Supplemental Document : F5OS-A 1.7.0 Fixes and Known Issues Release Notes

Applies To:


F5OS-A

  • 1.7.0
Updated Date: 02/05/2024

F5OS-A Release Information

Version: 1.7.0
Build: 8741

Note: This content is current as of the software release date.
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.



Known Issues in F5OS-A v1.7.x

Vulnerability Fixes

ID Number CVE Links to More Info Description
1348037-1 CVE-2023-24329 K000135921 CVE-2023-24329 python: urllib.parse url blocklisting bypass
1314393-3 CVE-2023-32067 K000135831 CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service
1253713 CVE-2020-15999 K000133070, BT1253713 CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png
1183909 CVE-2018-20060 CVE-2019-11236 CVE-2019-11324 CVE-2018-18074 K000133448, BT1183909 Python urllib3 vulnerabilities CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074
1166149 CVE-2021-27803 K000135433, BT1166149 CVE-2021-27803 wpa_supplicant: Use-after-free in P2P provision discovery
1273581 CVE-2023-25690 K000133098, BT1273581 CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy
1322817-3 CVE-2023-2828 K000135312 BIND vulnerability CVE-2023-2828
1316161 CVE-2023-24329 K000135921 CVE-2023-24329 in python-libs-2.7.5-90.el7
1316153 CVE-2023-24329 K000135921 CVE-2023-24329 in python-2.7.5-90.el7
1292405 CVE-2022-25147 K000137702, BT1292405 CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64
1285669-2 CVE-2022-21216 K000133432 CVE-2022-21216 - Intel BIOS vulnerabilities on r2000/r4000 and r5000/r10000/r12000
1284193 CVE-2021-20277 CVE-2021-25217 CVE-2022-28733 K000132893, BT1284193 GRUB2 vulnerability CVE-2022-28733, Samba vulnerability CVE-2021-20277, DHCP vulnerability CVE-2021-25217
1281141 CVE-2022-37434 K67213091, BT1281141 CVE-2022-37434 in zlib-1.2.7-20.el7_9
1266197 CVE-2022-4254 K000136157, BT1266197 CVE-2022-4254 sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters
1263941 CVE-2023-22809 K000132667, BT1263941 CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user
1207189-2 CVE-2022-38178 K000137229, BT1207189 CVE-2022-38178 in bind-license-32:9.11.4-26.P2.el7_9.7
1207185-3 CVE-2022-38178 K000137229, BT1207185 CVE-2022-38178 in bind-export-libs-32:9.11.4-26.P2.el7_9.7
1207181-3 CVE-2022-38177 K27155546, BT1207181 CVE-2022-38177 in bind-license-32:9.11.4-26.P2.el7_9.7
1167153 CVE-2022-1271 K000130546 CVE-2022-1271 gzip: arbitrary-file-write vulnerability
1166169 CVE-2021-25217 K08832573 CVE-2021-25217 dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or lease files in dhcpd and dhclient
1166157 CVE-2021-20277 K48527562 CVE-2021-20277 samba: Out of bounds read in AD DC LDAP server
1166145 CVE-2021-4034 K46015513 CVE-2021-4034 polkit: Local privilege escalation in pkexec due to incorrect handling of argument vector
1165965 CVE-2022-38177 K27155546 CVE-2022-38177 bind: memory leak in ECDSA DNSSEC verification code
1165961 CVE-2022-38178 K000137229 CVE-2022-38178 bind: memory leaks in EdDSA DNSSEC verification code
1120329-4 CVE-2019-20044 K000134672, BT1120329 CVE-2019-20044: In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option
1093105 CVE-2022-22720 K67090077 Apache vulnerability CVE-2022-22720
1091853-3 CVE-2022-23308 K32760744, BT1091853 CVE-2022-23308: libxml2 vulnerability
1378313-1 CVE-2020-22218 K000138219 CVE-2020-22218: libssh2: use-of-uninitialized-value in _libssh2_transport_read
1303877 CVE-2022-33972 K000134942 INTEL-SA-00730: CVE-2022-33972
1194885 CVE-2022-37434 K67213091 CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field
1109345 CVE-2022-21131 CVE-2022-21136 CVE-2022-21151 CVE-2021-33117 K43541501, BT1109345 Intel CPU updates to resolve CVE-2022-21131, CVE-2022-21136, CVE-2022-21151, and CVE-2021-33117
1060205 CVE-2021-25214 K11426315 CVE-2021-25214 bind: Broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly
1060193-3 CVE-2019-5188 K06014092, BT1060193 e2fsprogs vulnerability: CVE-2019-5188
1052821-1 CVE-2021-34798 K72382141, BT1052821 Apache HTTPD vulnerability CVE-2021-34798
1281749 CVE-2023-36494 K000134922, BT1281749 Hashed/encrypted passwords are getting logged
1294005 CVE-2019-20907 K78284681 CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive
1188993 CVE-2022-38177 CVE-2022-38178 K000137229, BT1188993 BIND vulnerability CVE-2022-38177, CVE-2022-38178


Functional Change Fixes

ID Number Severity Links to More Info Description
991917-2 3-Major   VELOS system controller/chassis partition should support a system hostname


F5OS-A Fixes

ID Number Severity Links to More Info Description
1365821-1 1-Blocking   Traffic loss of 5-10 seconds after disable/enable of LACP Lag member on r5000/r10000
1360905-2 1-Blocking   Unexpected log messages in /var/log/boot.log post-integrity recovery
1359897-1 1-Blocking BT1359897 rSeries link down events can be missed
1359277-1 1-Blocking   ConfD CLI timed out and subsequently sees Error: application communication failure
1352449-1 1-Blocking   iHealth upload is failing with error "certificate signed by unknown authority"
1352353-2 1-Blocking   Remove integrity-check configurable option from CLI
1352045-1 1-Blocking   Not able to connect to tenant console via virtctl after upgrade
1348145-1 1-Blocking   Observing 'Failed to send restarting msg to VF' during reboot with tenants deployed causing reboot time to increase
1328405-4 1-Blocking BT1328405 F5OS system stopped generating tmstat snapshots
1326541 1-Blocking BT1326541 In r2000 and r4000 systems, alarm LED is not set when there are alerts raised in the system
1326157 1-Blocking   Observed multiple containers restarting and cores generating after PXE installation
1322225 1-Blocking   Observing tenant pods are stuck in pending state after upgrade
1315121-4 1-Blocking BT1315121 Key migration failure and potential corruption updating to 1.5.0 or later with deployed tenants
1315065-2 1-Blocking BT1315065 RSA-1024 SSH public keys should not be allowed in FIPS mode
1314453 1-Blocking BT1314453 Datapath is broken when LAG type is changed from LACP to Static on r2000/r4000 platforms
1314169-3 1-Blocking BT1314169 Tenant service-id mismatch between fdb mac-table and service-instance entries
1291353 1-Blocking   LCD application does not update if appliance is power-cycled during firmware update
1282757-2 1-Blocking K000133379, BT1282757 On upgrade, systems might overwrite key due to automatic firmware updating
1249873 1-Blocking BT1249873 sPVA hardware offload not working correctly on r10k
1217169 1-Blocking BT1217169 Disk full: Latest ISO is not getting imported
1211853-4 1-Blocking   Hardware offload features may affect packets destined for unrelated tenants
1208573-1 1-Blocking BT1208573 Disabling Basic Authentication does not block the RESTCONF GET requests
1188921 1-Blocking BT1188921 tcpdump not working after upgrade
1184441 1-Blocking   VXLAN-GPE and GENEVE tunnel support
1184429-3 1-Blocking BT1184429 Specifying "operation not supported" as an iHealth QKView description or SR number will disable iHealth uploading
1429741-1 2-Critical BT1429741 Appliance management plane egress traffic from F5OS-A host going via BIG-IP Next tenant management interface instead of host management when both are in same subnet
1398145-1 2-Critical   The 'file list' command takes a long time and the webUI is stuck in loading
1378805-1 2-Critical   Error occurs when changing LAG type for an existing LAG interface on webUI
1366337-1 2-Critical   Adding a system raid drive fails after successful removal
1365985-4 2-Critical BT1365985 GID role mapping may not work with secondary GID
1355277-3 2-Critical   Incorrect Vlan Listeners when a Static FDB is configured
1354373 2-Critical   WebUI malfunctions when navigating to HSM Details with inactive FIPS drivers
1354341-2 2-Critical BT1354341 Changing a VLAN from trunked (tagged) to native (untagged) on a LAG in a single transaction can cause traffic outage
1352421-1 2-Critical BT1352421 L2 services (LACP/LLDP) are down
1349677 2-Critical   K3S Cluster will be reinstalled during upgrade from 1.5.0 or lower versions to 1.7.0
1341521-4 2-Critical   Incorrect subnet mask returned for GET call for /systems
1330797-1 2-Critical   Interfaces removed from LACP trunk due to traffic congestion
1330793-1 2-Critical   Interfaces removed from LACP trunk due to traffic congestion
1330717 2-Critical   LLDP neighbors are not getting discovered
1329161-1 2-Critical BT1329161 In non-FIPS mode, added support for the SSH-RSA host key algorithm
1328977 2-Critical BT1328977 Appliance Orchestration Manager fails due to memory corruption
1327701 2-Critical BT1327701 Space in SNMP community/user/target name causing snmpd container restart
1326725 2-Critical BT1326725 Unable to generate SNMP Trap for IPV6
1317793 2-Critical BT1317793 F5OS qat-support-pod service crashed with SIGBUS error
1314917-1 2-Critical BT1314917 Command "show system health components component psu-2" results in errors
1313329-1 2-Critical BT1313329 Downloaded F5OS ISO file missing after reboot
1311953 2-Critical   Platform-services-deployment service does not come up when system reboots early after PXE install
1311309 2-Critical   On r2k or r4k systems, improved VF creation by adding health checks and retrials
1304765-1 2-Critical BT1304765 A remote LDAP user with an admin role is unable to make config changes through the F5 webUI
1304657 2-Critical BT1304657 tcam-manager does not support all the possible system network subnets
1303125 2-Critical BT1303125 Tenants must be moved to 'provisioned' or 'configured' state when downgrading F5OS partition or appliance services from 1.6.0+ to versions below 1.6.0
1301837-1 2-Critical BT1301837 A remote admin user is not able to enter the ConfD config mode when logged in from SSH
1298329 2-Critical BT1298329 Tcpdump capture fails
1296525 2-Critical BT1296525 qkview may capture log files truncated in a reverse way
1295657 2-Critical BT1295657 ARP probes to rSeries management IP are answered by both mgmt and mgmt0-system
1291461 2-Critical BT1291461 LCD shutdown does not work on r2800 and r4800 platforms
1290941 2-Critical BT1290941 LLDP/STPD/LACPD in rSeries is flooding SEP_POLLERR when dma-agent restarts
1287073 2-Critical   EHF build number is not being displayed in ConfD
1286165 2-Critical BT1286165 Ping failing after removing aggregate ID from interface and adding trunk VLANs in the same commit
1285969-1 2-Critical BT1285969 Some aggregation interface names can cause ethernet interfaces in LACP aggregations to be erroneously down
1284681-1 2-Critical BT1284681 IPv6 connections made through port 80 fail
1284089 2-Critical   Running RPM package should not be removed one by one without a reboot in between
1283641 2-Critical BT1283641 Docker network is not updating as part of internal IP ranges configurations
1282185-1 2-Critical   Unable to restore backup file containing expired TLS certificate
1281857-2 2-Critical BT1281857 Repeated disabling and enabling of link partner interface might result in datapath corruption
1280749 2-Critical   OCSP server state data and actual configured data is different in ConfD CLI
1280413 2-Critical   F5OS adds OpenTelemetry export capability
1280365-2 2-Critical K000133253, BT1280365 WebUI and shell admin access unavailable after upgrade to when one of the previously installed images is no longer present
1280237-3 2-Critical BT1280237 Notification streams are sometimes empty using 'restconf/streams/platform-stats/json' API endpoint
1273861 2-Critical   Api_svc_gateway container stuck in restarting phase
1273025 2-Critical BT1273025 Once TACACS server-group is configured on a non-default port, on downgrade virt-handler pod gets into a crash loopbackoff state because of SELinux corruption
1273021 2-Critical BT1273021 ISOs imported with regex special characters in their names are getting deleted
1270473-1 2-Critical BT1270473 On firmware upgrade from CLI, wrong console message displayed
1269989-1 2-Critical BT1269989 tcam-manager may get stuck using 100% CPU
1267201 2-Critical BT1267201 "Unexpected response back from API" error message when deleting ISO
1256893 2-Critical   Add more password policy configuration parameters
1252377 2-Critical BT1252377 VXLAN-GPE and GENEVE are disabled by default when software is upgraded from F5OS-A 1.3.0 build to F5OS-A 1.4.0
1251129 2-Critical BT1251129 Flannel network needs to be in cluster CIDR
1249773 2-Critical BT1249773 QKView may fail to collect all files for platform-monitor container
1225989 2-Critical BT1225989 TACACS users only able to access CLI, not webUI
1204433 2-Critical BT1204433 "Appliance-mode" flag in license should not be used to enable appliance-mode
1188105 2-Critical   K3SClusterUpgrade status shown as Done before cluster pods running up on appliance
1186597 2-Critical BT1186597 K3S install status in f5OS ConfD is improved
1167477 2-Critical   CVE-2021-20233: grub2 - Heap out-of-bounds write due to miscalculation of space required for quoting
1137121-4 2-Critical BT1137121 Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0
1136725 2-Critical BT1136725 An iptables CLI error
1136597 2-Critical BT1136597 LDAP user with admin and operator role gets only operator permissions
1099069-1 2-Critical BT1099069 Issues with pulling files from F5OS device using SCP
1047689 2-Critical BT1047689 sw_rbcast core file found on system
1393685 3-Major   SELinux denials prevented LDAP users from serial console login
1381661-2 3-Major   LDAP external authentication fails if there is no group definition for user's primary GID
1381057-1 3-Major   Opening and closing preview pane is causing the page scrollbar to disappear on View Tenant Deployments screen
1379625-1 3-Major   Changing the max-age attribute in password policy is not reflecting immediately
1366157-1 3-Major   Warning needed about creating tenant with same name as existing user account name
1351893 3-Major   ConfD Logging 'Failed to change working directory' Error Message
1351529-1 3-Major BT1351529 Fixing the log issue stating "UNSUPPORTED STP state" when STP global is configured
1349465-1 3-Major BT1349465 Partition s/w upgrade compatibility check doesn't use correct target version
1329021-1 3-Major   Display order of interfaces/portgroups in ConfD CLI are not in numerical order
1325365 3-Major   CVE-2022-25883 - semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS)
1324737 3-Major BT1324737 The output of the command "ethtool --show-priv-flags" on all interfaces needs to be collected in QKView
1315149-2 3-Major BT1315149 Users authenticated via TACACS+ cannot log in via serial console
1314497-1 3-Major BT1314497 Unable to delete the static LAG from webUI
1311049 3-Major BT1311049 For a system that has interfaces with 1GB speed, the network tab on the webUI dashboard is not showing all information
1307597 3-Major   System does not report ISO as in use in "show system image"
1306869 3-Major   CVE-2021-44716 in golang.org/x/net-v0.0.0-20201021035429-f5854403a974
1306861 3-Major   CVE-2022-30633 in golang.org/x/net-v0.0.0-20201021035429-f5854403a974
1306773 3-Major   CVE-2022-27664 in golang.org/x/net-v0.0.0-20201021035429-f5854403a974
1306749 3-Major   CVE-2022-28131 in golang.org/x/net-v0.0.0-20201021035429-f5854403a974
1306649 3-Major   Rapid removal and re-insertion of 10G optics may result in link failure
1306197 3-Major   The "show system image" command is taking more time than expected to display the output
1305005-4 3-Major BT1305005 Error handling in F5OS file-download API
1301169 3-Major   K3S goes down when OMD is restarted
1300805 3-Major BT1300805 Allowing the tenant configuration with more memory than max memory in the appliance
1298601 3-Major   Part number and serial number of an F5OS-A system not displayed on webUI
1298021 3-Major   CVE-2023-2253: DOS attack possible using massive string arrays in golang
1297665 3-Major BT1297665 Occasionally diagnostic agent reports as unhealthy for unpopulated PSU_Slot in health summary and ihealth reports
1297137 3-Major BT1297137 SNMP requests to the partition were failing after the platform-stats-bridge process failed
1297077 3-Major   Error with 'show system image' when same image is copied into /var/import/staging
1295141-1 3-Major   Ability to change SNMPD listening port
1294581 3-Major BT1294581 webUI header shows FQDN for IP address field instead of management IP
1294561-2 3-Major BT1294561 When OCSP is disabled, configurations are not accurately shown outside of 'config' mode
1293305 3-Major BT1293305 LAG interface status is not updated on the BIG-IP tenant
1293013 3-Major   "show components component storage state disks disk state" is not auto populating
1291305 3-Major   LACP Mode is passive for a static trunk in tenants running r2800/r4800 platforms
1290617 3-Major BT1290617 Display option "universal-time" is not supported
1290237 3-Major BT1290237 Modified network prefix range for the internal addresses on rSeries
1289633 3-Major   FIPS devices show incorrect vCPUs
1288937 3-Major BT1288937 Interface persists with removed VLAN
1288897 3-Major BT1288897 Allowed IP rule name, which contains all underscores, will be deleted while upgrading to F5OS-A 1.7.0 and later versions
1287993 3-Major BT1287993 Incorrect PSU mismatch indication for two Murata M1845 PSUs operating at different AC input voltages
1286453 3-Major BT1286453 Unable to transfer files with admin account using SCP
1286285 3-Major BT1286285 ISO with special characters in name will not import
1285105 3-Major BT1285105 Users see a "cannot identify you" prompt when their password expires
1284269 3-Major BT1284269 Config restore fails if it contains an SNMP user
1282161 3-Major   Diagnostic agent stops displaying firmware update status banner even though firmware update is not complete
1281165 3-Major   CVE-2023-0767 in nss-tools-3.67.0-4.el7_9
1281157 3-Major   CVE-2023-0767 in nss-sysinit-3.67.0-4.el7_9
1281149 3-Major   CVE-2023-0767 in nss-3.67.0-4.el7_9
1280985 3-Major   CVE-2021-44716: Excessive memory consumption with HTTP/2 requests in golang
1280977 3-Major   CVE-2022-28131: Panic when encoding for deeply nested xml in golang
1280969 3-Major   CVE-2022-41721: Request smuggling possible using HTTP2 in golang
1280961 3-Major   CVE-2022-27664: DOS Possible if fatal error in HTTP/2 using golang
1280953 3-Major   CVE-2021-33194: DOS attack possible using ParseFragment input in golang
1280833-1 3-Major BT1280833 The error message is not correct when enabling client-cert (Client Certificate Authentication) before setting verify-client (Client Certificate Verification) to true
1280441 3-Major BT1280441 When no parameter is given for 'system aaa tls create-self-signed-cert', encrypted key-type does not ask for passphrase
1273845 3-Major BT1273845 Removing or manually adding TLS Certificate & Key on webUI removes whole TLS configuration
1273449 3-Major   Tenant configuration with more VCPUs than allowed
1273017 3-Major BT1273017 LACPD restarts when changing aggregation lag-type through configuration utility webUI
1271973 3-Major BT1271973 Disabling 1G/10G BaseT interface in F5OS does not make the link down on the peer port
1270837 3-Major BT1270837 The Account Locked field on the Edit User page does not lock out users nor display correct locked status
1267253 3-Major BT1267253 LDAP shadowExpire attribute not honored
1267205 3-Major BT1267205 Status field in "show system image" reports error when upgrading to 1.5.0
1256897-2 3-Major   Deleting an ECDSA curve using the CLI takes a while to restart the http-server with the default RSA certificate.
1256437 3-Major BT1256437 Interface with a default route with gateway is NOT available
1256425 3-Major   Expiration for a user account should be updated using expiry-status command
1252445 3-Major BT1252445 QKView is collecting iptable dump only for filter table but not for raw, mangle, and nat
1240749 3-Major BT1240749 F5OS systems send incomplete DDoS stats response to the tenants
1240565-3 3-Major BT1240565 Not allowing special characters "/*!<>^,/" in SNMP community/user/target name
1239293 3-Major BT1239293 Observing repeated logs of "Found correct SSH key in authorized_keys" in /var/log/appliance.log
1239273 3-Major BT1239273 F5OS returns http server version in http header response
1235161 3-Major BT1235161 Modification of STP path cost with value 0 on appliance/chassis does not work as expected
1232965 3-Major   The set-password action now reports a 'success' message
1231609 3-Major BT1231609 exclude-cores "true" option still includes the core files in webUI/CLI
1230637 3-Major   Password quality checker returns more informative results
1230209 3-Major   F5OS-A : Retain more old copies of PEL logs in /var/log/platform/
1229465-2 3-Major   QKView is not collecting core files in /var/crash
1229449 3-Major BT1229449 Username is not logged on rSeries appliance when webUI authentication fails
1225701 3-Major BT1225701 Filenames with special characters in /var/import/staging cause upgrade to fail
1220553 3-Major BT1220553 TCPDUMP service printed debug logs when adding or removing an interface
1216097 3-Major BT1216097 LACP state flapped repeatedly during the upgrade
1215637 3-Major   The "show cluster install-status" CLI command is updated to reflect actual cluster bring-up status
1213185 3-Major BT1213185 ISO file not copied during clean install from USB DVD/CD-ROM device
1211673 3-Major BT1211673 Default tenant disk size is based on tenant image type
1209077-1 3-Major BT1209077 Unable to remove unused ISOs or services if used by openshift
1205409-1 3-Major BT1205409 Cannot export or download files from diags/shared/tcpdump path
1205345 3-Major BT1205345 RADIUS remote authentication uses internal system IP address as system identifier in requests
1196017-1 3-Major BT1196017 Kube-flannel stuck in ImagePullBackOff status due to wrong port or tag
1196005-1 3-Major BT1196005 K3S pods version is shown incorrect
1190321 3-Major BT1190321 F5OS - "system config hostname" change not reflected in SNMP MIB
1189057-2 3-Major   LACPD fails to read system-priority at container starting time
1188877 3-Major   Kubernetes Cluster Reinstall provision extended from VELOS to rSeries
1188057 3-Major   Inactivity-timeout for Console
1185741 3-Major BT1185741 API access and webUI login fails if password contains a semicolon (;)
1185701 3-Major BT1185701 'system aaa' command in ConfD to fail with "Error: application communication failure"
1181929 3-Major BT1181929 F5OS install may partially fail, leaving system with mismatched OS and services
1166197 3-Major   CVE-2021-20233 grub2: Heap out-of-bounds write due to miscalculation of space required for quoting
1166153 3-Major   CVE-2021-20225 grub2: Heap out-of-bounds write in short form option parser
1156005 3-Major BT1156005 system-host-config fails to handle order of DNS search path in /etc/resolv.conf
1155133 3-Major BT1155133 File permission needed for "commit save-running" CLI command
1154761 3-Major BT1154761 Refactoring of L2 protocol error log
1141609 3-Major BT1141609 Error if RAPID_PVST is selected under STP protocol
1141573-2 3-Major BT1141573 ConfD management IP configuration command DHCP shows unusable extra options which might confuse user
1132605 3-Major BT1132605 Copied ISO file does not have the immutable bit set after F5OS USB install
1132569 3-Major BT1132569 "cdb_exists failed" error logged in platform.log during boot up
1126677-1 3-Major BT1126677 Inconsistencies with time zones displayed in controller and log files
1118109 3-Major   CVE-2019-15605: HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed
1096341-1 3-Major BT1096341 During ISO import, the size was incorrectly displayed as 1
1069365-2 3-Major   Error shown when configuring known-host for file transfer when FIPS mode is enabled
1050261 3-Major BT1050261 The "show components" component PSU does not show sn/pn after PSU hot-swap
1345721 4-Minor BT1345721 The "show system state boot-time" command does not display any entry
1330429-1 4-Minor   Port Mappings screen on webUI displays "GB" for bandwidth instead of "Gb"
1312169 4-Minor BT1312169 User expiration is not configurable nor viewable on the webUI
1298865 4-Minor   Upgrade compatibility issue from 1.6.0-A to 1.7.0-A, 1.6.0-C to 1.8.0-C and 1.7.0-C to 1.8.0-C
1290053 4-Minor   VELOS Software version may not be collected consistently across platform by QKView
1289581 4-Minor   Certain tenant configuration options should be unavailable on webUI after tenant deployment
1210577-1 4-Minor BT1210577 Supportability: the confd_cmd utility is now included in the system controller container
1184513 4-Minor BT1184513 F5OS audit log reports duration values in microseconds, using "ms" abbreviation
1182605-1 4-Minor BT1182605 Boot marker logs do not provide enough information
1166061 4-Minor BT1166061 Docker logs may not be collected by QKView if container has failed
1156113 4-Minor BT1156113 Appliance OMD repeatedly logs an obtuse error message every 10 seconds
1128877 4-Minor BT1128877 Mount command added to QKView collection
1280205-1 5-Cosmetic BT1280205 A manual license install does not log success message


Cumulative fix details for F5OS-A v1.7.0 that are included in this release

991917-2 : VELOS system controller/chassis partition should support a system hostname

Component: F5OS-A

Symptoms:
System hostname is missing in operational data (state data).

For example: Even after configuring the system hostname, it is not visible when you run the "show system state hostname" command.

syscon-2-active# show system state hostname
% No entries found.

Conditions:
1. Configure hostname in config mode using this command: system config hostname <name>
2. Display the configured hostname using this command:
show system state hostname

Impact:
Hostname is not visible in state information.

Workaround:
Check for the configured hostname from the system controller login prompt or by checking the running configuration using the "show running-config system config hostname" command.

Fix:
Hostname now displays when you use the "show system state hostname" command.

Behavior Change:
The "show system state hostname" command now provides a valid response and displays the currently-set hostname.


1429741-1 : Appliance management plane egress traffic from F5OS-A host going via BIG-IP Next tenant management interface instead of host management when both are in same subnet

Links to More Info: BT1429741

Component: F5OS-A

Symptoms:
When a BIG-IP Next tenant is installed, a default route rule is added on the host. If the tenant management IP and the host management IP are on the same subnet, two similar rules are created with that subnet as their destination.

The tenant route rule is created with the higher priority (metric 0), so any management egress traffic destined for that subnet leaves through the tenant management interface instead of the host management interface.

Conditions:
BIG-IP Next tenant is deployed on appliance.

Impact:
End users receiving traffic from the appliance will observe the sender IP as the tenant management interface instead of the host management interface.

Note:
a. This issue is observed only when the host management subnet and the tenant management subnet are the same, and the destination the data is sent to is also on that subnet.
b. This impacts management plane traffic within the appliance's management subnets.

Workaround:
N/A

Fix:
N/A


1398145-1 : The 'file list' command takes a long time and the webUI is stuck in loading

Component: F5OS-A

Symptoms:
When the 'file list' command is used, it takes a lot of time to get the results for the log/host path. This causes the webUI to be stuck in loading.

Conditions:
Using 'file list' command for log/host.

Impact:
The webUI will not be able to load the files in the log/host.

Workaround:
N/A

Fix:
Optimized the code to achieve faster performance when handling file lists.


1393685 : SELinux denials prevented LDAP users from serial console login

Component: F5OS-A

Symptoms:
Attempting to log into the serial console as an LDAP-authenticated user would fail.

Conditions:
LDAP is configured, the user in question is authenticated via LDAP, and that user logs in to the serial console.

Impact:
LDAP users are unable to log in via the serial console.

Workaround:
Use an F5OS local user for serial console access.

Fix:
SELinux denials have been corrected.


1381661-2 : LDAP external authentication fails if there is no group definition for user's primary GID

Component: F5OS-A

Symptoms:
LDAP external authentication (e.g. REST API or GUI; but not ssh) fails in the following scenario:
- User is defined in external auth system (e.g. LDAP)
- User has a primary GID assigned
- There is no group definition for user's primary GID

While this is legal, because the numeric GID should be sufficient, the attempt to look up the group information fails, and that failure short-circuits authentication, resulting in an error.

Conditions:
- User is defined in external auth system (e.g. LDAP)
- User has a primary GID assigned
- There is no group definition for user's primary GID

Impact:
Externally defined users may not be able to log in.

Workaround:
Define a group for the user's primary group ID.

system aaa authentication roles role <group name> config remote-gid <group ID>

Fix:
LDAP external authentication no longer fails if there is no group definition for user's primary GID. The numeric GID is sufficient.
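The following is an added example, not F5OS code, that models the failure mode described above: a role lookup that goes through the group name fails for a user whose primary GID has no group definition, while a lookup keyed on the numeric GID (the fixed behaviour, and what the remote-gid workaround relies on) succeeds. The user, group and role records are constructed; the audit helper lists the accounts that would have failed REST API or GUI login before the fix.

```python
# Added example (not F5OS code): a model of the primary-GID lookup failure
# described in 1381661-2. The passwd/group records and the role map are
# constructed; the role map mirrors the 'remote-gid' workaround from the note.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class RemoteUser:
    """A user record as returned by the external directory (e.g. LDAP)."""
    name: str
    uid: int
    gid: int  # primary GID assigned in the directory


class AuthError(Exception):
    """Raised when authentication short-circuits."""


# Constructed directory data. alice's primary GID has a group definition;
# bob's primary GID 9100 has none, which is the condition that triggers the bug.
PASSWD: Dict[str, RemoteUser] = {
    "alice": RemoteUser("alice", 2001, 9000),
    "bob": RemoteUser("bob", 2002, 9100),
}
GROUPS: Dict[int, str] = {9000: "netops"}  # gid -> group name (bob's is missing)

# Role map keyed by numeric GID, as configured with
#   system aaa authentication roles role <name> config remote-gid <gid>
ROLE_BY_GID: Dict[int, str] = {9000: "operator", 9100: "admin"}


def resolve_role_before_fix(user: RemoteUser) -> str:
    """Pre-fix behaviour: the role lookup first resolves the group *name*,
    so a primary GID without a group entry aborts authentication."""
    group_name: Optional[str] = GROUPS.get(user.gid)
    if group_name is None:
        # This is the short circuit the release note describes.
        raise AuthError(f"group lookup failed for gid {user.gid}")
    return ROLE_BY_GID[user.gid]


def resolve_role_after_fix(user: RemoteUser) -> str:
    """Fixed behaviour: the numeric GID is sufficient; the group name is
    only informational and its absence does not fail authentication."""
    role = ROLE_BY_GID.get(user.gid)
    if role is None:
        raise AuthError(f"no role mapped to gid {user.gid}")
    return role


def outcome(resolver: Callable[[RemoteUser], str], user: RemoteUser) -> str:
    """Run a resolver and report the result as a string (role or error)."""
    try:
        return resolver(user)
    except AuthError as exc:
        return f"AuthError: {exc}"


def users_with_undefined_primary_group(passwd: Dict[str, RemoteUser],
                                       groups: Dict[int, str]) -> List[str]:
    """Audit helper: users whose primary GID has no group definition, i.e.
    the accounts that would fail REST/GUI login before the fix."""
    return sorted(u.name for u in passwd.values() if u.gid not in groups)


if __name__ == "__main__":
    print("affected users:", users_with_undefined_primary_group(PASSWD, GROUPS))
    for name, user in PASSWD.items():
        print(name, "before fix:", outcome(resolve_role_before_fix, user))
        print(name, "after fix: ", outcome(resolve_role_after_fix, user))
```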


1381057-1 : Opening and closing preview pane is causing the page scrollbar to disappear on View Tenant Deployments screen

Component: F5OS-A

Symptoms:
On the "View Tenant Deployments" screen, when there are a significant number of tenants on the tenant data table, there will be a page level scroll. Opening and closing the preview pane by clicking on any row makes the page level scroll bar disappear.

Conditions:
User should be on the "View Tenant Deployments" screen and there should be many tenants configured on the system so that user can see a page level scroll bar.

Impact:
Opening and closing preview pane is causing the page level scrollbar to disappear making it impossible for a user to scroll down and see the tenants that are out of scroll view.

Workaround:
N/A

Fix:
Opening and closing the preview pane no longer hides the page-level scrollbar, so the user can scroll down to the tenants that are below the visible area.


1379625-1 : Changing the max-age attribute in password policy is not reflecting immediately

Component: F5OS-A

Symptoms:
Even after setting the max-age value (the maximum age, in days, after which the password expires) to less than 7 days, the password expiration warning is not displayed at the next login.

Conditions:
Set max-age attribute to less than 7 (days) and check if password expiration warning is prompted at the time of next login.

Impact:
Password expiration feature is not working as expected.

Workaround:
N/A

Fix:
The max-age value updated from the ConfD CLI is now synchronized with the user's password expiration attribute in /etc/shadow on the system.


1378805-1 : Error occurs when changing LAG type for an existing LAG interface on webUI

Component: F5OS-A

Symptoms:
On the webUI, if a LAG's type is changed away from LACP, an error is displayed when the type is changed back to LACP.

Conditions:
The error occurs when attempting to change the LAG type on an existing LAG interface to a previously used type.

(i.e. Creating a LAG interface with type LACP, changing that type to Static, and then changing it back to LACP)

Impact:
This issue does not affect functionality; however, an unnecessary "Object Already Exist" error pop-up appears.

Workaround:
To avoid the pop-up, change the LAG type to LACP using the CLI in this scenario.

Fix:
Changing the LAG type on an existing LAG interface to a previously used type no longer triggers an error pop-up on the webUI.


1378313-1 : CVE-2020-22218: libssh2: use-of-uninitialized-value in _libssh2_transport_read

Links to More Info: K000138219


1366337-1 : Adding a system raid drive fails after successful removal

Component: F5OS-A

Symptoms:
If the system was set up using a bare-metal installation of version 1.5.1 or later, the user is unable to add an SSD after removing an existing SSD from the RAID.

Conditions:
The system was bare-metal installed using version 1.5.1 or later.

Impact:
The user is unable to remove an SSD from the RAID and add it back.

Workaround:
N/A

Fix:
After upgrading to 1.7.0 or later, SSDs can be added to and removed from the RAID.


1366157-1 : Warning needed about creating tenant with same name as existing user account name

Component: F5OS-A

Symptoms:
When a tenant is created with the same name as an existing user account, the end user cannot log in to the tenant console with that user account, and no warning is given.

Conditions:
Creating the tenant with the same name as an existing user account.

Impact:
The end user will not be able to connect to the tenant mgmt-ip with the user account.

Workaround:
Delete and re-deploy the tenant again with a different name.

Fix:
A warning has been added stating that a console user will not be created if the tenant name matches an existing user account name.


1365985-4 : GID role mapping may not work with secondary GID

Links to More Info: BT1365985

Component: F5OS-A

Symptoms:
When a user in an external authentication system (LDAP, Radius, TACACS) is given a GID for an F5 role, and that GID is a secondary GID, the role assignment may not be discovered. This would result in the inability to access the system or be able to configure the system for that user.

Conditions:
- User in an external authentication system (LDAP, Radius, TACACS)
- GID corresponding to F5 role is a secondary GID (for example, it is not the user's default GID, rather a GID from a group to which the user belongs)

Impact:
Inability to log into the system, or inability to configure the system for the user in question.

Workaround:
The GID for the desired role should be the GID directly mapped to the user in the external authentication system (for example, in LDAP, the gidNumber on the user object should be the F5 role GID), rather than a secondary GID (for example, in LDAP, the gidNumber on a group of which the user is a member).

Fix:
All GID role mappings are properly considered when discovering role assignments for users in external authentication systems.


1365821-1 : Traffic loss of 5-10 seconds after disable/enable of LACP Lag member on r5000/r10000

Component: F5OS-A

Symptoms:
Disabling and then re-enabling a LACP Lag member can result in traffic loss of up to 10 seconds on r5000/r10000 platforms.

Conditions:
Disable then re-enable LACP Lag member on r5000/r10000 platforms.

Impact:
Traffic loss lasting up to 10 seconds.

Workaround:
N/A

Fix:
Don't hold a mutex while processing the set of links to initialize. Make a copy of the links and release the mutex instead.


1360905-2 : Unexpected log messages in /var/log/boot.log post-integrity recovery

Component: F5OS-A

Symptoms:
Users may observe the following inappropriate log message in /var/log/boot.log after recovering from integrity failure:

Sep 28 08:45:08 appliance-1 journal: FIPS Integrity Check: This system has been placed in an error state. Try to recover the system using /usr/libexec/ostree_recover utility or reinstall the system. On many devices pressing the escape key followed by '(' key will bring up a menu that allows the system to be restarted.

Conditions:
The integrity failure occurs when the device is in FIPS mode, and a user alters or removes a file, subsequently executing an on-demand integrity test or a boot-up integrity test.

Impact:
There are no noticeable performance issues or anomalies associated with these log messages, and the issue does not affect the overall system performance or user experience. There are no potential risks or security concerns related to the inappropriate log messages.

Workaround:
N/A

Fix:
The code has been modified to provide more user-friendly log messages.


1359897-1 : rSeries link down events can be missed

Links to More Info: BT1359897

Component: F5OS-A

Symptoms:
The rSeries platform can occasionally fail to detect a link going down due to the removal of the cable.

Conditions:
Remove fiber optic cable.

Impact:
Links that are DOWN stay operationally UP. This can lead to erroneous LACP and/or LAG state.


1359277-1 : ConfD CLI timed out and subsequently sees Error: application communication failure

Component: F5OS-A

Symptoms:
CLI times out if the respective action is not completed within the specified time interval.

Conditions:
The action to perform takes more time than the specified timeout interval.

Impact:
Unable to perform ConfD action.

Workaround:
The respective container can be restarted or a system reboot can be performed.

Fix:
When a timeout event occurs, the CLI disconnects from the handler and cannot reconnect to it to perform subsequent actions.
A fix has been implemented so that the CLI reconnects successfully after a timeout event, which prevents the "application communication failure" error. You might still see a timeout when the system is busy, but you will be able to perform the required actions a few seconds or minutes later.


1355277-3 : Incorrect Vlan Listeners when a Static FDB is configured

Component: F5OS-A

Symptoms:
When a Static FDB is configured on an interface, Vlan Listeners associated with that interface will have an extra Service ID configured for Service ID 1.

Conditions:
A Static FDB is configured on an interface.

Impact:
Extra broadcast traffic will be generated on the system, which could affect performance.

Workaround:
N/A

Fix:
N/A


1354373 : WebUI malfunctions when navigating to HSM Details with inactive FIPS drivers

Component: F5OS-A

Symptoms:
If the FIPS card is not initialized properly due to inactive FIPS drivers, navigating to certain pages will break the webUI.

Conditions:
When the FIPS card is not initialized properly due to inactive FIPS drivers, the "HSM Details" and "Add FIPS Partition" screens on the webUI break.

Impact:
A blank screen appears, and users are unable to see the left navigation bar to switch to other screens.

Workaround:
To work around this issue, remove the screen name from the URL, which will navigate the user to the dashboard screen.

Fix:
On a system where the FIPS card is not initialized properly, navigating to the "HSM Details" and "Add FIPS Partition" screens no longer results in a break.


1354341-2 : Changing a VLAN from trunked (tagged) to native (untagged) on a LAG in a single transaction can cause traffic outage

Links to More Info: BT1354341

Component: F5OS-A

Symptoms:
Traffic outage after changing a VLAN assigned to a LAG from Trunk to Native in a single commit.

Conditions:
Changing a VLAN assigned to a LAG from Trunk to Native in a single commit.

Impact:
Traffic outage.

Workaround:
First remove the Trunk VLAN from the LAG, then commit the change. Then add the Native VLAN to the LAG and commit the change.


1352449-1 : iHealth upload is failing with error "certificate signed by unknown authority"

Component: F5OS-A

Symptoms:
When attempting to use the QKView upload feature, the upload may fail with the message "certificate signed by unknown authority". This is due to a recent change in certificate authority that is inconsistent between F5OS and iHealth.

Conditions:
Always, after mid-September 2023.

Impact:
Unable to upload QKView files to iHealth with a single click.

Workaround:
Users may use the File Export feature to download QKView files to their PCs, and then upload those files to iHealth.

You can find the qkview files in the GUI at System Settings :: File Utilities, then choose "diags/shared" as the base directory, then select "qkview".

Fix:
Certificate authorities used by the iHealth upload feature in F5OS will be updated.


1352421-1 : L2 services (LACP/LLDP) are down

Links to More Info: BT1352421

Component: F5OS-A

Symptoms:
LLDP and LACP will appear to be non-functional on the F5OS system.

LLDP/LACP PDUs reach the F5OS system, which can be verified with tcpdump.

Conditions:
-- LLDP or LACP is configured.
-- Links are up.

Impact:
L2 protocols fail to negotiate or register inbound data.

Workaround:
Reboot.


1352353-2 : Remove integrity-check configurable option from CLI

Component: F5OS-A

Symptoms:
In F5OS systems, root and admin users are allowed to toggle the integrity-check option from the CLI. When in FIPS mode, integrity-check should always execute on system startup and when demanded. Since the integrity-check option is configurable, users can disable it which puts the integrity of the system at risk.

Conditions:
The configurable integrity-check option is visible when the device is in FIPS mode.

Impact:
An admin or root user could access the CLI and disable integrity-check. Files and packages could then be replaced, which could impact the integrity of the system.

Workaround:
N/A

Fix:
We have removed the enable/disable integrity-check option from the CLI.


1352045-1 : Not able to connect to tenant console via virtctl after upgrade

Component: F5OS-A

Symptoms:
Unable to connect to the tenant console via virtctl after upgrading from an older version to 1.7.0. This happens only if a virtctl console is active while the upgrade runs. After the upgrade, a stale kubectl process holding the older certificates remains, which causes the errors.

Conditions:
A virtctl console is active for a tenant at the same time a live upgrade is initiated.

Impact:
Not able to connect console to any tenant after upgrade to 1.7.0.

Workaround:
Kill the stale kubectl process manually.

Fix:
User is able to connect to the tenant console via virtctl after upgrading.


1351893 : ConfD Logging 'Failed to change working directory' Error Message

Component: F5OS-A

Symptoms:
When running the tcpdump client from the ConfD command line interface, ConfD logs a 'failed to change working directory /var/roothome' error message in the devel.log file.

Conditions:
Running tcpdump client from the ConfD CLI.

Impact:
No known impact.

Workaround:
No workaround.

Fix:
When ConfD executes external commands, the working directory is set to the user's home directory by default; ConfD logs an error if it cannot find the user's home directory.


1351529-1 : Fixing the log issue stating "UNSUPPORTED STP state" when STP global is configured

Links to More Info: BT1351529

Component: F5OS-A

Symptoms:
A log message appears, stating "UNSUPPORTED STP state" when STP global is configured to RSTP.

Conditions:
Removing the global config (initially set to STP) and setting it to RSTP.

Impact:
Affects the reliability and correctness of log messages.

Workaround:
N/A


1349677 : K3S Cluster will be reinstalled during upgrade from 1.5.0 or lower versions to 1.7.0

Component: F5OS-A

Symptoms:
The K3S cluster is reinstalled during an upgrade to 1.7.0 from 1.5.0 or lower versions, which causes a slight increase in the upgrade time.

Conditions:
Upgrade from 1.5.0 or lower versions to 1.7.0.

Impact:
Slight increase in the upgrade time.

Workaround:
The cluster deployment status can be checked using "show cluster install-status".

Fix:
The K3S cluster is reinstalled during an upgrade from 1.5.0 or lower versions to 1.7.0.


1349465-1 : Partition s/w upgrade compatibility check doesn't use correct target version

Links to More Info: BT1349465

Component: F5OS-A

Symptoms:
When performing the partition database compatibility upgrade check (check-version/set-version), the check logic does not always use the correct target version. This potentially can cause the compatibility check to pass, but the actual database upgrade can fail and automatically roll back.

Conditions:
When the target partition version is a patch release (such as 1.5.1, 1.6.1), the compatibility check will use the wrong (base release) version.

Impact:
The check-version/set-version database compatibility check might pass even though the actual upgrade would fail.

Workaround:
Upgrade the controller s/w to version F5OS-C 1.6.1 or later prior to attempting upgrade to a partition patch release.

Fix:
The controller OS services now use the correct partition patch version for the compatibility check.


1348145-1 : Observing 'Failed to send restarting msg to VF' during reboot with tenants deployed causing reboot time to increase

Component: F5OS-A

Symptoms:
While rebooting with tenants deployed, the reboot time increased by 2-3 minutes. A "Failed to send restarting msg to VF" message also appears.

Conditions:
Occurs when rebooting a system where tenants are deployed.

Impact:
No functional impact.

Workaround:
N/A

Fix:
Rebooting time is no longer negatively impacted by tenants being deployed.


1348037-1 : CVE-2023-24329 python: urllib.parse url blocklisting bypass

Links to More Info: K000135921


1345721 : The "show system state boot-time" command does not display any entry

Links to More Info: BT1345721

Component: F5OS-A

Symptoms:
The "show system state boot-time" command does not work properly.

r10900-2# show system state boot-time
% No entries found.

Conditions:
N/A

Impact:
r10900-2# show system state boot-time
% No entries found.

Workaround:
This command is disabled in F5OS-C 1.6.0; it must be disabled in F5OS-A as well.

Fix:
This command is disabled in F5OS-C 1.6.0; it must be disabled in F5OS-A as well.


1341521-4 : Incorrect subnet mask returned for GET call for /systems

Component: F5OS-A

Symptoms:
The GET call for /systems returns the wrong netmask for the management IP on VELOS and rSeries.

Conditions:
BIG-IP Next instances on VELOS and rSeries.

Impact:
Does not impact any functionality. GET API call for /systems returns the wrong subnet mask for the management IP.

Workaround:
Log in to the machine/tenant and check the management IP address by using the ip addr show command.

Fix:
N/A


1330797-1 : Interfaces removed from LACP trunk due to traffic congestion

Component: F5OS-A

Symptoms:
Interfaces repeatedly removed and added to a LACP LAG due to dropped LACP PDUs.

Conditions:
High traffic volume resulting in weighted-random-early-drop (WRED) being invoked.

Impact:
LACP PDUs dropped resulting in loss of LACP state.

Workaround:
Reboot affected blade.

Fix:
Modify LACP, STP and LLDP to use class-of-service 0 (highest priority) for PDUs.


1330793-1 : Interfaces removed from LACP trunk due to traffic congestion

Component: F5OS-A

Symptoms:
Interfaces repeatedly removed and added to a LACP LAG due to dropped LACP PDUs.

Conditions:
High traffic volume resulting in weighted-random-early-drop (WRED) being invoked.

Impact:
LACP PDUs dropped resulting in loss of LACP state.

Workaround:
Reboot affected blade.

Fix:
Adjust traffic management settings for Class-of-Service '0' (highest priority) so it is never dropped due to weighted-random-early-drop.


1330717 : LLDP neighbors are not getting discovered

Component: F5OS-A

Symptoms:
When a user configures all LLDP interfaces at one time, the LLDP neighbor details do not appear.

Conditions:
Configure all LLDP interfaces at one time.

Impact:
The "show lldp" command will not show neighbor details even if the interfaces/ports are connected to a peer switch.

Workaround:
The issue arises when all LLDP interfaces are configured at one time. However, if the LLDP interfaces are disabled and then enabled one by one, the issue is generally not observed.

Fix:
The issue arises when all LLDP interfaces are configured at one time. However, if the LLDP interfaces are disabled and then enabled one by one, the issue is generally not observed.


1330429-1 : Port Mappings screen on webUI displays "GB" for bandwidth instead of "Gb"

Component: F5OS-A

Symptoms:
When a user navigates to the "Port Mappings" screen on the webUI, Capacity Bandwidth and Allocated Bandwidth incorrectly display "GB" as the units. It should be "Gb" [gigabit].

Conditions:
Going to the "Port Mappings" screen on the webUI.

Impact:
This does not affect the functionality. Capacity Bandwidth and Allocated Bandwidth values are correct except for the units.

Workaround:
N/A

Fix:
The "Port Mappings" screen now displays appropriate units for Capacity Bandwidth and Allocated Bandwidth, correcting the representation to "Gb."


1329161-1 : In non-FIPS mode, added support for the SSH-RSA host key algorithm

Links to More Info: BT1329161

Component: F5OS-A

Symptoms:
Not able to establish an SSH connection using the SSH-RSA host key algorithm in non-FIPS mode.

Conditions:
Connect to the device from the SSH client using the SSH-RSA host key algorithm in non-FIPS mode.

Impact:
The SSH connection to the device could not be established.

Workaround:
None

Fix:
Added SSH-RSA host key algorithm support in non-FIPS mode.


1329021-1 : Display order of interfaces/portgroups in ConfD CLI are not in numerical order

Component: F5OS-A

Symptoms:
Interfaces/portgroups are not listed in numerical order when viewing from the ConfD CLI.

Conditions:
Occurs when running the following commands on the ConfD CLI:

show interfaces interface state oper-status

show running-config portgroups portgroup

Impact:
Affects readability.

Workaround:
N/A

Fix:
Interfaces/portgroups are now listed in numerical order when displayed from the CLI.


1328977 : Appliance Orchestration Manager fails due to memory corruption

Links to More Info: BT1328977

Component: F5OS-A

Symptoms:
Appliance Orchestration Manager fails, leading to a restart of its docker container. A core file is also generated.

Conditions:
There are no preconditions. The failure is caused by memory corruption in the system, and the issue is not consistent.

Impact:
OMD restarts; this will not generally disturb the tenant's functionality.

Workaround:
N/A

Fix:
Fixed the issues related to memory corruptions in the appliance Orchestration Manager.


1328405-4 : F5OS system stopped generating tmstat snapshots

Links to More Info: BT1328405

Component: F5OS-A

Symptoms:
The F5OS system is not generating tmstat snapshots, which help in diagnosing issues.

Conditions:
System is running an affected version of F5OS software (F5OS-A 1.2.0 and above, or F5OS-C 1.6.0 and above).

Impact:
Impacts the supportability of the device; the support teams usually rely on the snapshots while working on field issues.


1327701 : Space in SNMP community/user/target name causing snmpd container restart

Links to More Info: BT1327701

Component: F5OS-A

Symptoms:
When there is a space in any SNMP community/user/target name configuration, this will cause an F5OS snmpd service restart.

Conditions:
When there is a space in an SNMP community/user/target name configuration.

Impact:
F5OS snmpd restarts.

Workaround:
Reconfigure the SNMP community/user/target without a space in the name.

Fix:
Added a space restriction in SNMP community/user/target name configuration so the user can no longer configure with a space.


1326725 : Unable to generate SNMP Trap for IPV6

Links to More Info: BT1326725

Component: F5OS-A

Symptoms:
Generating SNMP traps for IPv6 is not working.

Conditions:
1. Configure SNMP traps for an IPv6 address:

appliance-1# show system snmp
system snmp engine-id state engine-id 80:00:2f:f4:03:00:94:a1:38:33:02
system snmp engine-id state type mac
system snmp state port 5000
system snmp targets target v1_target
 state name v1_target
 state community c1
 state security-model v1
 state ipv6 address 2620:128:e8:49:f816:3eff:fe9:248e
 state ipv6 port 5011
            SECURITY
NAME NAME MODEL
----------------------
c1 c1 [ v1 ]


2. Try to collect SNMP traps on targeted system:

[root@testvm ~]# snmptrapd -Lof 2620:128:e008:4009:f816:3eff:fe09:248e:5011
NET-SNMP version 5.7.2

Impact:
SNMP traps for IPv6 addresses won't work.

Workaround:
N/A

Fix:
We corrected the code for generating SNMP traps for IPv6 addresses.


1326541 : In r2000 and r4000 systems, alarm LED is not set when there are alerts raised in the system

Links to More Info: BT1326541

Component: F5OS-A

Symptoms:
When the system has an active alarm, the alarm LED is not set, and diag-agent does not clear all the alarms during boot-up.

Conditions:
Applicable for r2000 and r4000 systems.

Impact:
The alarm LED is not set when the system generates an alarm, and diag-agent does not clear all the alarms during boot-up.

Workaround:
Alarms generated by the system can still be viewed using ConfD.

Fix:
When the system generates an alarm, the alarm LED is set, and diag-agent clears all the alarms during system boot-up.


1326157 : Observed multiple containers restarting and cores generating after PXE installation

Component: F5OS-A

Symptoms:
As a result of "permission denied" errors, some containers begin crashing after a PXE installation. Core files are also generated.

Conditions:
Seen due to a timing issue after PXE installation. Some containers come up before they can be supported.

Impact:
Containers crash or functionality is impacted. Core files are generated.

Workaround:
Modify /var/docker/config/platform.yml by adding the lines marked with "+" below:

+ selinux_labeler:
+   container_name: selinux_labeler
+   image: ${platform_services_registry}/system_network:1.4.14
+   volumes:
+     - /var/F5/system:/var/F5/partition:z
+   labels:
+     f5.service.type: "system"

  identifier:
    container_name: system_latest_vers
    image: ${platform_services_registry}/system_network:1.4.14
+   depends_on:
+     - selinux_labeler

Then, restart the platform-services-deployment.service.

Fix:
Containers should not be crashing after a PXE installation now. No core files should be generated.


1325365 : CVE-2022-25883 - semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS)

Component: F5OS-A

Symptoms:
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Semver has been upgraded to a non-vulnerable version.


1324737 : The output of the command "ethtool --show-priv-flags" on all interfaces needs to be collected in QKView

Links to More Info: BT1324737

Component: F5OS-A

Symptoms:
Before, output from the command "ethtool --show-priv-flags" was not being collected in QKView for any of the interfaces.

Conditions:
The user generates a QKView file. The output of the command "ethtool --show-priv-flags" is missing in the 'Commands' section of the QKView.

Impact:
Having access to this command's output will help to identify if the 'vf-true-promisc-support' flag is SET/UNSET. This additional information can help the support team debug issues.

Workaround:
N/A

Fix:
Output for the command "ethtool --show-priv-flags" is now collected for each interface in the 'Commands' section of QKView.


1322817-3 : BIND vulnerability CVE-2023-2828

Links to More Info: K000135312


1322225 : Observing tenant pods are stuck in pending state after upgrade

Component: F5OS-A

Symptoms:
Sometimes, a tenant that was deployed in an older version (e.g. 1.5.0) will not come up after upgrading. An UnexpectedAdmissionError is logged stating "Allocate failed due to rpc error: code = Unknown desc = No matching tenant., which is unexpected"

Conditions:
Intermittently happens when upgrading a tenant from an older version.

Impact:
Tenant is stuck in pending state.

Workaround:
N/A

Fix:
Tenants should now run as expected. No UnexpectedAdmissionError should be logged.


1317793 : F5OS qat-support-pod service crashed with SIGBUS error

Links to More Info: BT1317793

Component: F5OS-A

Symptoms:
Sometimes, a script inside qat-support-pod cannot handle a SIGBUS signal that it receives.

Conditions:
Intermittently seen without any specific conditions.

Impact:
No functional impact, only a core file gets generated.

Workaround:
N/A

Fix:
We haven't seen this issue since the fix went in. However, since there isn't a specific use case to repro, the exact scenario can't be tested.


1316161 : CVE-2023-24329 in python-libs-2.7.5-90.el7

Links to More Info: K000135921


1316153 : CVE-2023-24329 in python-2.7.5-90.el7

Links to More Info: K000135921


1315149-2 : Users authenticated via TACACS+ cannot log in via serial console

Links to More Info: BT1315149

Component: F5OS-A

Symptoms:
If remote authentication is configured to use TACACS+, users authenticated via TACACS+ cannot log in via the system serial console.

SELinux errors in /var/log/audit/audit.log similar to the following:

type=AVC msg=audit(1691528610.427:121): avc: denied { name_connect } for pid=13249 comm="login" dest=49 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0

Conditions:
-- TACACS+ remote authentication.
-- Attempting to log in to system via serial console.

Impact:
Only locally-defined users can log in to the system via serial console.

Workaround:
Configure the SELinux policy to allow this traffic. On a VELOS chassis, these instructions must be run on each system controller separately.

1. Connect to the F5OS system via SSH as root.

2. Examine the SELinux audit denials and confirm all of them are associated with traffic that should be allowed:

grep 'denied.*name_connect.*comm="login"' /var/log/audit/audit.log > /root/login-audit-denials.log
cat /root/login-audit-denials.log

Remove entries from the file /root/login-audit-denials.log that you do not want to allow.

3. After confirming the contents of the file /root/login-audit-denials.log, run the following commands to create and install an SELinux policy to allow that traffic:

audit2allow -M login.allowtacacs < /root/login-audit-denials.log
semodule -i login.allowtacacs.pp
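Step 2 asks the operator to confirm that every line kept in /root/login-audit-denials.log is the TACACS+ login traffic before audit2allow turns it into a policy in step 3. The following is an added helper to make that review mechanical; it is not part of the release note and not F5OS code. It applies the same selection as the grep in step 2, then separates records that match the denial quoted in Symptoms (the "login" program making a TCP name_connect to port 49, labelled reserved_port_t) from anything else that matched and should be removed from the file. The audit lines are constructed; only the first one is the line quoted above, the other two are made up to show what the review has to catch.

```python
import re

# Constructed sample of /var/log/audit/audit.log content. Line 1 is the
# denial quoted in the release note; lines 2 and 3 are made-up denials
# that must NOT end up in the policy module.
AUDIT_SAMPLE = """\
type=AVC msg=audit(1691528610.427:121): avc: denied { name_connect } for pid=13249 comm="login" dest=49 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1691528612.300:123): avc: denied { name_connect } for pid=13260 comm="login" dest=443 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1691528613.500:124): avc: denied { read } for pid=13270 comm="sshd" name="shadow" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
"""

# The same selection the grep in step 2 of the workaround performs.
STEP2_GREP = re.compile(r'denied.*name_connect.*comm="login"')

# key=value fields of an AVC record, and the "denied { perm }" clause.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r"denied \{ ([^}]*) \}")

# Shape of the denial the fix is about, taken from the line in the note:
# the login program, TCP port 49 (TACACS+), target type reserved_port_t.
EXPECTED = {
    "comm": "login",
    "dest": "49",
    "tclass": "tcp_socket",
    "ttype": "reserved_port_t",
    "perm": "name_connect",
}


def parse_avc(line):
    """Return a dict of the AVC fields from one audit.log line, or None."""
    if "type=AVC" not in line:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERM_RE.search(line)
    fields["perm"] = m.group(1).strip() if m else ""
    # An SELinux context is user:role:type[:range]; the type is index 2.
    tctx = fields.get("tcontext", "")
    fields["ttype"] = tctx.split(":")[2] if tctx.count(":") >= 2 else ""
    return fields


def is_expected(rec):
    """True when the record is exactly the TACACS+ login denial."""
    return all(rec.get(k) == v for k, v in EXPECTED.items())


def triage(audit_text):
    """Split step 2's matches into (safe for audit2allow, remove/investigate)."""
    keep, remove = [], []
    for line in audit_text.splitlines():
        if not STEP2_GREP.search(line):
            continue  # the grep in step 2 would not have selected it
        rec = parse_avc(line)
        (keep if rec and is_expected(rec) else remove).append(line)
    return keep, remove


if __name__ == "__main__":
    keep, remove = triage(AUDIT_SAMPLE)
    print("keep for audit2allow:")
    print("\n".join(keep))
    print("remove before step 3:")
    print("\n".join(remove))
```

The second constructed line is the case worth noticing: it is selected by the step 2 grep (it is a name_connect denial for comm="login"), but its target is http_port_t on port 443, so feeding it to audit2allow would grant the login program more than the fix needs. Running the helper against the real /root/login-audit-denials.log and keeping only the "keep" lines is a direct way to honour the "remove entries ... that you do not want to allow" instruction.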

Fix:
A missing SELinux exception has been added. Users authenticated via TACACS+ are now able to log in via serial console without having to manually add the exception or turning off SELinux.


1315121-4 : Key migration failure and potential corruption updating to 1.5.0 or later with deployed tenants

Links to More Info: BT1315121

Component: F5OS-A

Symptoms:
When setting a new primary key after upgrading from an older release (such as 1.1.1 or older), where tenants are deployed, to 1.5.0 or newer, the key migration may fail.

The migration failure may cause configuration database corruption for the entire system.

Conditions:
Tenants are deployed on release 1.1.1 or older. Upgrade to 1.5.0 or newer (including through intermediate upgrades, such as 1.1.1 -> 1.3.2 -> 1.5.1). Set new primary key.

Impact:
Setting a new primary key may fail. When this failure occurs, system configuration corruption may occur.

Workaround:
Mitigation to prevent failure:
- Change all tenants to the configured state
- Set a new primary key
- Wait for key migration to complete
- Return tenants to deployed state.

Recovery for corruption:
- Reset device to default configuration
- Set the primary key to the known primary key for a known-good backup
- Restore with known-good backup

Fix:
Fix known causes of database corruption on primary key migration failure. While the primary key configuration may still fail if tenants are in deployed state, it should no longer cause system corruption.


1315065-2 : RSA-1024 SSH public keys should not be allowed in FIPS mode

Links to More Info: BT1315065

Component: F5OS-A

Symptoms:
When logging into an F5OS or BIG-IP system that is in FIPS mode, RSA-1024 SSH public keys should not be allowed to make the connection. Users should instead be prompted for a password.

Conditions:
User creates a RSA-1024 SSH public key and uses it to connect to the system, while the system is in FIPS mode.

Impact:
The user is allowed to authenticate with the key, which should not be allowed.

Workaround:
N/A

Fix:
Users cannot authenticate with a RSA-1024 SSH public key while the system is in FIPS mode.


1314917-1 : Command "show system health components component psu-2" results in errors

Links to More Info: BT1314917

Component: F5OS-A

Symptoms:
When a second PSU is added to an R2/R4 device, the system health does not show psu-2 as a known component.

Conditions:
After a second PSU is inserted, if a power cycle or system reboot happens, diag-agent is sometimes not completely up yet; it misses the bmc-events generated for PSU presence and records the PSU as not present.

Impact:
This will cause diag-agent to update the PSU as not present, and it will not be shown in "show system health".

Workaround:
As a workaround, run the following platform-hal psf actions, which generate the bmc-events for PSU presence again:

docker exec -ti platform-hal psf run POST:bmc/rearm-sensor-events sensorNumber=1
docker exec -ti platform-hal psf run POST:bmc/rearm-sensor-events sensorNumber=2

Fix:
Updated diag-agent to initiate bmc re-arm sensors only once diag-agent is up properly, so that it does not miss any bmc-events.


1314497-1 : Unable to delete the static LAG from webUI

Links to More Info: BT1314497

Component: F5OS-A

Symptoms:
User is unable to use the webUI to delete the static LAG that is created through the CLI.

Conditions:
a) The LAG is created with type LACP and later changed to STATIC.
b) The user tries to delete the LAG from the webUI.

Commands:
> interfaces interface lag1 aggregation config lag-type LACP
> once lag1 is created, change the lag1 type to STATIC

Impact:
LAG can not be deleted from webUI.

Workaround:
Delete the lag from the CLI:
> no lacp interfaces interface lag2
> commit
> no interfaces interface lag2
> commit


1314453 : Datapath is broken when LAG type is changed from LACP to Static on r2000/r4000 platforms

Links to More Info: BT1314453

Component: F5OS-A

Symptoms:
On r2000 and r4000 platforms, a LAG can be created as type LACP with a BIG-IP tenant. Later, when the datapath is up and running, if the LAG type is changed to Static, the datapath on the tenant breaks: the platform reports the state of the LAG members as DOWN, so the LAG is DOWN on the BIG-IP tenant.

Conditions:
When LAG type is changed from LACP to Static.

Impact:
Datapath is completely broken while using the LAG configured.

Workaround:
Bring the DOWN members of the LAG back to UP by disabling and then re-enabling each member interface:
1. interfaces interface <ifc name> config admin disable

This puts the interface in the DOWN state; then move it back to the enabled state:

2. interfaces interface <ifc name> config admin enable

Fix:
Datapath no longer breaks when changing the LAG type from LACP.


1314393-3 : CVE-2023-32067 c-ares: 0-byte UDP payload Denial of Service

Links to More Info: K000135831


1314169-3 : Tenant service-id mismatch between fdb mac-table and service-instance entries

Links to More Info: BT1314169

Component: F5OS-A

Symptoms:
The tenant service-instance IDs do not match the fdb mac-table service-ids. This happens when the system attempts to read a field that does not exist in the /services table.

Conditions:
Configuring tenants on F5OS-A.

Impact:
Fails to add all the additional services of a tenant to the service instance.

Workaround:
No workaround exists for older F5OS releases. Need to upgrade to F5OS-A 1.6.0 or later.

Fix:
The system no longer attempts to read a field that does not exist in the /services table. The tenant service-instances IDs are now matching with the fdb mac-table service-ids.


1313329-1 : Downloaded F5OS ISO file missing after reboot

Links to More Info: BT1313329

Component: F5OS-A

Symptoms:
The system deletes ISOs that are not verified. If a user reboots the system while an ISO import is in progress, the ISO "fails" verification and is deleted.

Conditions:
Seen if a user reboots the system while an ISO import is in progress (e.g. verifying state).

Impact:
ISO file will be deleted.

Workaround:
Download the ISO again and wait until it has been verified before rebooting.

Fix:
There is no longer an issue with rebooting the system while an ISO import is in progress.


1312169 : User expiration is not configurable nor viewable on the webUI

Links to More Info: BT1312169

Component: F5OS-A

Symptoms:
User expiration is not configurable nor viewable on the webUI.

Conditions:
Trying to configure/view user expiration on webUI.

Impact:
The user cannot view or modify the expiry information for a system user account.

Workaround:
The expiry information for a user account can be viewed or configured at CLI.

Fix:
On the webUI the "Account Locked" widget will be replaced by the "Expiry Status" configuration which will allow locking the user in a similar fashion as the CLI.


1311953 : Platform-services-deployment service does not come up when system reboots early after PXE install

Component: F5OS-A

Symptoms:
The platform-services-deployment service fails to come up if the system reboots while an image import is in progress after a PXE install.

Conditions:
Occurs only after a PXE install, when a reboot is triggered while the image import is still in progress. The platform-services-deployment startup script did not wait long enough for sw-mgmt to set up the env_var file.

Impact:
Platform-services-deployment does not come up for the system.

Workaround:
N/A

Fix:
Implemented retry mechanism in platform-services-deployment startup script which will wait for the env_var file setup by sw-mgmt service.


1311309 : On r2k or r4k systems, improved VF creation by adding health checks and retrials

Component: F5OS-A

Symptoms:
On r2k or r4k systems, the VF creation process under each PF intermittently left VFs without the expected sysfs entries:
1. Not all four VFs are created under a PF (check with: ip link show <PF>)
2. The `driver` soft link is not created for the VF in sysfs
3. The `net` directory is missing for the VF in sysfs
4. The `net` directory has no entries for a newly created VF in sysfs

Conditions:
When an r2k or r4k system boots, VF creation under each PF is triggered; the system checks the VF state and retries VF creation if any of the following is found:
1. Not all four VFs are created under a PF (check with: ip link show <PF>)
2. The `driver` soft link is not created for the VF in sysfs
3. The `net` directory is missing for the VF in sysfs
4. The `net` directory has no entries for a newly created VF in sysfs

Impact:
Tenant creation stalls because there are insufficient, unready, or unhealthy VFs for the datapath to consume.

Workaround:
If VF creation still has not succeeded after six retries (about three minutes after boot), reboot the host system. The condition is indicated by one of the following messages in /var/log/messages:

"Intel NIC PFs/VFs are not ready to deploy tenant(s). Only ${valid_pf_count}/${no_of_active_pfs} PFs had valid VFs. Suggest to reboot host system. "

"Intel NIC PFs/VFs are not ready to deploy tenant(s). Suggest to reboot host system."

Fix:
Validation of the VF entries in sysfs has been fixed. A finite number of retries now recreates any VFs found unhealthy; if the retries do not recover the VFs, the system suggests rebooting the host.


1311049 : For a system that has interfaces with 1GB speed, the network tab on the webUI dashboard is not showing all information

Links to More Info: BT1311049

Component: F5OS-A

Symptoms:
If a system has an interface with a speed of 1GB, when the user opens the Network tab on the webUI dashboard, the data that should appear on the system graphic (such as interface speed and operational status) is not shown.

Conditions:
A system that has an interface with 1GB speed.

Impact:
The system graphic on the Network tab of the webUI dashboard is not showing interface information.

Workaround:
N/A

Fix:
Now the code is made to handle any port speed coming from the back-end response.


1307597 : System does not report ISO as in use in "show system image"

Component: F5OS-A

Symptoms:
When setting the ISO within the ConfD CLI using set-version, "show system image" will not show the ISO as in use.

Conditions:
Using set-version within the ConfD CLI to set the ISO version. Then, running the command "show system image".

Impact:
Users cannot tell which ISO is in use; they have to cross-correlate the OS and Service versions to determine it.

Workaround:
N/A

Fix:
A user can now see which ISO currently is in use with "show system image".


1306869 : CVE-2021-44716 in golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Component: F5OS-A

Symptoms:
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
net/http in Go has been upgraded to a non-vulnerable version.


1306861 : CVE-2022-30633 in golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Component: F5OS-A

Symptoms:
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4 allows a user to cause a panic due to stack exhaustion via unmarshalling an XML document into a Go struct which has a nested field that uses the 'any' field tag.

Conditions:
Uncontrolled recursion in Unmarshal in encoding/xml before Go 1.17.12 and Go 1.18.4

Impact:
N/A

Workaround:
N/A

Fix:
Go has been updated to a non-vulnerable version.


1306773 : CVE-2022-27664 in golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Component: F5OS-A

Symptoms:
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Go has been updated to a non-vulnerable version.


1306749 : CVE-2022-28131 in golang.org/x/net-v0.0.0-20201021035429-f5854403a974

Component: F5OS-A

Symptoms:
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows a panic due to stack exhaustion via a deeply nested XML document.

Conditions:
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4

Impact:
This may cause a panic due to stack exhaustion via a deeply nested XML document.

Workaround:
N/A

Fix:
Go has been updated to a non-vulnerable version.
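The two encoding/xml entries above (1306861, Unmarshal into a struct with a ",any" field, and 1306749, Decoder.Skip) share one failure mode: one level of recursion per nested element with no bound, so a deeply nested document exhausts the stack. The following is an added example, not F5OS code and not code from the Go project; it shows the check a consumer of untrusted XML would place in front of the decoder: an iterative depth count over the token stream that rejects over-deep input before Unmarshal or Skip ever recurse. MaxDepth, the Node type, and the constructed NestedDoc input are assumptions for illustration.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"strings"
)

// MaxDepth is an assumed nesting limit; pick one that covers the documents
// you legitimately accept. An explicit guard in application code keeps the
// bound visible and tunable regardless of what the runtime enforces.
const MaxDepth = 64

// ErrTooDeep is returned when element nesting exceeds the limit.
var ErrTooDeep = errors.New("xml: element nesting exceeds limit")

// CheckDepth walks the token stream with a counter instead of recursion and
// returns the deepest nesting seen. It stops as soon as the limit is crossed,
// so a hostile document costs O(limit) work rather than a stack overflow.
func CheckDepth(doc string, maxDepth int) (int, error) {
	dec := xml.NewDecoder(strings.NewReader(doc))
	depth, deepest := 0, 0
	for {
		tok, err := dec.Token()
		if err == io.EOF {
			return deepest, nil
		}
		if err != nil {
			return deepest, err
		}
		switch tok.(type) {
		case xml.StartElement:
			depth++
			if depth > deepest {
				deepest = depth
			}
			if depth > maxDepth {
				return deepest, ErrTooDeep
			}
		case xml.EndElement:
			depth--
		}
	}
}

// Node mirrors the pattern named in CVE-2022-30633: a struct whose nested
// field carries the ",any" tag, which Unmarshal descended into recursively.
type Node struct {
	XMLName  xml.Name `xml:"a"`
	Children []Node   `xml:",any"`
	Text     string   `xml:",chardata"`
}

// SafeUnmarshal rejects over-deep input before handing it to encoding/xml.
// The same guard protects a later Decoder.Skip (CVE-2022-28131), which
// recursed once per nested element.
func SafeUnmarshal(doc string, maxDepth int, v interface{}) error {
	if _, err := CheckDepth(doc, maxDepth); err != nil {
		return err
	}
	return xml.Unmarshal([]byte(doc), v)
}

// NestedDoc builds a constructed test document of n nested <a> elements.
func NestedDoc(n int) string {
	return strings.Repeat("<a>", n) + "x" + strings.Repeat("</a>", n)
}

func main() {
	for _, n := range []int{3, 10000} {
		var root Node
		err := SafeUnmarshal(NestedDoc(n), MaxDepth, &root)
		fmt.Printf("nesting %d: err=%v\n", n, err)
	}
}
```

The document is tokenized twice (once for the check, once for Unmarshal); for large inputs, buffer once and reuse, or fold the counter into a streaming decoder loop. Upgrading Go, as the Fix above does, removes the unbounded recursion; the pre-check remains worthwhile because it lets you pick a limit that matches your schema rather than the library's.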


1306649 : Rapid removal and re-insertion of 10G optics may result in link failure

Component: F5OS-A

Symptoms:
An interface link remains down.

Conditions:
Removing and re-insertion of the SFP module within a few seconds.

Impact:
Interface link remains down.

Workaround:
There are two workarounds:
1. After removing the SFP module, wait for 2 to 3 minutes before re-inserting the SFP module. This may not work 100% of the time.
2. Reboot the appliance.


1306197 : The "show system image" command is taking more time than expected to display the output

Component: F5OS-A

Symptoms:
The "show system image" command is taking more time than expected to display the output.

Conditions:
Execute the "show system image" command. Check for the CLI output.

Impact:
Degraded user experience when executing the "show system image" command.


1305005-4 : Error handling in F5OS file-download API

Links to More Info: BT1305005

Component: F5OS-A

Symptoms:
Upon file download failure, API is returning an Apache error page that isn't an F5OS-specific error and isn't aligned with other F5OS API errors. This is a negative user experience.

Conditions:
Errors were unhandled: when data not in FormData format is passed in a curl request, an Apache error page is returned, which is inconsistent with other F5OS API errors.

Impact:
There is no functional impact. It is a negative user experience.

Workaround:
N/A

Fix:
All errors are handled in the file-download API and aligned with other F5OS APIs errors with no more Apache error pages in error cases.


1304765-1 : A remote LDAP user with an admin role is unable to make config changes through the F5 webUI

Links to More Info: BT1304765

Component: F5OS-A

Symptoms:
When a remote user's GID is mapped to the F5OS system's local GID, the GID mapping is not parsed correctly by the system. If the remote GID is known to the F5 system, there is no issue. For example, a mapping of the form 9000:9000 works fine. However, mapping of the form 5555:9000, 6666:9000 etc. will not work.

Conditions:
Local GID is being mapped to a remote GID.

Impact:
The admin user mapped to a remote GID cannot access the ConfD config mode.

Fix:
Update the system to the version with the fix.


1304657 : tcam-manager does not support all the possible system network subnets

Links to More Info: BT1304657

Component: F5OS-A

Symptoms:
The connection from the tenant (TMM) to the tcam-manager is continuously restarted.

tcam-mgr logs show the wrong tenant-id and therefore reject the connection from the tenant:

msg="INFO" MSG="Connection from client address:10.245.3.1".
msg="ERROR" MSG=" Confd access error obtaining tenant info for tenant:12291 slot:1".
msg="INFO" MSG="neuron_handle_responses: dropping resp to non-existent client".

TMM periodically logs neuron client errors, such as:

notice hudproxy_neuron_client_closed_cb: Neuron client connection terminated
notice pva_sc_frs_neuron_stopped_cb/2373: FRS SC: Neuron client stopped.
notice [DDOS Neuron]Neuron daemon stopped

Conditions:
The 'system network' configuration is changed from its default setting in F5OS.

Impact:
TCAM based features don't work.

Workaround:
Select either the default RFC6598 subnet or any of the unaffected RFC1918 subnets.

Fix:
tcam-manager now correctly calculates the tenant-id for all possible system network subnets.


1303877 : INTEL-SA-00730: CVE-2022-33972

Links to More Info: K000134942


1303125 : Tenants must be moved to 'provisioned' or 'configured' state when downgrading F5OS partition or appliance services from 1.6.0+ to versions below 1.6.0

Links to More Info: BT1303125

Component: F5OS-A

Symptoms:
Tenants must be moved to 'provisioned' or 'configured' state when downgrading F5OS partitions or appliances from 1.6.0+ to versions below 1.6.0. If there are running tenants at the time the downgrade is attempted, it will be blocked.

Conditions:
A downgrade of a VELOS partition or rSeries appliance from ISO version 1.6.0+ to <1.6.0 is attempted.

Impact:
Tenants must be moved to 'provisioned' or 'configured' for the downgrade to succeed.

Workaround:
Tenants must be moved to 'provisioned' or 'configured' for the downgrade to succeed.

Fix:
Tenants must be moved to 'provisioned' or 'configured' state when downgrading F5OS partition or appliance services from 1.6.0+ to versions below 1.6.0


1301837-1 : A remote admin user is not able to enter the ConfD config mode when logged in from SSH

Links to More Info: BT1301837

Component: F5OS-A

Symptoms:
When a remote user's GID is mapped to the F5OS system's local GID, the GID mapping is not parsed correctly by the system. If the remote GID is known to the F5 system, there is no issue. For example, a mapping of the form 9000:9000 works fine. However, mapping of the form 5555:9000, 6666:9000 etc. will not work.

Conditions:
Local GID is being mapped to a remote GID.

Impact:
The admin user mapped to a remote GID cannot access the ConfD config mode.

Workaround:
No workaround.

Fix:
Update the system to the version with the fix.


1301169 : K3S goes down when OMD is restarted

Component: F5OS-A

Symptoms:
K3S went down and failed to come up when OMD restarted due to memory corruption.

Conditions:
This is caused by essential flags missing from the system. The appliance OMD depends on the flags inside the /var/omd directory.

Impact:
When K3S goes down, the cluster is down, which results in service down.

Workaround:
When the cluster goes down due to missing flags, it can be brought back up by clearing the stale flags and tokens. Please contact F5 Support.

Follow instructions in https://my.f5.com/manage/s/article/K08061420

Fix:
1. Logging is now in place when /var/omd/ flags are deleted or added.

2. The cluster comes up even if it is entering a bad state.


1300805 : Allowing the tenant configuration with more memory than max memory in the appliance

Links to More Info: BT1300805

Component: F5OS-A

Symptoms:
There is no functional impact. The tenant configuration is accepted, but the tenant does not come up, and "show tenants" reports a resource allocation failure.

Conditions:
Configuring the tenant with the memory that is beyond the max limit.

Impact:
The tenant configuration is invalid. There is no impact on existing/running tenants.

Workaround:
Delete the config and re-configure with valid memory.


1298865 : Upgrade compatibility issue from 1.6.0-A to 1.7.0-A, 1.6.0-C to 1.8.0-C and 1.7.0-C to 1.8.0-C

Component: F5OS-A

Symptoms:
As part of this bug fix, webUI banner text and color can be configured or shown only when the webUI banner is enabled; they are not allowed when the banner is disabled.

This introduces an upgrade compatibility issue from 1.6.0-A to 1.7.0-A, 1.6.0-C to 1.8.0-C, and 1.7.0-C to 1.8.0-C (or later).

If the webUI banner was enabled without values for color and text on 1.6.0-A/C or 1.7.0-C, upgrading to 1.7.0-A or 1.8.0-C, where the banner cannot be enabled without text, fails with a compatibility error.

Conditions:
If webUI banner is enabled without text and color details then upgrade from 1.6.0-A to 1.7.0-A, 1.6.0-C to 1.8.0-C and 1.7.0-C to 1.8.0-C will fail with compatibility error.

Impact:
We will not be able to upgrade from 1.6.0-A to 1.7.0-A, 1.6.0-C to 1.8.0-C, and 1.7.0-C to 1.8.0-C with webUI banner enabled and color and text fields empty.

Workaround:
Either disable the webUI banner or enable the webUI banner with color and text fields.

Fix:
WebUI banner text and color details are no longer allowed when the webUI banner is disabled; they can be configured or shown only when the webUI banner is enabled.


1298601 : Part number and serial number of an F5OS-A system not displayed on webUI

Component: F5OS-A

Symptoms:
User cannot find the part number and the serial number of an F5OS-A system on the webUI.

Conditions:
A user logs onto the webUI and looks for information about their part number and their serial number.

Impact:
There is no way for a user to know the part number and the serial number of their system using the webUI.

Fix:
The part number and the serial number are now shown on the 'SYSTEM SETTINGS/General' screen in the 'System Inventory' data-table.


1298329 : Tcpdump capture fails

Links to More Info: BT1298329

Component: F5OS-A

Symptoms:
The identifier container sets an SELinux shared label on a path that is shared across all containers. The issue began when the node-agent container was introduced without a dependency on that container.

The system repeatedly logs this message to the platform log:

tcpdumpd-manager[8]: priority="Crit" version=1.0 msgid=0x5406000000000018 msg="[] global_dmaa_comm init_comm failed ret:" this=0x17c6b50 ret=3.

Conditions:
This issue seems to occur when downgrading a system to an affected version.

Impact:
Tcpdump capture fails.

Workaround:
This issue can be resolved by doing the following:

1. Log into the system as root
2. Edit /var/docker/config/platform.yml
3. Locate the configuration for 'tcpdumpd-manager', and replace the volume that reads:
      - /var/F5/system:/var/tcpdump:z
with:
      - /var/F5/system:/var/tcpdump
4. Save the file
5. Reboot the appliance

Fix:
Root cause of this issue was fixed as part of ID1326157.


1298021 : CVE-2023-2253: DOS attack possible using massive string arrays in golang

Component: F5OS-A

Symptoms:
A flaw was found in the `/v2/_catalog` endpoint in distribution/distribution, which accepts a parameter to control the maximum number of records returned (query string: `n`). This vulnerability allows a malicious user to submit an unreasonably large value for `n`, causing the allocation of a massive string array, possibly causing a denial of service through excessive use of memory.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Golang has been upgraded to a non-vulnerable version.
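The description above is the CVE text. As an added example (not code from distribution/distribution or from F5OS), the handler below shows the bound that closes this class of hole: the client-supplied n is parsed, rejected when malformed or negative, and clamped before anything is sized by it, so the server never allocates in proportion to an attacker's number. MaxCatalogEntries, the repository list, the CatalogPage cursor helper, and the httptest Query helper are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

// MaxCatalogEntries is an assumed upper bound on one catalog page. The page
// describes the flaw as sizing a string array from the client's n; a hard
// bound applied before any allocation is the fix.
const MaxCatalogEntries = 100

// ParseLimit reads the "n" query value and clamps it to [0, max]. Non-numeric
// or negative input is rejected rather than silently defaulted, so clients
// cannot probe for lenient parsing.
func ParseLimit(raw string, def, max int) (int, error) {
	if raw == "" {
		return def, nil
	}
	n, err := strconv.Atoi(raw)
	if err != nil || n < 0 {
		return 0, fmt.Errorf("invalid n %q", raw)
	}
	if n > max {
		n = max
	}
	return n, nil
}

// CatalogPage returns up to n names after the "last" cursor. It re-slices
// the existing list, so memory use is bounded by len(repos), never by n.
// An unknown cursor starts from the beginning (assumed behaviour).
func CatalogPage(repos []string, last string, n int) []string {
	start := 0
	if last != "" {
		for i, r := range repos {
			if r == last {
				start = i + 1
				break
			}
		}
	}
	end := start + n
	if end > len(repos) {
		end = len(repos)
	}
	return repos[start:end]
}

// CatalogHandler serves /v2/_catalog with the bound applied.
func CatalogHandler(repos []string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		q := r.URL.Query()
		n, err := ParseLimit(q.Get("n"), MaxCatalogEntries, MaxCatalogEntries)
		if err != nil {
			http.Error(w, err.Error(), http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(map[string][]string{
			"repositories": CatalogPage(repos, q.Get("last"), n),
		})
	})
}

// Query exercises the handler offline and returns status and body.
func Query(h http.Handler, target string) (int, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, target, nil))
	return rec.Code, rec.Body.String()
}

func main() {
	repos := []string{"app/web", "app/api", "infra/proxy"} // constructed sample
	h := CatalogHandler(repos)
	for _, t := range []string{"/v2/_catalog?n=2", "/v2/_catalog?n=1000000", "/v2/_catalog?n=-1"} {
		code, body := Query(h, t)
		fmt.Printf("%s -> %d %s", t, code, body)
	}
}
```

The same rule applies to any "count" or "limit" parameter on an F5OS or tenant API you expose: validate, then clamp, then allocate.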


1297665 : Occasionally diagnostic agent reports as unhealthy for unpopulated PSU_Slot in health summary and ihealth reports

Links to More Info: BT1297665

Component: F5OS-A

Symptoms:
Diagnostic agent reports as unhealthy for unpopulated PSU_Slot in ihealth reports and "show system health summary" output.

Conditions:
Occurs only when the system has empty PSU slots and the diagnostic agent receives PSU Input State events in a different order.

Impact:
It causes diagnostic agent to report as unhealthy for PSU on the unpopulated slot in health summary.

Workaround:
N/A


1297137 : SNMP requests to the partition were failing after the platform-stats-bridge process failed

Links to More Info: BT1297137

Component: F5OS-A

Symptoms:
SNMP stops working.

Conditions:
platform-stats-bridge stops and does not restart.

Impact:
SNMP requests to the partition will fail.

Workaround:
Reboot the system, or run "docker restart platform-stats-bridge" or "systemctl restart platform-services-deployment.service".

Fix:
The platform-stats-bridge container now restarts if it exits due to a segmentation fault.


1297077 : Error with 'show system image' when same image is copied into /var/import/staging

Component: F5OS-A

Symptoms:
When an image is copied into /var/import/staging more than once, "show system image" shows incorrect information: the status for both copies is "error", and the date and size are also incorrect.

Conditions:
Copying the same image to /var/import/staging and calling "show system image".

Impact:
The "show system image" command shows improper output.

Workaround:
N/A

Fix:
An image will now appear only once when "show system image" is invoked, regardless of the number of times the image is in /var/import/staging. The output is also correct now.


1296525 : qkview may capture log files truncated in a reverse way

Links to More Info: BT1296525

Component: F5OS-A

Symptoms:
qkview captures log files, but may truncate them if too large (greater than 100 MB). A regression was introduced such that the most recent log entries would be truncated rather than the oldest.

Conditions:
Collection of qkview.

Impact:
Log entries may be missing in qkview capture.

Workaround:
When running a qkview capture, set the maxfilesize argument to 1000 (1 GB):

system diagnostics qkview capture maxfilesize 1000

Fix:
QKview now collects the tail end of log files.


1295657 : ARP probes to rSeries management IP are answered by both mgmt and mgmt0-system

Links to More Info: BT1295657

Component: F5OS-A

Symptoms:
Intermittent management connectivity issues.

Conditions:
ARP probes to the rSeries management IP.

Impact:
Intermittent management connectivity issues.

Workaround:
A temporary workaround is to update the ARP-related kernel parameters on the mgmt interface:

sysctl -w net.ipv4.conf.mgmt.arp_ignore=2
sysctl -w net.ipv4.conf.mgmt.arp_announce=1
sysctl -w net.ipv4.conf.mgmt.rp_filter=1


1295141-1 : Ability to change SNMPD listening port

Component: F5OS-A

Symptoms:
The SNMP listening port was fixed at the default of 161 and could not be changed or configured.

Conditions:
snmpwalk worked only on the default port 161.

Impact:
N/A

Workaround:
N/A

Fix:
Added below API to configure SNMP port.

Configuration:
CLI# system snmp config port <port_num>

Show:
CLI# show system snmp state port


1294581 : webUI header shows FQDN for IP address field instead of management IP

Links to More Info: BT1294581

Component: F5OS-A

Symptoms:
When user accesses F5OS webUI using FQDN, the header shows the FQDN for the IP address instead of showing the actual management IP address.

Conditions:
When user accesses F5OS webUI using FQDN.

Impact:
There is no impact on functionality; the header shows the FQDN rather than the management IP address.

Workaround:
To view the management IP address, navigate to the Management IP screen.

Fix:
Login using FQDN shows the IP address on the header instead of the FQDN. Additionally, the IP address label on the login screen is renamed to Address.


1294561-2 : When OCSP is disabled, configurations are not accurately shown outside of 'config' mode

Links to More Info: BT1294561

Component: F5OS-A

Symptoms:
When the OCSP feature is disabled, changes to the OCSP configuration (for example, nonce request or override-responder) are not reflected outside of 'config' mode on the ConfD CLI. When the OCSP feature is enabled, there is no issue.

Conditions:
Occurs when OCSP is set to 'disabled' and changes are made to the OCSP configurations. Running 'show system aaa authentication ocsp' will display incorrect information.

Impact:
No functional impact. User will not be able to see an accurate display of the OCSP configurations while the feature is disabled.

Workaround:
N/A

Fix:
Starting in F5OS 1.8.0, OCSP configurations are accurately displayed even if the feature is disabled.


1294005 : CVE-2019-20907 python: infinite loop in the tarfile module via crafted TAR archive

Links to More Info: K78284681


1293305 : LAG interface status is not updated on the BIG-IP tenant

Links to More Info: BT1293305

Component: F5OS-A

Symptoms:
Symptom 1: Trunk is down in tenant but the LAG is up in F5OS-A.
Symptom 2: LAG is down in F5OS-A but the trunk is up in tenant.

Conditions:
For symptom 1:
1. Set up new rSeries device.
2. Config static LAG and VLAN.
3. Deploy new tenant.
4. In tenant, LAG will be shown as down but interfaces shown as up.
5. This happens only at initial tenant deployment.

For symptom 2:
1. LAG is shown as down in F5OS-A.
2. Trunk is shown as up in tenant.

Impact:
Symptom 1:
On r2x00/r4x00 platforms, as LAG will be in DOWN state, datapath will not be working.

Symptom 2:
On r2x00/r4x00 platforms, LAG status is shown as UP but it's actually DOWN on the platform. Datapath will not be UP, but as LAG is UP in tenant we expect Datapath to be UP.

Symptom 3:
If trunks are used for HA Group the scores associated to the trunks are not deducted from the overall health scores regardless of whether the interfaces in the trunks are up or not.

Workaround:
For both symptoms, restart the "system_api_svc_gateway" service on the host:
#docker restart system_api_svc_gateway


1293013 : "show components component storage state disks disk state" is not auto populating

Component: F5OS-A

Symptoms:
"show components component storage state disks disk state" command does not show data.

But state data is shown using the command "show components component storage state".

Conditions:
N/A

Impact:
No functional impact.

Workaround:
"show components component storage state" can be used to display the state data.

Fix:
Removed the state option for disk, i.e. "show components component storage state disks disk state" and "show components component platform storage state disks disk state", as the data can be displayed using "show components component storage state".


1292405 : CVE-2022-25147 apr-util: out-of-bounds writes in the apr_base64

Links to More Info: K000137702, BT1292405


1291461 : LCD shutdown does not work on r2800 and r4800 platforms

Links to More Info: BT1291461

Component: F5OS-A

Symptoms:
In F5OS-A versions 1.4.0 and later, the button on the LCD menu that is used to shut down the system, when pressed, does not shutdown the system.

Conditions:
With F5OS-A 1.4.0 or later installed, from the LCD touchscreen, click the System button. Select Shutdown from the menu. Click the Shutdown button at the 'Shutdown the system?' prompt.

Impact:
The LCD touchscreen is lacking functionality the user is expecting it to have.

Workaround:
In an external terminal, connect to the unit's AOM. Select P for "Power on/off host subsystem", and then 0 for "Turn host subsystem off". Or, if the system is off, 1 for "Turn host subsystem on"

Fix:
Going into the AOM menu and powering off or powering on the system works as expected and achieves the same thing as using the LCD Shutdown button.


1291353 : LCD application does not update if appliance is power-cycled during firmware update

Component: F5OS-A

Symptoms:
After an OS update, an automatic firmware update runs and attempts to update all necessary firmware images. If the appliance is power-cycled or rebooted while the LCD application is being updated, the LCD update can fail and the system will report the old firmware version.

Conditions:
The OS is updated and an LCD firmware update is required. During that update, the appliance is rebooted or power-cycled, causing the LCD application update not to complete.

Impact:
The LCD application has not been updated and needs to be updated to get the latest features and bug fixes.

Workaround:
After the automatic firmware update process completes, wait at least 5 minutes, then check the file /var/F5/system/AFU_COMPLETE for "AFU_STATUS: FWU_DONE". Restart the system so that the automatic firmware update runs again and reprograms the LCD.

Fix:
After updating the OS, if the LCD firmware update failed, wait at least 5 minutes and verify that AFU is complete by checking the file /var/F5/system/AFU_COMPLETE for "AFU_STATUS: FWU_DONE"; then restart the system so that the automatic firmware update runs again and reprograms the LCD.


1291305 : LACP Mode is passive for a static trunk in tenants running r2800/r4800 platforms

Component: F5OS-A

Symptoms:
LACP Mode set to active or passive mode causes a LAG to participate in negotiation whereas a static LAG configuration does not participate in negotiation. Hence lacp-mode does not make sense for static LAG interfaces.

Conditions:
When a static LAG is created on a platform, and a tenant is launched with a VLAN to which the static LAG interface is associated.

Impact:
An LACPd daemon that runs the LACP protocol is present on r2800/r4800 platforms; the tenant does not depend on the LACP mode configuration, so there is no functional impact. This is a display issue: seeing LACP mode shown as passive for a static LAG interface can be confusing.

Workaround:
There is no workaround for this behavior.


1290941 : LLDP/STPD/LACPD in rSeries is flooding SEP_POLLERR when dma-agent restarts

Links to More Info: BT1290941

Component: F5OS-A

Symptoms:
The following log is flooded in platform.log when dma-agent restarts:
"SEP library in ERR state, sep_client_poll() returns SEP_POLLERR".

Conditions:
dma-agent restart.

Impact:
L2 functions such as LLDP/STPD/LACPD are affected.

Workaround:
Reboot the device.

Fix:
The code no longer floods the logs.


1290617 : Display option "universal-time" is not supported

Links to More Info: BT1290617

Component: F5OS-A

Symptoms:
The display option "universal-time" is a built-in third-party command that F5OS does not support.

Conditions:
User attempts to access the built-in third-party command "universal-time."

Impact:
The correct output for "universal-time" is not displayed. Proper documentation for this third-party command also cannot be found.

Workaround:
N/A

Fix:
F5OS has suppressed this display option.


1290237 : Modified network prefix range for the internal addresses on rSeries

Links to More Info: BT1290237

Component: F5OS-A

Symptoms:
In the older versions, the prefix shows /16. It has been modified to /12 in the current release.

Conditions:
Seen when running the following help command:

$ system network config network-range-type RFC1918 prefix ?
Description:
The network prefix index is used to select the range of IP addresses
used internally within the appliance. The network prefix should be
selected such that internal appliance addresses do not overlap with
site-local addresses that are accessible to the appliance.

Network Prefix Index    Appliance Network Range
0                       10.[0-15].0.0/12
1                       10.[16-31].0.0/12
2                       10.[32-47].0.0/12
3                       10.[48-63].0.0/12

Impact:
No functionality impact.

Workaround:
N/A

Fix:
N/A
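The help text above states the selection rule (the internal appliance range must not overlap site-local addresses reachable from the appliance) but leaves the check to the operator; entry 1304657 earlier on this page shows what goes wrong when the internal subnet is chosen carelessly. As an added example that is not part of F5OS, the program below derives the /12 for each prefix index in the table and reports which indexes collide with a given list of site networks. It models only the four indexes the help output shows; that count, the constructed site networks, and the function names are assumptions.

```go
package main

import (
	"fmt"
	"net"
)

// IndexCount is the number of prefix indexes in the help output above (0-3).
// The page lists no others, so this is an assumption.
const IndexCount = 4

// ApplianceRange returns the /12 the appliance reserves for a prefix index:
// index i covers 10.[16i-16i+15].0.0, i.e. the network 10.(16*i).0.0/12.
func ApplianceRange(idx int) (*net.IPNet, error) {
	if idx < 0 || idx >= IndexCount {
		return nil, fmt.Errorf("prefix index %d not in 0-%d", idx, IndexCount-1)
	}
	_, n, err := net.ParseCIDR(fmt.Sprintf("10.%d.0.0/12", 16*idx))
	return n, err
}

// Overlaps reports whether two networks share any address. Two CIDR blocks
// either nest or are disjoint, so containing the other's base address suffices.
func Overlaps(a, b *net.IPNet) bool {
	return a.Contains(b.IP) || b.Contains(a.IP)
}

// ConflictingIndexes lists, per prefix index, the site-local networks it
// would collide with. An empty slice means the index is safe to select.
func ConflictingIndexes(siteLocal []string) (map[int][]string, error) {
	out := make(map[int][]string)
	for idx := 0; idx < IndexCount; idx++ {
		r, err := ApplianceRange(idx)
		if err != nil {
			return nil, err
		}
		out[idx] = []string{}
		for _, s := range siteLocal {
			_, n, err := net.ParseCIDR(s)
			if err != nil {
				return nil, fmt.Errorf("site network %q: %w", s, err)
			}
			if Overlaps(r, n) {
				out[idx] = append(out[idx], s)
			}
		}
	}
	return out, nil
}

// FirstSafeIndex picks the lowest prefix index with no collision.
func FirstSafeIndex(siteLocal []string) (int, error) {
	conf, err := ConflictingIndexes(siteLocal)
	if err != nil {
		return -1, err
	}
	for idx := 0; idx < IndexCount; idx++ {
		if len(conf[idx]) == 0 {
			return idx, nil
		}
	}
	return -1, fmt.Errorf("every RFC1918 prefix index overlaps a site-local network")
}

func main() {
	// Constructed site networks: two inside 10/8 plus one unrelated range.
	site := []string{"10.1.0.0/16", "10.20.0.0/16", "192.168.0.0/16"}
	conf, _ := ConflictingIndexes(site)
	for idx := 0; idx < IndexCount; idx++ {
		r, _ := ApplianceRange(idx)
		fmt.Printf("index %d %-16s conflicts: %v\n", idx, r, conf[idx])
	}
	idx, err := FirstSafeIndex(site)
	fmt.Println("first safe index:", idx, err)
}
```

Feed it the routes the appliance's management and tenant networks actually see; if every index conflicts, the RFC6598 default (the workaround given for 1304657) is the remaining choice.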


1290053 : VELOS Software version may not be collected consistently across platform by QKView

Component: F5OS-A

Symptoms:
The QKView version format is different as collected by F5OS-A and F5OS-C, and this is reflected when the QKView is displayed by the iHealth service.

Conditions:
This always occurred when capturing a QKView.

Impact:
Occasional parsing difficulties on the iHealth service.

Workaround:
Examine the /etc/PRODUCT file contained in file collection for the host subpackage.

Fix:
Version information format as reported in the manifest.json file within a QKView is now consistent between F5OS-A and F5OS-C.


1289633 : FIPS devices show incorrect vCPUs

Component: F5OS-A

Symptoms:
1. The Dashboard System Summary shows 36 vCPUs rather than the actual number of vCPUs available for Tenant Deployment.
2. The Add/Edit Tenant deployments screen allows selecting up to 36 vCPUs instead of the maximum vCPUs that the platform supports.

Conditions:
FIPS device.

Impact:
No functional impact.

Workaround:
Users can view the correct value for total vCPUs for tenant deployment on the device from the CLI using the following command:

"show cluster nodes node node-1 state node-info"

Fix:
vCPUs information will show appropriately on the dashboard based on the platform support, and Add/Edit Tenant deployment screen will have vCPU options up to the maximum that the platform supports and not beyond that.


1289581 : Certain tenant configuration options should be unavailable on webUI after tenant deployment

Component: F5OS-A

Symptoms:
In the "Edit Tenant Deployments" screen on the webUI, certain configuration options are not allowed after the tenant is created. Some other configurations are not allowed when the tenant is in "running" state. These options are still enabled for editing instead of being disabled.

Conditions:
A user edits tenant configurations that they should not be able to change once a tenant is created or in "running" state.

Impact:
A server error will be shown to the user if they change the configurations.

Workaround:
N/A

Fix:
The options that are not allowed to be configured cannot be edited now.


1288937 : Interface persists with removed VLAN

Links to More Info: BT1288937

Component: F5OS-A

Symptoms:
When a VLAN is deleted while being referenced by an interface or LAG, it cannot be de-referenced from the interface/LAG.

Conditions:
Delete the VLAN before removing the VLAN from the interface.

Impact:
Cannot add the interface to a LAG after deleting VLAN(s) that used the interface.

Workaround:
Recreate the removed VLAN, then edit the interface which shows defined VLAN, remove the defined VLAN, then remove the recreated VLAN.

Fix:
With the fix, the user will be able to view and remove the VLAN in the Add/Edit Interface/LAG screen even if the VLAN was deleted, and thus will be able to detach it from the interface/LAG.


1288897 : Allowed IP rule name, which contains all underscores, will be deleted while upgrading to F5OS-A 1.7.0 and later versions

Links to More Info: BT1288897

Component: F5OS-A

Symptoms:
Customers can create an allowed-ip rule with a name consisting only of underscores, hyphens, or dots, which is not readable.

Conditions:
Creating an allowed-ip rule with a name which contain only allowed special characters.

Impact:
An allowed-ip rule whose name contains only underscores, hyphens, or dots is deleted during the upgrade.

Workaround:
Before upgrading to F5OS-A 1.7.0 or later, rename any allowed-ip rule whose name consists only of special characters to a name containing at least one alphanumeric character.


1287993 : Incorrect PSU mismatch indication for two Murata M1845 PSUs operating at different AC input voltages

Links to More Info: BT1287993

Component: F5OS-A

Symptoms:
If two Murata M1845 AC PSUs are installed in the system and one is operating with an AC input at or above 100V and the second is operating with an AC input below 100V, then an incorrect PSU mismatch condition may occur.

Use the F5OS command "show components" to view voltage details for the PSUs.

Conditions:
Two Murata M1845 AC PSUs, one with an AC input at or above 100V and the other with an AC input below 100V.

Impact:
An incorrect "PSU mismatch" condition may occur.

Workaround:
Ensure both Murata M1845 AC PSUs are in the same input voltage class: both at or above 100V, or both below 100V.

Fix:
There is no PSU mismatch for two M1845 PSUs that are operating at different AC input voltages.


1287073 : EHF build number is not being displayed in ConfD

Component: F5OS-A

Symptoms:
The EHF build number is not being displayed in ConfD. The only thing being displayed is the type of build. There is no way to identify the build number of the EHF build.

Conditions:
Using 'show system image' in the CLI, there is no way to identify the build number of the EHF build.

Impact:
User is not able to identify the build number of the EHF build in ConfD if multiple EHF builds are present.

Workaround:
N/A

Fix:
The build number of the EHF build is now included underneath 'Type'.


1286453 : Unable to transfer files with admin account using SCP

Links to More Info: BT1286453

Component: F5OS-A

Symptoms:
Unable to copy files from an rSeries device with the admin account using SCP.

Conditions:
- Create a packet capture from the ConfD CLI (using system diagnostics tcpdump).
- Try to copy the file with admin credentials using the SCP command.

Impact:
Users with admin credentials are unable to copy files using SCP.

Workaround:
N/A

Fix:
Added support for file transfer for admin users in specific directories.


1286285 : ISO with special characters in name will not import

Links to More Info: BT1286285

Component: F5OS-A

Symptoms:
An ISO named with special characters like "()" will not be imported and gets deleted from the import directory silently.

Conditions:
Only when the ISO name contains special characters.

Impact:
User will not have any status on the imported image with a name that contains special characters.

Workaround:
No workaround.

Fix:
The "show system image" API will display the status as "Import error. File name is incorrect."


1286165 : Ping failing after removing aggregate ID from interface and adding trunk VLANs in the same commit

Links to More Info: BT1286165

Component: F5OS-A

Symptoms:
Ping to self IP of tenant failing.

Conditions:
This issue will be observed only when tried from F5OS ConfD CLI.

Removing aggregate ID and assigning trunk VLANs to an interface in the same commit from ConfD CLI.

Impact:
Ping to self IP of tenant will fail.

Workaround:
From the F5OS CLI:
1) Remove the aggregate ID from the interface.
2) Commit the changes.
3) Add trunk VLANs to the interface and commit the changes.

For example:
1) no interfaces interface 3.0 ethernet config aggregate-id
2) commit; top
3) interfaces interface 3.0 ethernet switched-vlan config trunk-vlans [ 3700 3800 3900 ]
4) commit

Fix:
NA


1285969-1 : Some aggregation interface names can cause ethernet interfaces in LACP aggregations to be erroneously down

Links to More Info: BT1285969

Component: F5OS-A

Symptoms:
One or more interfaces in LACP aggregations may be considered down when they should not be.

Conditions:
Internally, LACPD hashes each interface name to an integer port number, and some aggregation interface names hash to the same value as an ethernet interface name. Changes to these aggregation interfaces can then affect the ethernet interface.

Impact:
Traffic through the affected ethernet interface in LACP aggregations may be disrupted. This can cause either degraded performance or traffic failure for LACP aggregations that the interface is a member of.

Workaround:
Only use aggregation interface names that don't hash to the same port numbers as ethernet interfaces.

To determine whether an existing aggregation interface's port number conflicts with an ethernet interface, review the lacpd_interface_stat table.

For a VELOS partition, use the lacpd container on any blade in the partition to run tmctl.
For an appliance, use system_lacpd container to run tmctl.

The following example from an rSeries appliance shows the aggregation interface "vlag" with the same port number as interface 1.0.

[root@appliance-1 ~]# docker exec -it system_lacpd bash

[root@appliance-1 partition]# tmctl lacpd_interface_stat -s name,port_num
name port_num
---- --------
1.0 1024
10.0 10240
2.0 2048
3.0 3072
4.0 4096
5.0 5120
6.0 6144
7.0 7168
8.0 8192
9.0 9216
mgmt 43008
vlag 1024

If an aggregation interface hashes to the same port number as an Ethernet interface:

1. Delete the conflicting aggregation interface

2a. You can either restart the lacpd containers

    or

2b. Reboot the appliance, or for VELOS reboot each blade in the partition.
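To make the collision check in the workaround above repeatable, here is an added example (not part of these release notes or of F5OS) that parses the output of "tmctl lacpd_interface_stat -s name,port_num" and reports every port_num shared by an ethernet interface and a non-ethernet (aggregation) interface. It assumes physical interfaces are named <slot>.<port> as in the table above, and uses that table as its sample input.

```python
import re
from collections import defaultdict

# Output copied from the release note's example above
# (tmctl lacpd_interface_stat -s name,port_num on an rSeries appliance).
SAMPLE_TMCTL_OUTPUT = """\
name port_num
---- --------
1.0 1024
10.0 10240
2.0 2048
3.0 3072
4.0 4096
5.0 5120
6.0 6144
7.0 7168
8.0 8192
9.0 9216
mgmt 43008
vlag 1024
"""

# Assumption: physical ethernet interfaces are named <slot>.<port> (e.g. 1.0).
# Anything else in the table (mgmt, aggregation names) is treated as non-ethernet.
ETHERNET_NAME = re.compile(r"^\d+\.\d+$")


def parse_interface_stat(text):
    """Parse 'name port_num' rows of tmctl output into a list of (name, port_num).

    The header line and the dashed separator are skipped because their second
    column is not an integer.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        rows.append((parts[0], int(parts[1])))
    return rows


def find_port_collisions(rows):
    """Group interfaces by port_num and keep only ports shared by at least one
    ethernet interface and at least one non-ethernet (aggregation) interface.

    Returns {port_num: {"ethernet": [names], "other": [names]}}.
    """
    by_port = defaultdict(lambda: {"ethernet": [], "other": []})
    for name, port in rows:
        kind = "ethernet" if ETHERNET_NAME.match(name) else "other"
        by_port[port][kind].append(name)
    return {
        port: groups
        for port, groups in by_port.items()
        if groups["ethernet"] and groups["other"]
    }


def conflicting_aggregations(text):
    """Names of aggregation interfaces whose port_num collides with an ethernet
    interface, i.e. the ones the workaround says to delete and rename."""
    collisions = find_port_collisions(parse_interface_stat(text))
    return sorted(name for groups in collisions.values() for name in groups["other"])


if __name__ == "__main__":
    rows = parse_interface_stat(SAMPLE_TMCTL_OUTPUT)
    for port, groups in sorted(find_port_collisions(rows).items()):
        print(f"port_num {port}: ethernet {groups['ethernet']} collides with {groups['other']}")
```

Run it against a copy of the real tmctl output; an empty result means no aggregation interface name needs to be changed.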

Fix:
Aggregation interface names will never impact ethernet interfaces in a LACP aggregation.


1285669-2 : CVE-2022-21216 - Intel BIOS vulnerabilities on r2000/r4000 and r5000/r10000/r12000

Links to More Info: K000133432


1285105 : Users are seeing prompt cannot identify you when password expires.

Links to More Info: BT1285105

Component: F5OS-A

Symptoms:
When a user uses SSH to connect to the system with an expired password, the system will show a prompt indicating it cannot identify the user.

Conditions:
User's password has expired.

Impact:
Only users whose password has expired. Impact is negligible.

Workaround:
Reset password.

Fix:
The behavior is controlled through nss-pam-ldapd interactions with sshd. Now users will see the correct message indicating that the password has expired.


1284681-1 : IPv6 connections made through port 80 fail

Links to More Info: BT1284681

Component: F5OS-A

Symptoms:
IPv6 connections made through port 80 are failing as there are no NAT rules present for port 80.

Conditions:
Issue is observed in all conditions.

Impact:
IPv6 connections through port 80 will fail.

Workaround:
N/A

Fix:
Added a NAT rule for port 80 which allows IPv6 connