This would result in the inability to access the system or be able to configure the system for that user.

Conditions:
- User in an external authentication system (LDAP, Radius, TACACS)
- GID corresponding to F5 role is a secondary GID (for example, it is not the user's default GID, rather a GID from a group to which the user belongs)

Impact:
Inability to log into the system, or inability to configure the system for the user in question.

Workaround:
The GID for the desired role should be the GID directly mapped to the user in the external authentication system (for example, in LDAP, the gidNumber on the user object should be the F5 role GID), rather than a secondary GID (for example, in LDAP, the gidNumber on a group of which the user is a member).

Fix:
All GID role mappings are properly considered when discovering role assignments for users in external authentication systems.

1365821-2 : Traffic loss of 5-10 seconds after disable/enable of LACP Lag member on r5000/r10000

Links to More Info: BT1365821

Component: F5OS-A

Symptoms:
Disabling and then re-enabling a LACP Lag member can result in traffic loss of up to 10 seconds on r5000/r10000 platforms.

Conditions:
Disable then re-enable LACP Lag member on r5000/r10000 platforms.

Impact:
Traffic loss lasting up to 10 seconds.

Workaround:
N/A

Fix:
Don't hold a mutex while processing the set of links to initialize. Make a copy of the links and release the mutex instead.

1360905-3 : Unexpected log messages in /var/log/boot.log post-integrity recovery

Links to More Info: BT1360905

Component: F5OS-A

Symptoms:
Users may observe the following inappropriate log message in /var/log/boot.log after recovering from integrity failure:

Sep 28 08:45:08 appliance-1 journal: FIPS Integrity Check: This system has been placed in an error state. Try to recover the system using /usr/libexec/ostree_recover utility or reinstall the system. On many devices pressing the escape key followed by '(' key will bring up a menu that allows the system to be restarted.

Conditions:
The integrity failure occurs when the device is in FIPS mode, and a user alters or removes a file, subsequently executing an on-demand integrity test or a boot-up integrity test.

Impact:
There are no noticeable performance issues or anomalies associated with these log messages, and the issue does not affect the overall system performance or user experience. There are no potential risks or security concerns related to the inappropriate log messages.

Workaround:
N/A

Fix:
The code has been modified to provide more user-friendly log messages.

1359897-2 : rSeries link down events can be missed

Links to More Info: BT1359897

Component: F5OS-A

Symptoms:
The rSeries platform can occasionally fail to detect a link going down due to the removal of the cable.

Conditions:
Remove fiber optic cable.

Impact:
Links that are DOWN stay operationally UP. This can lead to erroneous LACP and/or LAG state.

1355277-4 : Incorrect Vlan Listeners when a Static FDB is configured

Links to More Info: BT1355277

Component: F5OS-A

Symptoms:
When a Static FDB is configured on an interface, Vlan Listeners associated with that interface will have an extra Service ID configured for Service ID 1.

Conditions:
A Static FDB is configured on an interface.

Impact:
Extra broadcast traffic will be generated on the system, which could affect performance.

Workaround:
N/A

Fix:
N/A

1354341-3 : Changing a VLAN from trunked (tagged) to native (untagged) on a LAG in a single transaction can cause traffic outage

Links to More Info: BT1354341

Component: F5OS-A

Symptoms:
Traffic outage after changing a VLAN assigned to a LAG from Trunk to Native in a single commit.

Conditions:
Changing a VLAN assigned to a LAG from Trunk to Native in a single commit.

Impact:
Traffic outage.

Workaround:
First remove the Trunk VLAN from the LAG, then commit the change. Then add the Native VLAN to the LAG and commit the change.

1352449-7 : iHealth upload is failing with error "certificate signed by unknown authority"

Links to More Info: BT1352449

Component: F5OS-A

Symptoms:
When attempting to use the QKView upload feature, the upload may fail with the message "certificate signed by unknown authority". This is due to a recent change in certificate authority that is inconsistent between F5OS and iHealth.

Conditions:
Always, after mid-September 2023.

Impact:
Unable to upload QKView files to iHealth with a single click.

Workaround:
Users may use the File Export feature to download QKView files to their PCs, and then upload those files to iHealth.

You can find the qkview files in the GUI at System Settings :: File Utilities, then choose "diags/shared" as the base directory, then select "qkview".

Fix:
Certificate authorities used by the iHealth upload feature in F5OS will be updated.

1352421-2 : L2 services (LACP/LLDP) are down on r2000 and r4000 series appliances

Links to More Info: BT1352421

Component: F5OS-A

Symptoms:
LLDP and LACP will appear to be non-functional on the F5OS system.

LLDP/LACP PDUs reach the F5OS system, which can be verified with tcpdump.

Conditions:
-- r2000 and r4000 series appliances.
-- LLDP or LACP is configured.
-- Links are up.

Impact:
L2 protocols fail to negotiate or register inbound data.

Workaround:
Reboot.

1351529-2 : Fixing the log issue stating "UNSUPPORTED STP state" when STP global is configured

Links to More Info: BT1351529

Component: F5OS-A

Symptoms:
A log message appears, stating "UNSUPPORTED STP state" when STP global is configured to RSTP.

Conditions:
Removing the global config (initially set to STP) and setting it to RSTP.

Impact:
Reliable and correct log messages.

Workaround:
NA

1349465-4 : Partition s/w upgrade compatibility check doesn't use correct target version

Links to More Info: BT1349465

Component: F5OS-A

Symptoms:
When performing the partition database compatibility upgrade check (check-version/set-version), the check logic does not always use the correct target version. This potentially can cause the compatibility check to pass, but the actual database upgrade can fail and automatically roll back.

Conditions:
When the target partition version is a patch release (such as 1.5.1, 1.6.1), the compatibility check will use the wrong (base release) version.

Impact:
The check-version/set-version database compatibility check might pass even though the actual upgrade would fail.

Workaround:
Upgrade the controller s/w to version F5OS-C 1.6.1 or later prior to attempting upgrade to a partition patch release.

Fix:
The controller OS services uses the correct partition patch version for the compatibility check.

1348297-4 : CVE-2020-15113, CVE-2020-15114, CVE-2020-15115 - etcd Vulnerabilities

Component: F5OS-A

Symptoms:
CVE-2020-15113: A flaw was found in etcd where Certain directory paths are created with restricted access permissions (700) by using the os.MkdirAll. This function does not perform any permission checks when a given directory path exists already.

CVE-2020-15114: A flaw was found in etcd, where the etcd gateway is a simple TCP proxy that allows basic service discovery and access. However, it is possible to include the gateway address as an endpoint. This issue results in a denial of service since the endpoint can become stuck in a loop of requesting itself until there are no more available file descriptors to accept connections on the gateway. The highest threat from this vulnerability is to system availability.

CVE-2020-15115: A flaw was found in etcd, where it does not perform any password length validation, which allows for very short passwords, such as those with a length of one. This flaw allows an attacker to guess or brute-force users' passwords with little computational effort. The highest threat from this vulnerability is to confidentiality.

Conditions:
NA

Impact:
May lead to unauthorized system access, bypass of security mechanisms, or denial of service.

Workaround:
NA

Fix:
Removed unused etcd packages from F5OS

1348189-4 : CVE-2020-13790 libjpeg-turbo: heap-based buffer over-read in get_rgb_row() in rdppm.c

Component: F5OS-A

Symptoms:
libjpeg-turbo 2.0.4, and mozjpeg 4.0.0, has a heap-based buffer over-read in get_rgb_row() in rdppm.c via a malformed PPM input file.

Conditions:
N/A

Impact:
It can cause heap buffer over-read leading to crashes, denial of service, or potential information disclosure

Workaround:
N/A

Fix:
heap buffer over-read has been resolved

1338521-2 : Unable to login when accessing F5OS GUI through a network proxy on a port other than 443.

Links to More Info: BT1338521

Component: F5OS-A

Symptoms:
Users are not able to log in to the UI when trying to access F5OS GUI through a network proxy running on a port other than 443.

Conditions:
GUI should be accessed via a network proxy running on a port other than 443.

Impact:
Users are not able to log in to the GUI.

Workaround:
None

Fix:
After the fix, GUI now reads the port along with the hostname from the URL and can use the port in making API calls (including login API calls).

1332997-2 : Device stuck at "unmounting containers" after performing reboot

Links to More Info: BT1332997

Component: F5OS-A

Symptoms:
When we open the console session of any tenant on F5OS-A using virtctl console <tenant_name>.

when you reboot the system, during reboot sometimes the system might end up in "unmounting containers"

Conditions:
Open the console session to any of the tenants using virtctl utility and reboot the system.

Impact:
After rebooting, system takes time to fully start up.

Workaround:
Power off and on the system whenever the issue is hit.

Fix:
Fixed the issue related to device stuck at unmounting containers after the reboot.

1332781-4 : A remote user with the same username as the local F5OS user will be granted the local user's roles

Links to More Info: BT1332781

Component: F5OS-A

Symptoms:
If you create a remote user on the RADIUS, TACACS+, or LDAP servers with the same username as a local F5OS user, the remote user will be granted the local user's roles upon authentication.

Conditions:
A remote user is created with the same username as a local user and remote authentication is enabled.

Impact:
Remote user will take the local user's privileges.

Workaround:
Do not create a remote user with the same username as the local user. If you have created already, change the username for either the local user or the remote user.

Fix:
If a remote user is created with the same username as a local user, the remote user's authentication will be rejected. Only the local user will have access to the F5OS system.

1330717-2 : LLDP neighbors are not getting discovered

Links to More Info: BT1330717

Component: F5OS-A

Symptoms:
When a user configures LLDP at one time, the LLDP details will not show up.

Conditions:
Configure LLDP interfaces at one time.

Impact:
The "show lldp" command will not show neighbor details even if the interfaces/ports are connected to a peer switch.

Workaround:
The issue arises when all LLDP interfaces are configured at one time. However, if the LLDP interfaces are disabled and then enabled one by one, the issue is generally not observed.

Fix:
Fixed an issue with LLDP neighbors not getting discovered

1329161-3 : In non-FIPS mode, added support for the SSH-RSA host key algorithm

Links to More Info: BT1329161

Component: F5OS-A

Symptoms:
Not able to establish an SSH connection using the SSH-RSA host key algorithm in non-FIPS mode.

Conditions:
Connect to the device from the SSH client using the SSH-RSA host key algorithm in non-FIPS mode.

Impact:
The SSH connection to the device could not be established.

Workaround:
None

Fix:
Added SSH-RSA host key algorithm support in non-FIPS mode.

1328977-1 : Appliance_orchestration_manager free invalid pointer error and restart

Links to More Info: BT1328977

Component: F5OS-A

Symptoms:
Appliance Orchestration Manager fails, leading to a restart of the docker container. A core can also occur.

In /var/log/messages you see this log:

appliance-1 omd_container.sh: *** Error in `/usr/bin/appliance_orchestration_manager': free(): invalid pointer: 0x00007facdc017f10 ***

Conditions:
There are no preconditions. It is happening to memory corruption in the systems. The issue is not consistent.

Impact:
OMD restarts; this will not generally disturb the tenant's functionality.

Workaround:
None

Fix:
Fixed the issues related to memory corruptions in the appliance Orchestration Manager.

1328729 : Slow memory leak when processing tenant telemetry

Links to More Info: BT1328729

Component: F5OS-A

Symptoms:
The system will eventually run out of memory. Up until the point of service restart, the memory utilization will negatively impact running tenants, causing potential memory allocation errors.

Conditions:
When a BIG-IP tenant version </= 15.1.7 is running.

Impact:
Excessive memory utilization will impact operational performance of the F5OS and tenants.

Workaround:
The mitigation is to update a BIG-IP tenant version to 15.1.8 or newer, or to update to F5OS 1.5.1.

1328405-2 : F5OS system stopped generating tmstat snapshots

Links to More Info: BT1328405

Component: F5OS-A

Symptoms:
The F5OS system is not generating the tmstat snapshots, which helps us in diagnosing issues.

Conditions:
System is running an affected version of F5OS software (F5OS-A 1.2.0 and above, or F5OS-C 1.6.0 and above).

Impact:
Impacts the supportability of the device; the support teams usually rely on the snapshots while working on field issues.

1327701-4 : Space in SNMP community/user/target name causing snmpd container restart

Links to More Info: BT1327701

Component: F5OS-A

Symptoms:
When there is a space in any SNMP community/user/target name configuration, this will cause an F5OS snmpd service restart.

Conditions:
When there is a space in an SNMP community/user/target name configuration.

Impact:
F5OS snmpd restarts.

Workaround:
Reconfigure the SNMP community/user/target without a space in the name.

Fix:
Added a space restriction in SNMP community/user/target name configuration so the user can no longer configure with a space.

1327689-2 : Manually remove root and user keys before entering Appliance Mode

Links to More Info: K000140574, BT1327689

1327137-1 : Interfaces take longer than expected to come up

Links to More Info: K000138753, BT1327137

Component: F5OS-A

Symptoms:
-- Interfaces take longer than expected to be marked UP (40+ seconds)
-- LACP status remains down until the interfaces are marked UP

Conditions:
-- rSeries appliance
-- F5OS-A
-- 100G interfaces

Impact:
For SFP/QSFP interfaces:
-- 25G/10G interfaces take over 10 seconds to be marked UP
-- 100G interfaces take 30+ seconds to be marked UP.

Workaround:
None

1326837 : Using UI, unable to configure the account expiry date for the user as the request is not delivered to the backend.

Links to More Info: BT1326837

Component: F5OS-A

Symptoms:
Even if the user account is locked using GUI, the authentication is successful for the current user account.

Conditions:
Unable to configure the locking of a user account in the backend.

Impact:
The user account is not locked thus enabling successful authentication.

Workaround:
Added expiry-status to ConfD and UI to define an expiry date for a specific user account with "enabled", "locked", or <string>[YYYY-MM-DD] value.

Or Add expiry-status in ConfD instead of UI to configure expiry of any user account except Admin or Root user account.

Fix:
Added expiry-status to configure expiry of any user account.

1326725-4 : Unable to generate SNMP Trap for IPV6

Links to More Info: BT1326725

Component: F5OS-A

Symptoms:
Generating SNMP traps for IPv6 is not working.

Conditions:
1. Configure SNMP traps for an IPv6 address:

appliance-1# show system snmp
system snmp engine-id state engine-id 80:00:2f:f4:03:00:94:a1:38:33:02
system snmp engine-id state type mac
system snmp state port 5000
system snmp targets target v1_target
 state name v1_target
 state community c1
 state security-model v1
 state ipv6 address 2620:128:e8:49:f816:3eff:fe9:248e
 state ipv6 port 5011
            SECURITY
NAME NAME MODEL
----------------------
c1 c1 [ v1 ]


2. Try to collect SNMP traps on targeted system:

[root@testvm ~]# snmptrapd -Lof 2620:128:e008:4009:f816:3eff:fe09:248e:5011
NET-SNMP version 5.7.2

Impact:
SNMP traps for IPv6 addresses won't work.

Workaround:
N/A

Fix:
We corrected the code for generating SNMP traps for IPv6 addresses.

1326541-2 : In r2000 and r4000 systems, alarm LED is not set when there are alerts raised in the system

Links to More Info: BT1326541

Component: F5OS-A

Symptoms:
When system has any alarm, alarm LED will not be set, and diag-agent is not clearing all the alarms during the boot up.

Conditions:
Applicable for r2000 and r4000 systems.

Impact:
Alarm LED will not be set when system generates any alarm, and diag-agent will not clear all the alarms during the boot up.

Workaround:
When system generates alarms, they can be seen using ConfD.

Fix:
When system generates any alarm, alarm LED will be set and diag-agent will clear all the alarms while during the system boot up.

1326157-2 : Observed multiple containers restarting and cores generating after PXE installation

Links to More Info: BT1326157

Component: F5OS-A

Symptoms:
As a result of "permission denied" errors, some containers begin crashing after a PXE installation. Core files are also generated.

Conditions:
Seen due to a timing issue after PXE installation. Some containers come up before they can be supported.

Impact:
Containers crash or functionality is impacted. Core files are generated.

Workaround:
Modify the /var/docker/config/platform.yml with information below:

+ selinux_labeler:
+ container_name: selinux_labeler
 + image: +${platform_services_registry}/system_network:1.4.14
+ volumes:
+ - /var/F5/system:/var/F5/partition:z
+ labels:
+ f5.service.type: "system"

 identifier:
    container_name: system_latest_vers
    image: ${platform_services_registry}/system_network:1.4.14
+ depends_on:
+ - selinux_labeler

Then, restart the platform-services-deployment.service.

Fix:
Containers should not be crashing after a PXE installation now. No core files should be generated.

1324737-1 : The output of the command "ethtool --show-priv-flags" on all interfaces needs to be collected in QKView

Links to More Info: BT1324737

Component: F5OS-A

Symptoms:
Before, output from the command "ethtool --show-priv-flags" was not being collected in QKView for any of the interfaces.

Conditions:
The user generates a QKView file. The output of the command "ethtool --show-priv-flags" is missing in the 'Commands' section of the QKView.

Impact:
Having access to this command's output will help to identify if the 'vf-true-promisc-support' flag is SET/UNSET. This additional information can help the support team debug issues.

Workaround:
N/A

Fix:
Output for the command "ethtool --show-priv-flags" is now collected for each interface in the 'Commands' section of QKView.

1322817-4 : BIND vulnerability CVE-2023-2828

Links to More Info: K000135312, BT1322817

1320637-3 : DMA Agent crash after SEP file mapping error

Links to More Info: BT1320637

Component: F5OS-A

Symptoms:
When DMA Agent is unable to map the SEP block for a newly deployed tenant it may crash during shutdown.

Conditions:
Insufficient resources to deploy the tenant.

Impact:
The crash occurs on shutdown, it has no impact.

Workaround:
None

Fix:
DMA Agent does not crash after a SEP mapping failure.

1317793-1 : F5OS qat-support-pod service crashed with SIGBUS error

Links to More Info: BT1317793

Component: F5OS-A

Symptoms:
Sometimes, a script inside qat-support-pod cannot handle when it gets a SIGBUS signal.

Conditions:
Intermittently seen without any specific conditions.

Impact:
No functional impact, only a core file gets generated.

Workaround:
N/A

Fix:
We haven't seen this issue since the fix went in. However, since there isn't a specific use case to repro, the exact scenario can't be tested.

1316097-3 : LAGs not programmed when adding VLAN to LAG

Links to More Info: BT1316097

Component: F5OS-A

Symptoms:
Traffic from a LAG is not reaching the tenant.

Conditions:
1) Add a VLAN to a LAG and add that VLAN to a tenant in the same commit.

2) Configuration read following blade reboot.

Impact:
LAGs are not programmed; traffic doesn't reach tenant.

Workaround:
Workaround for condition (1): Add the VLAN to the LAG, commit; then add the VLAN to the tenant.

Fix:
Fix usage of mutexes to prevent deadlock with LAG programming is happening in parallel with VLAN programming.

1315149-4 : Users authenticated via TACACS+ cannot log in via serial console

Links to More Info: BT1315149

Component: F5OS-A

Symptoms:
If remote authentication is configured to use TACACS+, users authenticated via TACACS+ cannot log in via the system serial console.

SELinux errors in /var/log/audit/audit.log similar to the following:

type=AVC msg=audit(1691528610.427:121): avc: denied { name_connect } for pid=13249 comm="login" dest=49 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0

Conditions:
-- TACACS+ remote authentication.
-- Attempting to log in to system via serial console.

Impact:
Only locally-defined users can log in to the system via serial console.

Workaround:
Configure the SELinux policy to allow this traffic. On a VELOS chassis, these instructions must be run on each system controller separately.

1. Connect to the F5OS system via SSH as root.

2. Examine the SELinux audit denials and confirm all of them are associated with traffic that should be allowed:

grep 'denied.*name_connect.*comm="login"' /var/log/audit/audit.log > /root/login-audit-denials.log
cat /root/login-audit-denials.log

Remove entries from the file /root/login-audit-denials.log that you do not want to allow.

3. After confirming the contents of the file /root/login-audit-denials.log, run the following commands to create and install an SELinux policy to allow that traffic:

audit2allow -M login.allowtacacs < /root/login-audit-denials.log
semodule -i login.allowtacacs.pp

Fix:
A missing SELinux exception has been added. Users authenticated via TACACS+ are now able to log in via serial console without having to manually add the exception or turning off SELinux.

1315121-1 : Key migration failure and potential corruption updating to 1.5.0 or later with deployed tenants

Links to More Info: BT1315121

Component: F5OS-A

Symptoms:
When setting a new primary key after upgrading from an older release (such as 1.1.1 or older), where tenants are deployed, to 1.5.0 or newer, the key migration may fail.

The migration failure may cause configuration database corruption for the entire system.

Conditions:
Tenants are deployed on release 1.1.1 or older. Upgrade to 1.5.0 or newer (including through intermediate upgrades, such as 1.1.1 -> 1.3.2 -> 1.5.1). Set new primary key.

Impact:
Setting a new primary key may fail. When this failure occurs, system configuration corruption may occur.

Workaround:
Mitigation to prevent failure:
- Change all tenants to the configured state
- Set a new primary key
- Wait for key migration to complete
- Return tenants to deployed state.

Recovery for corruption:
- Reset device to default configuration
- Set the primary key to the known primary key for a known-good backup
- Restore with known-good backup

Fix:
Fix known causes of database corruption on primary key migration failure. While the primary key configuration may still fail if tenants are in deployed state, it should no longer cause system corruption.

1315065-4 : RSA-1024 SSH public keys should not be allowed in FIPS mode

Links to More Info: BT1315065

Component: F5OS-A

Symptoms:
When logging into an F5OS or BIG-IP system that is in FIPS mode, RSA-1024 SSH public keys should not be allowed to make the connection. Users should instead be prompted for a password.

Conditions:
User creates a RSA-1024 SSH public key and uses it to connect to the system, while the system is in FIPS mode.

Impact:
The user is allowed to authenticate with the key, which should not be allowed.

Workaround:
N/A

Fix:
Users cannot authenticate with a RSA-1024 SSH public key while the system is in FIPS mode.

1314917-2 : Command "show system health components component psu-2" results in errors

Links to More Info: BT1314917

Component: F5OS-A

Symptoms:
When a second PSU is added to an R2/R4 device, the system health does not show psu-2 as a known component.

Conditions:
After inserting a second PSU, if a power cycle or system reboot happens, sometimes diag-agent as diag-agent is not completely up; it is missing the bmc-events generated for PSU presence and updating as not present.

Impact:
This will cause diag-agent to update the PSU as not present, and it will not be shown in "show system health".

Workaround:
Provided below platform-hal psf action as work around, which will generate bmc-events for psu-presence again.

docker exec -ti platform-hal psf run POST:bmc/rearm-sensor-events sensorNumber=1
docker exec -ti platform-hal psf run POST:bmc/rearm-sensor-events sensorNumber=2

Fix:
Updated diag-agent to initiate bmc re-arm sensors only once diag-agent is up properly, so that it does not miss any bmc-events.

1314453-1 : Datapath is broken when LAG type is changed from LACP to Static on r2000/r4000 platforms

Links to More Info: BT1314453

Component: F5OS-A

Symptoms:
After changing the LAG type to Static, the datapath on the BIG-IP tenant starts failing and the BIG-IP tenant reports the LAG is DOWN.

Conditions:
-- r2000 and r4000 platform
-- The LAG type is changed from LACP to Static.

Impact:
Datapath is completely broken while using the LAG configured.

Workaround:
Bring the members of the LAG DOWN and back to UP:

interfaces interface <ifc name> config admin disable
interfaces interface <ifc name> config admin enable

Fix:
Datapath no longer breaks when changing the LAG type from LACP.

1313329-2 : Downloaded F5OS ISO file missing after reboot

Links to More Info: BT1313329

Component: F5OS-A

Symptoms:
The system deletes the ISOs which are not verified. If a user reboots the system while an ISO import in progress, the ISO "fails" the verification and is deleted.

Conditions:
Seen if a user reboots the system while an ISO import is in progress (e.g. verifying state).

Impact:
ISO file will be deleted.

Workaround:
Download the ISO again and wait until it has been verified to reboot.

Fix:
There is no longer an issue with rebooting the system while an ISO import is in progress.

1312169-2 : User expiration is not configurable nor viewable on the webUI

Links to More Info: BT1312169

Component: F5OS-A

Symptoms:
User expiration is not configurable nor viewable on the webUI.

Conditions:
Trying to configure/view user expiration on webUI.

Impact:
The user cannot view or modify the expiry information for a system user account.

Workaround:
The expiry information for a user account can be viewed or configured at CLI.

Fix:
On the webUI the "Account Locked" widget will be replaced by the "Expiry Status" configuration which will allow locking the user in a similar fashion as the CLI.

1311953-1 : Platform-services-deployment service does not come up when system reboots early after PXE install

Links to More Info: BT1311953

Component: F5OS-A

Symptoms:
Observed that platform-services-deployment service fails to come up if the system reboots while image import is in-progress after a system PXE install.

Conditions:
Issue only happens after PXE install if the system reboot is triggered while image import is in-progress. The platform-services-deployment startup script was not waiting long enough to setup the env_var file by sw-mgmt.

Impact:
Platform-services-deployment does not come up for the system.

Workaround:
N/A

Fix:
Implemented retry mechanism in platform-services-deployment startup script which will wait for the env_var file setup by sw-mgmt service.

1311049-1 : For a system that has interfaces with 1GB speed, the network tab on the webUI dashboard is not showing all information

Links to More Info: BT1311049

Component: F5OS-A

Symptoms:
If a system has an interface with a speed of 1GB, when the user opens the Network tab on the webUI dashboard, the data that is supposed to be shown on the system graphic (such as interface speed and operational status) are not shown.

Conditions:
A system that has an interface with 1GB speed.

Impact:
The system graphic on the Network tab of the webUI dashboard is not showing interface information.

Workaround:
N/A

Fix:
Now the code is made to handle any port speed coming from the back-end response.

1306869-1 : CVE-2021-44716 in golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Component: F5OS-A

Symptoms:
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
net/http in Go has been upgraded to a non-vulnerable version.

1306861-1 : CVE-2022-30633 in golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Component: F5OS-A

Symptoms:
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows a user to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.

Conditions:
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4

Impact:
N/A

Workaround:
N/A

Fix:
Go has been updated to a non-vulnerable version.

1306773-1 : CVE-2022-27664 in golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Component: F5OS-A

Symptoms:
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Go has been updated to a non-vulnerable version.

1306749-1 : CVE-2022-28131 in golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Component: F5OS-A

Symptoms:
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows a panic due to stack exhaustion via a deeply nested XML document.

Conditions:
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4

Impact:
This may cause a panic due to stack exhaustion via a deeply nested XML document.

Workaround:
N/A

Fix:
Go has been updated to a non-vulnerable version.

1306649-1 : Rapid removal and re-insertion of 10G optics may result in link failure

Links to More Info: BT1306649

Component: F5OS-A

Symptoms:
An interface link remains down.

Conditions:
Removing and re-insertion of the SFP module within a few seconds.

Impact:
Interface link remains down.

Workaround:
There are two workarounds:
1. After removing the SFP module, wait for 2 to 3 minutes before re-inserting the SFP module. This may not work 100% of the time.
2. Reboot the appliance.

1305909 : iHealth upload not supported on F5OS-A

Links to More Info: BT1305909

Component: F5OS-A

Symptoms:
The iHealth upload service has changed its authentication schema to OKTA, and requires a Client ID and Client Secret rather than a User ID and Password. Version 1.5.1 (and previous versions) of F5OS-A do not support this authentication schema.

Conditions:
Always

Impact:
Users will not be able to directly upload QKView files to iHealth from the appliance because of change in the authentication schema.

Workaround:
1. Use the file export feature to download the QKView from the appliance to a local PC.
2. Sign on to ihealth.f5.com.
3. Use the upload feature to upload the QKView to the iHealth service.

Fix:
Added Client ID and Client Secret fields in the iHealth page on webUI. User can upload QKView files to iHealth.

1305005-3 : Error handling in F5OS file-download API

Links to More Info: BT1305005

Component: F5OS-A

Symptoms:
Upon file download failure, API is returning an Apache error page that isn't an F5OS-specific error and isn't aligned with other F5OS API errors. This is a negative user experience.

Conditions:
Due to unhandled errors, when data not in the FormData format are passed through a Curl request, an Apache error page is thrown, misaligning from other F5OS APIs errors.

Impact:
There is no functional impact. It is a negative user experience.

Workaround:
N/A

Fix:
All errors are handled in the file-download API and aligned with other F5OS APIs errors with no more Apache error pages in error cases.

1304765-2 : A remote LDAP user with an admin role is unable to make config changes through the F5 webUI

Links to More Info: BT1304765

Component: F5OS-A

Symptoms:
When a remote user's GID is mapped to the F5OS system's local GID, the GID mapping is not parsed correctly by the system. If the remote GID is known to the F5 system, there is no issue. For example, a mapping of the form 9000:9000 works fine. However, mapping of the form 5555:9000, 6666:9000 etc. will not work.

Conditions:
Local GID is being mapped to a remote GID.

Impact:
The admin user mapped to a remote GID cannot access the ConfD config mode.

Fix:
Update the system to the version with the fix.

1304657-1 : Tcam-manager does not support all the possible system network subnets

Links to More Info: BT1304657

Component: F5OS-A

Symptoms:
The connection from the tenant (TMM) to the tcam-manager is continuously restarts.

tcam-mgr logs show the wrong tenant-id and hence rejected connection from the tenant:

msg="INFO" MSG="Connection from client address:10.245.3.1".
msg="ERROR" MSG=" Confd access error obtaining tenant info for tenant:12291 slot:1".
msg="INFO" MSG="neuron_handle_responses: dropping resp to non-existent client".

TMM periodically logs neuron client errors, such as:

notice hudproxy_neuron_client_closed_cb: Neuron client connection terminated
notice pva_sc_frs_neuron_stopped_cb/2373: FRS SC: Neuron client stopped.

Conditions:
The 'system network' configuration is changed from its default setting in F5OS to an affected RFC1918 subnet.

Impact:
TCAM based features don't work.

Workaround:
Select either the default RFC6598 subnet or any of the unaffected RFC1918 subnets (prefix: 0, 4, 8, 12).

Fix:
Tcam-manager now correctly calculates the tenant-id for all possible system network subnets.

1301837-3 : A remote admin user is not able to enter the ConfD config mode when logged in from SSH

Links to More Info: BT1301837

Component: F5OS-A

Symptoms:
When a remote user's GID is mapped to the F5OS system's local GID, the GID mapping is not parsed correctly by the system. If the remote GID is known to the F5 system, there is no issue. For example, a mapping of the form 9000:9000 works fine. However, mapping of the form 5555:9000, 6666:9000 etc. will not work.

Conditions:
Local GID is being mapped to a remote GID.

Impact:
The admin user mapped to a remote GID cannot access the ConfD config mode.

Workaround:
No workaround.

Fix:
Update the system to the version with the fix.

1301169-1 : K3S goes down when OMD is restarted

Links to More Info: BT1301169

Component: F5OS-A

Symptoms:
K3S went down and failed to come up when OMD restarted due to memory corruption.

Conditions:
This is caused by not having essential flags in the system.
The appliance OMD is dependent on the flags inside /var/omd directory.

Impact:
When K3S goes down, the cluster is down, which results in service down.

Workaround:
When the cluster goes down due to missing flags, it can be brought back up by clearing the stale flags and tokens. Please contact F5 Support.

Follow instructions in https://my.f5.com/manage/s/article/K08061420

Fix:
1. Logs are in place if the /var/omd/ flags gets deleted or added.

2. Cluster will come up even if it is going to a bad state.

1300805-1 : Allowing the tenant configuration with more memory than max memory in the appliance

Links to More Info: BT1300805

Component: F5OS-A

Symptoms:
This will not have any functional impact.
Tenant configuration will be accepted but the tenant won't be up. And we see a failure message in "show tenants" with resource allocation failed.

Conditions:
Configuring the tenant with the memory that is beyond the max limit.

Impact:
It is the faulty config for the tenant. No impact on the existing/running tenants.

Workaround:
Delete the config and re-configure with valid memory.

1300749-2 : Syslog target files do not use the hostname configured via system user interface.

Links to More Info: K000135373, BT1300749

Component: F5OS-A

Symptoms:
Syslog target files, for example: /var/F5/system/log/platform.log, use a fixed nodename (appliance-1) for every device as a hostname.

Conditions:
Viewing syslog files, especially on a remote syslog server.

Impact:
In a remote log collector, source IPs are the only way to differentiate among devices.

Workaround:
It is possible to do an iRule workaround that replaces custom strings in syslog traffic depending on the client's IP address. This iRule is applied to the virtual server on another LTM that consumes the syslog traffic and load balances.


when CLIENT_DATA {
   switch [IP::client_addr] {
       "10.10.10.10" { UDP::payload replace 38 11 "ABCDC01F5OS01" }
       "10.10.10.20" { UDP::payload replace 38 11 "ABCDC01F5OS02" }
       }
}

Below is the example message after irule workaround.

Jul 31 03:33:50 10.10.10.10 2023-07-31T07:33:50.181136+00:00 appliance-1 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 0 (1:Enabled 2:Disabled ... )".

to this

Jul 31 06:00:01 10.10.10.10 2023-07-31T10:00:01.356324+00:00 ABCDC01F5OS01 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 1 (1:Enabled 2:Disabled ... )".
Jul 31 06:00:04 10.10.10.20 2023-07-31T10:00:04.983677+00:00 ABCDC01F5OS02 lacpd[1]: priority="Info" version=1.0 msgid=0x3401000000000046 msg="" info_str="check_if_op_modify(): new oc_if_enabled: 0 (1:Enabled 2:Disabled ... )".

Fix:
Infrastructure to use the system hostname user configuration in the syslog target logs has been added with the setting 'system logging config include-hostname'. It is enabled by default, and can be turned off if old behavior is preferred.

1298329-2 : F5OS tcpdump capture fails to run after F5OS software downgrade★

Links to More Info: BT1298329

Component: F5OS-A

Symptoms:
SELinux shared label set by identifier container for the common path shared across all the containers. This issue started when node-agent container was introduced without dependency.

The system repeatedly logs this message to the platform log:

  tcpdumpd-manager[8]: priority="Crit" version=1.0 msgid=0x5406000000000018 msg="[] global_dmaa_comm init_comm failed ret:" this=0x17c6b50 ret=3.

Attempting to run an F5OS tcpdump fails with the following error:

  appliance-1# system diagnostics tcpdump -nni 3.0 tcp
  running /usr/sbin/tcpdump -nnn "-nni" "3.0" "tcp"
  tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
  listening on 3.0, link-type EN10MB (Ethernet), capture size 262144 bytes
  errbuf ERROR:INIT error, line-dma-agent init returned fatal status, packets cannot be captured
  tcpdump: pcap_loop: INIT error, line-dma-agent init returned fatal status, packets cannot be captured
  0 packets captured
  0 packets received by filter
  0 packets dropped by kernel

Conditions:
This issue seems to occur when downgrading a system to an affected version.

Impact:
Tcpdump capture fails.

Workaround:
This issue can be resolved by doing the following:

1. Log into the system as root
2. Edit /var/docker/config/platform.yml
3. Locate the configuration for 'tcpdumpd-manager', and replace the volume that reads:
      - /var/F5/system:/var/tcpdump:z
with:
      - /var/F5/system:/var/tcpdump
4. Save the file
5. Reboot the appliance

Fix:
Root cause of this issue was fixed as part of ID1326157.

1298021-3 : CVE-2023-2253: DOS attack possible using massive string arrays in golang

Links to More Info: K000151459, BT1298021

1297665-1 : Occasionally diagnostic agent reports as unhealthy for unpopulated PSU_Slot in health summary and ihealth reports

Links to More Info: BT1297665

Component: F5OS-A

Symptoms:
Diagnostic agent reports as unhealthy for unpopulated PSU_Slot in ihealth reports and "show system health summary" output.

Conditions:
Occurs only when any empty PSU slots are in the system and diagnostic agent receives PSU Input State events in different order.

Impact:
It causes diagnostic agent to report as unhealthy for PSU on the unpopulated slot in health summary.

Workaround:
N/A

1296997-2 : Large core files can cause system instability

Links to More Info: BT1296997

Component: F5OS-A

Symptoms:
When a system generates and stores large core files, it can cause the system unstable.

Conditions:
F5OS generates a large core file.

Impact:
F5OS core-writing script does not check filesystem availability before writing a core file and can fill up the filesystem, causing catastrophic system instability until disk-space is reclaimed.

For more information of other impacts see
1185577 - F5OS-A memory leak in ImageAgent process on rSeries hosts may affect tenant performance or lead to unexpected restarts of tenant or host
https://cdn.f5.com/product/bugtracker/ID1185577.html

1284705 - Appliance Orchestration Manager core file may consume entire root filesystem
https://cdn.f5.com/product/bugtracker/ID1284705.html

1290949 - Invalid memory read in appliance orchestration manager
https://cdn.f5.com/product/bugtracker/ID1290949.html

1327701 - Space in SNMP community/user/target name causing snmpd container restart
https://cdn.f5.com/product/bugtracker/ID1327701.html

Workaround:
None

Fix:
F5OS now takes into account the available filesystem space before writing a core file. If the core file is too large then it will be truncated and deleted to maintain system stability. The system log message will indicate if the core file was too large to safely write.

1296525-2 : qkview may capture log files truncated in a reverse way

Links to More Info: BT1296525

Component: F5OS-A

Symptoms:
qkview captures log files, but may truncate them if too large (greater than 100 MB). A regression was introduced such that the most recent log entries would be truncated rather than the oldest.

Conditions:
Collection of qkview.

Impact:
Log entries may be missing in qkview capture.

Workaround:
When running a qkview capture, specify the maxfilesize argument to 1000 (1 GB).

system diagnostics qkview capture maxfilesize 1000

Fix:
QKview now collects the tail end of log files.

1295657-1 : ARP probes to rSeries management IP are answered by both mgmt and mgmt0-system

Links to More Info: BT1295657

Component: F5OS-A

Symptoms:
Intermittent management connectivity issues.

Conditions:
ARP probers to rSeries mgmt-ip.

Impact:
Intermittent management connectivity issues.

Workaround:
A temporary workaround is to update the arp-related kernel paraments on the mgmt interface.

sysctl -w net.ipv4.conf.mgmt.arp_ignore=2
sysctl -w net.ipv4.conf.mgmt.arp_announce=1
sysctl -w net.ipv4.conf.mgmt.rp_filter=1

1294581-2 : WebUI header shows FQDN for IP address field instead of management IP

Links to More Info: BT1294581

Component: F5OS-A

Symptoms:
The IP Address field displayed on the login page and on the top section of the GUI displays the hostname, not the IP address.

Conditions:
Accessing the F5OS GUI via the FQDN and not the IP address.

Impact:
There is no impact on functionality but the FQDN is displayed, not the management IP.

Workaround:
To view the management IP address, navigate to the Management IP screen.

Fix:
Login using FQDN shows the IP address on the header instead of the FQDN. Additionally, the IP address label on the login screen is renamed to Address.

1294341-1 : The system freezes if abruptly rebooted during software upgrade process.

Links to More Info: BT1294341

Component: F5OS-A

Symptoms:
The system software upgrade process freezes infinitely if the system rebooted abruptly.

Conditions:
This issue occurs if the system is rebooted abruptly when the software upgrade is triggered.

Impact:
Not able to perform upgrade/downgrade to other build as the process is frozen in upgrade state.

Workaround:
None

Fix:
It is possible to upgrade/downgrade to a new build even after the system is frozen due to an abrupt reboot.

1293305-2 : LAG interface status is not updated on the BIG-IP tenant

Links to More Info: BT1293305

Component: F5OS-A

Symptoms:
Symptom 1: Trunk is down in tenant but the LAG is up in F5OS-A.
Symptom 2: LAG is down in F5OS-A but the trunk is up in tenant.
Symptom 3: LAG is down in VELOS partition but the trunk is always up in tenant.

Conditions:
For symptom 1:
1. Set up new rSeries device.
2. Config static LAG and VLAN.
3. Deploy new tenant.
4. In tenant, LAG will be shown as down but interfaces shown as up.
5. This happens only at initial tenant deployment.

For symptom 2:
1. LAG is shown as down in F5OS-A.
2. Trunk is shown as up in tenant.

For symptom 3:
1. LAG is shown as down in VELOS partition.
2. Trunk is always shown as up in tenant.

Impact:
Symptom 1:
On r2x00/r4x00 platforms, as LAG will be in DOWN state, datapath will not be working.

Symptom 2:
On r2x00/r4x00 platforms, LAG status is shown as UP but it's actually DOWN on the platform. Datapath will not be UP, but as LAG is UP in tenant we expect Datapath to be UP.

Symptom 3:
If trunks are used for HA Group the scores associated to the trunks are not deducted from the overall health scores regardless of whether the interfaces in the trunks are up or not.

Workaround:
For symptom 1:
Restarting "system_api_svc_gateway" service on host.
#docker restart system_api_svc_gateway

For symptom 2:
Restarting "system_api_svc_gateway" service on host.
#docker restart system_api_svc_gateway

For symptom 3:
Restarting "partition_api_svc_gateway" on blades have no effect. Request an EHF on VELOS controller and partition/s.

1292405-1 : CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64

Links to More Info: K000137702, BT1292405

1291461-3 : LCD shutdown does not work on r2800 and r4800 platforms

Links to More Info: BT1291461

Component: F5OS-A

Symptoms:
In F5OS-A versions 1.4.0 and later, the button on the LCD menu that is used to shut down the system, when pressed, does not shutdown the system.

Conditions:
With F5OS-A 1.4.0 or later installed, from the LCD touchscreen, click the System button. Select Shutdown from the menu. Click the Shutdown button at the 'Shutdown the system?' prompt.

Impact:
The LCD touchscreen is lacking functionality the user is expecting it to have.

Workaround:
In an external terminal, connect to the unit's AOM. Select P for "Power on/off host subsystem", and then 0 for "Turn host subsystem off". Or, if the system is off, 1 for "Turn host subsystem on"

Fix:
Going into the AOM menu and powering off or powering on the system works as expected and achieves the same thing as using the LCD Shutdown button.

1290949-1 : Invalid memory read in appliance orchestration manager

Links to More Info: BT1290949

Component: F5OS-A

Symptoms:
"Invalid read" identified in OMD.
During "show cluster events" we are hitting the code flow, where the ConfD API is reading the freed memory. It is leading to an invalid read.

Conditions:
Executing "show cluster events".

Impact:
Using a freed memory may cause unexpected behavior in the system.

Workaround:
N/A

Fix:
Code changes to address memory violations in the code.

1290941-1 : LLDP/STPD/LACPD in rSeries is flooding SEP_POLLERR when dma-agent restarts

Links to More Info: BT1290941

Component: F5OS-A

Symptoms:
Below log is flooded in platform.log when dma-agent restarts
"SEP library in ERR state, sep_client_poll() returns SEP_POLLERR".

Conditions:
dma-agent restart.

Impact:
l2 functions such as LLDP/STPD/LACPD will be affected.

Workaround:
Reboot the device.

Fix:
Fixed code from flooding logs.

1290617-2 : Display option "universal-time" is not supported

Links to More Info: BT1290617

Component: F5OS-A

Symptoms:
The display option "universal-time" is a built-in third-party command that F5OS does not support.

Conditions:
User attempts to access the built-in third-party command "universal-time."

Impact:
The correct output for "universal-time" is not displayed. Proper documentation for this third-party command also cannot be found.

Workaround:
N/A

Fix:
F5OS has suppressed this display option.

1290053-1 : VELOS Software version may not be collected consistently across platform by QKView

Component: F5OS-A

Symptoms:
The QKView version format is different as collected by F5OS-A and F5OS-C, and this is reflected when the QKView is displayed by the iHealth service.

Conditions:
This always occurred when capturing a QKView.

Impact:
Occasional parsing difficulties on the iHealth service.

Workaround:
Examine the /etc/PRODUCT file contained in file collection for the host subpackage.

Fix:
Version information format as reported in the manifest.json file within a QKView is now consistent between F5OS-A and F5OS-C.

1289633-2 : FIPS devices show incorrect vCPUs

Links to More Info: BT1289633

Component: F5OS-A

Symptoms:
1. The Dashboard System Summary shows 36 vCPUs rather than the actual number of vCPUs available for Tenant Deployment.
2. The Add/Edit Tenant deployments screen allows selecting up to 36 vCPUs instead of the maximum vCPUs that the platform supports.

Conditions:
FIPS device.

Impact:
No functional impact.

Workaround:
Users can view the correct value for total vCPUs for tenant deployment on the device from the CLI using the following command:

"show cluster nodes node node-1 state node-info"

Fix:
vCPUs information will show appropriately on the dashboard based on the platform support, and Add/Edit Tenant deployment screen will have vCPU options up to the maximum that the platform supports and not beyond that.

1289029-3 : Toggling lag-type can sometimes cause an F5OS LACP aggregation to pass traffic while the peer does not have LACP configured.

Component: F5OS-A

Symptoms:
An F5OS LACP aggregation can sometimes allow traffic to pass when it should not.

Conditions:
1) With peer devices that cause link status to flap on aggregation configurations: Toggle F5OS aggregation lag-type from LACP, to STATIC. Toggle peer aggregation from LACP to STATIC. Toggle F5OS aggregation lag-type from STATIC to LACP.

2) Create an aggregation interface with STATIC lag-type, change the lag-type to LACP, then create a lacp interface. Configure the peer aggregation as a STATIC aggregation.

Impact:
Traffic will pass on an aggregation when LACP has not negotiated for affected interfaces.

Workaround:
Disable, then enable affected interfaces.

Fix:
Under no scenario will traffic pass on an interface in a LACP aggregation that has not negotiated LACP with its peer.

1288937-2 : Interface persists with removed VLAN

Links to More Info: BT1288937

Component: F5OS-A

Symptoms:
When a VLAN is deleted while being referenced by an interface or LAG, it cannot be de-referenced from the interface/LAG.

Conditions:
Delete the VLAN before removing the VLAN from the interface.

Impact:
Cannot add the interface to a LAG after deleting VLAN(s) that used the interface.

Workaround:
Recreate the removed VLAN, then edit the interface which shows defined VLAN, remove the defined VLAN, then remove the recreated VLAN.

Fix:
With the fix, the user will be able to view and remove the VLAN in the Add/Edit Interface/LAG screen even if the VLAN was deleted, and thus will be able to detach it from the interface/LAG.

1286285-3 : ISO with special characters in name will not import

Links to More Info: BT1286285

Component: F5OS-A

Symptoms:
An ISO named with special characters like "()" will not be imported and gets deleted from the import directory silently.

Conditions:
Only when the ISO name contains special characters.

Impact:
User will not have any status on the imported image with a name that contains special characters.

Workaround:
No workaround.

Fix:
The "show system image" API will display the status as "Import error. File name is incorrect."

1286165-1 : Ping failing after removing aggregate ID from interface and adding trunk VLANs in the same commit

Links to More Info: BT1286165

Component: F5OS-A

Symptoms:
Ping to self IP of tenant failing.

Conditions:
This issue will be observed only when tried from F5OS ConfD CLI.

Removing aggregate ID and assigning trunk VLANs to an interface in the same commit from ConfD CLI.

Impact:
Ping to self IP of tenant will fail.

Workaround:
From F5OS CLI
1)Remove aggregate ID from interface.
2)commit the changes.
3)Add trunk VLANs to interface and commit the changes.

For example:
1)no interfaces interface 3.0 ethernet config aggregate-id
2)commit; top
3)interfaces interface 3.0 ethernet switched-vlan config trunk-vlans [ 3700 3800 3900 ]
4)commit

Fix:
NA

1285969 : Some aggregation interface names can cause ethernet interfaces in LACP aggregations to be erroneously down

Links to More Info: BT1285969

Component: F5OS-A

Symptoms:
One or more interfaces in LACP aggregations may be considered down when they should not be.

Conditions:
Internally, LACPD hashes interfaces to an integer, and some aggregation interface names hash will collide with ethernet interface name hash. Changes to the these aggregation interfaces can impact the ethernet interface.

Impact:
Traffic through the affected ethernet interface in LACP aggregations may be disrupted. This can cause either degraded performance or traffic failure for LACP aggregations that the interface is a member of.

Workaround:
Only use aggregation interface names that don't hash to the same port numbers as ethernet interfaces.

In order to determine if an existing aggregation interfaces port number conflicts with an ethernet interface, review the lacpd_interface_stat table.

For a VELOS partition, use the lacpd container on any blade in the partition to run tmctl.
For an appliance, use system_lacpd container to run tmctl.

The following example from a rSeries appliance shows the aggregation interface "vlag" with the same port number as interface 1.0

[root@appliance-1 ~]# docker exec -it system_lacpd bash

[root@appliance-1 partition]# tmctl lacpd_interface_stat -s name,port_num
name port_num
---- --------
1.0 1024
10.0 10240
2.0 2048
3.0 3072
4.0 4096
5.0 5120
6.0 6144
7.0 7168
8.0 8192
9.0 9216
mgmt 43008
vlag 1024

If an aggregation interface hashes to the same port number an Ethernet interface:

1. Delete the conflicting aggregation interface

2a. You can either restart the lacpd containers

    or

2b. Reboot the appliance, or for VELOS reboot each blade in the partition.

Fix:
Aggregation interface names will never impact ethernet interfaces in a LACP aggregation.

1285669-3 : CVE-2022-21216 - Intel BIOS vulnerabilities on r2000/r4000 and r5000/r10000/r12000

Links to More Info: K000133432

1285149-3 : Patch releases report the wrong version in various log files.

Links to More Info: BT1285149

Component: F5OS-A

Symptoms:
F5OS-A patch files are not correctly set for patch versions.

Conditions:
Patch version release.

Impact:
Patch releases falsely report it as a non-patched release in log files.

Workaround:
None

Fix:
None

1284681-3 : IPv6 connections made through port 80 fail

Links to More Info: BT1284681

Component: F5OS-A

Symptoms:
IPv6 connections made through port 80 are failing as there are no NAT rules present for port 80.

Conditions:
Issue is observed in all conditions.

Impact:
IPv6 connections through port 80 will fail.

Workaround:
N/A

Fix:
Added a NAT rule for port 80 which allows IPv6 connections.

1284389-1 : Show system health reports unhealthy during bootup

Links to More Info: BT1284389

Component: F5OS-A

Symptoms:
In FIPS supported hardware, during the device boot-up, show system health report shows unhealthy due to fips-state reports -1 during boot-up.

Conditions:
-- during boot-up
-- FIPS partition not initialized

Impact:
No functionality impact, it's a cosmetic issue and reports unhealthy in confd and logging.

Workaround:
None

Fix:
While the device is booting, the fips state starts with -1 and it shows unhealthy till the device completely boots up, but actually, the -1 state is not initialized, so updated the code that, don't report the -1 state as unhealthy.

1284269-1 : Config restore fails if it contains an SNMP user

Links to More Info: BT1284269

Component: F5OS-A

Symptoms:
Error when restoring the config

appliance-1(config)# system database config-restore name with.mgmt.snmpuser.xml
A clean configuration is required before restoring to a previous configuration.
Please perform a reset-to-default operation if you have not done so already.
Proceed? [yes/no]: yes
Error: access denied
Database config-restore failed.

Conditions:
Backup contains an SNMP user.

Impact:
Cannot restore configuration.

Workaround:
There are two possible workarounds.

Workaround 1:
- Edit the configuration backup and remove the SNMP user related configuration.
- Restore the backup

Workaround 2:
- Create a SNMP user in device before restoring backup.
- Restore the backup

Fix:
Issue is fixed. Now the user can take a configuration backup and restore it, even with an SNMP user configured.

1284193-1 : GRUB2 vulnerability CVE-2022-28733, Samba vulnerability CVE-2021-20277, DHCP vulnerability CVE-2021-25217

Links to More Info: K000132893, BT1284193

1283641-1 : Docker network is not updating as part of internal IP ranges configurations

Links to More Info: BT1283641

Component: F5OS-A

Symptoms:
Docker network needs to be updated as per network-range-type.

Conditions:
Configuring the network-range type is not affective on docker network.

Impact:
This bug causes docker network to not update as per network-range-type.

Workaround:
Edit the/etc/sysconfig/docker file manually and restart the docker.

Fix:
The root cause was '/etc/sysconfig/docker' getting overridden while running pre-deployment-setup. This task fixes the above issue.

1282757 : On upgrade, systems might overwrite key due to automatic firmware updating

Links to More Info: K000133379, BT1282757

Component: F5OS-A

Symptoms:
When upgrading to a new version (such as 1.4.0), automatic firmware updates occur, and these interfere with the encryption key retrieval, causing a new key to be generated, which blocks api-service-gateway.

Conditions:
Upgrading to a new version where automatic firmware updates get started at boot-up.

Impact:
The api-service-gateway container does not come up and there is no communication with the tenant.

Workaround:
docker exec -it system_manager bash
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-key"
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-cert"

Fix:
The encryption key will not generate a new key unless the TPM module has none. The code will continue to retry until it succeeds or ConfD timeout occurs (300 seconds).

1281861 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0

Links to More Info: BT1281861

Component: F5OS-A

Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".

Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.

Impact:
Tenants will not start and are unusable.

Workaround:
To work around this issue, perform one of these actions:

1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".

Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.

1281857-1 : Repeated disabling and enabling of link partner interface might result in datapath corruption

Links to More Info: BT1281857

Component: F5OS-A

Symptoms:
Packets received on an interface are corrupted or lost after a link partner interface is repeatedly disabled and then enabled within relatively short windows of time.

Conditions:
A link partner interface is repeatedly disabled and then enabled within relatively short windows of time.

Impact:
Dataplane services on the given interface will be inoperable.

Workaround:
The product must be rebooted to recover.

Fix:
An FPGA firmware fix was implemented to add an additional clock to an internal component that served to isolate noise between the MAC and itself.

1281749-1 : Hashed/encrypted passwords are getting logged

Links to More Info: K000134922, BT1281749

1281165-1 : CVE-2023-0767 in nss-tools-3.67.0-4.el7_9

Component: F5OS-A

Symptoms:
An attacker may create a PKCS 12 certificate bundle to exploit mishandling of PKCS 12 Safe Bag attributes, leading to arbitrary memory writes.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Upgraded to a non-vulnerable version of nss-tools.

1281157-1 : CVE-2023-0767 in nss-sysinit-3.67.0-4.el7_9

Component: F5OS-A

Symptoms:
An attacker may create a PKCS 12 certificate bundle to exploit mishandling of PKCS 12 Safe Bag attributes, leading to arbitrary memory writes.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Updated to a non-vulnerable version of nss-sysinit.

1281149-1 : CVE-2023-0767 in nss-3.67.0-4.el7_9

Component: F5OS-A

Symptoms:
An attacker may create a PKCS 12 certificate bundle to exploit mishandling of PKCS 12 Safe Bag attributes, leading to arbitrary memory writes.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Upgraded to a non-vulnerable NSS version.

1281141-1 : CVE-2022-37434 in zlib-1.2.7-20.el7_9

Links to More Info: K67213091, BT1281141

1280953-4 : CVE-2021-33194: DOS attack possible using ParseFragment input in golang

Component: F5OS-A

Symptoms:
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Golang has been updated to a non-vulnerable version.

1280749-2 : OCSP server state data and actual configured data is different in ConfD CLI

Links to More Info: BT1280749

Component: F5OS-A

Symptoms:
The OCSP server data shown from non-config mode in the ConfD CLI is different from actual configured data.

Conditions:
- Showing state data related to OCSP server from ConfD CLI.

Impact:
Inability to check the actual OCSP server value from non-config mode.

Workaround:
Workaround is to run 'show running-config' from non-config mode.

Fix:
When the user sets new values for the OCSP server configuration, the state data is updated as well so that the user can see the actual values from non-config mode.

1280365-3 : WebUI and shell admin access unavailable after upgrade to when one of the previously installed images is no longer present★

Links to More Info: K000133253, BT1280365

Component: F5OS-A

Symptoms:
1. WebUI or CLI inaccessible via admin account (that is, ConfD is not up):
[root@appliance-1(XXXXXXXXX) log]# su admin
Failed to connect to server

2. sw-mgmt.debug file will have a line similar to this one (with image version changing depending on which image is missing):
DEBUG: Source file /var/export/chassis/import/.mounts/iso/R2R4/1.1.1-9159/m3/*-services/F5OS*.img does not exist, removing from all_sw.

3. Containers stuck in ImagePullBackOff. For example, system_network container cannot be pulled, and the following error is observed in messages log:

appliance-1 dockerd-current: time="2023-03-24T15:09:26.631359235Z" level=error msg="Not continuing with pull after error: Error: image system_network:1.4.5-f5os-a-1-4-0-candidate.2023-02-14-15-09-15.S9b340f7e not found"

An error message may occur that reads "System database upgrade compatibility check failed"

Conditions:
Both of the below conditions:

1. Certain ISO image has been ungracefully removed from the /var/import/staging folder. Examples of ungraceful removals:
-- Deleted via bash (after running chattr -i <image name>)
-- Image name had parentheses in it and as per ID1273021 it is wiped out upon reboot.

2. /var/import/import.json file includes reference to removed image that is listed BEFORE the reference to currently used image.

Impact:
Device webUI is inaccessible. Cannot access ConfD. Root access is working.

Workaround:
Two workarounds:
1. Re-import the deleted image and reboot the box.
2. Remove the whole section that references the deleted image from import.json file and reboot the box.

Fix:
N/A

1280237-1 : Notification streams are sometimes empty using 'restconf/streams/platform-stats/json' API endpoint

Links to More Info: BT1280237

Component: F5OS-A

Symptoms:
When using the 'restconf/streams/platform-stats/json' API endpoint, the JSON object could be empty instead of being populated with platform stats.

Conditions:
The initial discovery of platform-stat had a logic flaw which prevented drive information from being correctly discovered. This caused the rest of the JSON object from being populated.

Impact:
The platform-stats notification stream endpoint would return an empty object instead of platform-stat data.

Workaround:
N/A

Fix:
The logic flaw has been resolved and the platform-stat notification stream is fully populated with stat information.

1273845-1 : Removing or manually adding TLS Certificate & Key on webUI removes whole TLS configuration

Links to More Info: BT1273845

Component: F5OS-A

Symptoms:
Manually adding TLS Certificate & Key on webUI instead of storing through Self-Signed Certificate or removing Certificate & Key removes TLS configuration, which includes verify-client and verify-client-depth.

Conditions:
- When there is an existing Verify Client and Client Depth configuration, and user tries to remove TLS Certificate & Key on Certificate Management screen on webUI.

- When user fills the TLS Certificate & Key on Certificate Management screen on webUI.

Impact:
Verify Client and Client Depth configuration of Certificate Authentication will be changed to default values which disables verification of httpd client certificates.

Workaround:
- Remove or Add TLS Certificate & Key through CLI.
- While creating Self-Signed Certificate, set "Store TLS" field as true
- Re-add Verify Client and Client Depth after removing or manually adding TLS Certificate & Key.

1273581-1 : CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy

Links to More Info: K000133098, BT1273581

1273445 : Downgrade/upgrade issues are seen because ISO has special characters in the file name★

Links to More Info: BT1273445

Component: F5OS-A

Symptoms:
If a F5OS-A ISO with a filename containing 'special characters' ('+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , ＼') is imported onto the device, and the system is downgraded/upgraded with this ISO, it can result in the upgrade/downgrade failing.

Conditions:
1. Download and import an ISO with a 'special character' in its name (for example,F5OS-A-1.5.0-*.iso.
2. Attempt an upgrade /downgrade.
3. Upgrade/downgrade will fail.

Impact:
Upgrade/downgrade will fail, requiring manual intervention to recover the system.

Workaround:
1. Before performing a platform software upgrade, compare versions referenced by the "show system image" ConfD CLI command with the names of files present in the "/var/import/staging” directory.

If the ISO is not present in /var/import/staging but it is shown in "show system image" command output, then import again to "/var/import/staging”.

2. If there is any ISO file with a name containing a special character present in "/var/import/staging”, remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt upgrade.

3. In order to remove that ISO file with a name containing a special characters use the below command.

appliance-1(config)# system image remove iso <iso version>

4. In scenarios where the above command fails or where it is not possible to use above command, please follow the below procedure to delete the image.
  * login to the device using root
  * chattr -i "/var/import/staging/<iso with special characters>”
  * rm -rf "/var/import/staging/<iso with special characters>”

In case downgrade or upgrade failure has already occurred due to this issue, follow these steps to recover the system:

1. Download another copy of the ISO with a proper name to /var/import/staging.

2. Wait for five minutes for it to import. If ConfD is unavailable, you can check the logs in /var/log/sw-mgmt.debug for import status.

3. Once the import is complete, reboot the system. This should recover the system.

Fix:
The fix is to delete the ISO with the special characters when it is being imported.

1273025-1 : Once TACACS server-group is configured on a non-default port, on downgrade virt-handler pod gets into a crash loopbackoff state because of SELinux corruption

Links to More Info: BT1273025

Component: F5OS-A

Symptoms:
Virt-handler pod is crashing upon downgrading from F5OS-A 1.4.0 to F5OS-A 1.3.2, and a tenant is stuck in pending state.

Conditions:
Configure TACACS server-group on a non-default port (that is, other than port 49) and downgrade from F5OS-A 1.4.0 to F5OS-A 1.3.2.

Impact:
Tenant becomes stuck in pending state.

Workaround:
Two workarounds:

1. Configure standard port (49) for the TACACS server instead of a non-standard port. Using the standard port should not trigger these issues. Releases older than F5OS-A 1.4.0 do not correctly support any port other than 49 for the TACACS server.

2. Fix SELinux policy on the appliance:

a. cp selinux module from /usr

cp /usr/etc/selinux/targeted/active/modules/400/f5_appliance to /etc/selinux/targeted/active/modules/400/f5_appliance

b. Reboot the device

reboot

Fix:
Enforce closure of non-standard port every time configuration is updated or system is shut down. This avoids leaving ports open for which SELinux may not have exceptions.

Note this does not address the non-standard port in older releases when downgrading. Non-standard ports for TACACS are still not properly supported in the older release.

1273021-1 : ISOs imported with regex special characters in their names are getting deleted★

Links to More Info: BT1273021

Component: F5OS-A

Symptoms:
Downgrade/upgrade issues are seen when upgraded ISO has special characters in the file name

If an F5OS-A ISO with a filename containing 'special characters' ('+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , ＼') is imported, and the system is downgraded/upgraded to that version, it can result in the upgrade failing and the ISO being automatically removed.

Conditions:
1. Download and import an ISO with a 'special character' in its name, example 'F5OS-A-1.5.0-*.iso'.
2. Attempt an upgrade to the imported ISO version.
3. Upgrade will fail.

Impact:
An upgrade to a version of software marked as successfully imported can fail unexpectedly, requiring manual intervention to recover the system.

Docker container services will not come up.

Workaround:
1. Before performing a platform software upgrade, compare versions referenced by the "show system image" ConfD CLI command with the names of files present in the "/var/import/staging” directory.
If the iso is not present in /var/import/staging but it is shown in "show system image" command output, then import again to "/var/import/staging”.

2. If there is any iso file with a name containing a special character present in "/var/import/staging” remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt upgrade.
3.In-order to remove that iso file with a name containing a special characters use below command.
appliance-1(config)# system image remove iso <iso version>
4.In scenarios where above command fails or not possible to use above command
please follow below procedure to delete the image.
  * login to the device using root.
  * chattr -i "/var/import/staging/<iso with special characters>”
  * rm -rf "/var/import/staging/<iso with special characters>”

Incase downgrade or upgrade failure is already happened, because this issue,
follow these steps to recover the system:
1.Download another copy of the ISO with a proper name to /var/import/staging.
2.Wait for five minutes for it to import. if confd is unavailable, you can check the logs in /var/log/sw-mgmt.debug for import status.
3.Once the import is complete, reboot the system. This should recover the system.

Fix:
Import of ISO with special characters is blocked.

1273017-1 : LACPD restarts when changing aggregation lag-type through configuration utility webUI

Links to More Info: BT1273017

Component: F5OS-A

Symptoms:
The Link Aggregation Control Protocol Daemon (LACPD) will restart. An LACP aggregation's interface can be permanently down, restricting traffic from passing on that interface.

Conditions:
-An aggregation interface's lag-type is set to static through configuration utility.

Impact:
One or more physical interfaces associated with an LACP aggregation can be erroneously marked down indefinitely, causing either degraded performance, or complete traffic failure.

Performance degradation may not occur, but the LACPD process will always restart.

Workaround:
- Toggle any affected interface to disable and then back to enable.
- Toggle any affected aggregation interface to static and then back to LACP.
- Reboot the system.

Fix:
LACPD will not restart when an aggregation is configured to static through the configuration utility. Few warnings can be logged when this operation occurs. These warnings can be ignored if seen while changing an aggregation's lag-type through configuration utility.

1271973-2 : Disabling 1G/10G BaseT interface in F5OS does not make the link down on the peer port

Links to More Info: BT1271973

Component: F5OS-A

Symptoms:
An external switch connected to one of the 1G/10G BaseT interfaces will show link-up even when the interface is disabled in F5OS.

Conditions:
When a 1G/10G BaseT interface is connected to an external switch and is disabled in F5OS.

Impact:
The external switch link-up is misleading since the interface is actually disabled on the F5 system.

Fix:
Disabling 1G/10G BaseT interfaces in F5OS now brings the link down.

1270837-2 : The Account Locked field on the Edit User page does not lock out users nor display correct locked status

Links to More Info: BT1270837

Component: F5OS-A

Symptoms:
Changing the Account Locked field on the Edit User page does not lockout a user, nor does the field correctly represent the locked status of a user.

Conditions:
Using the Account Locked field in the webUI.

Impact:
Users are allowed to log in even if the Account Locked status is changed to True and the account is truly locked.

Users are unable to log in even if the Account Locked status is changed to False, and the account is truly unlocked.

Workaround:
To lock or unlock a user, use the CLI to set the user's expiry date to 1 for locked and -1 for unlocked.

Following is an example:

Locked

(config)# system aaa authentication users user <username> config expiry-date 1
(config)# commit

Un-locked

(config)# system aaa authentication users user <username> config expiry-date -1
(config)# commit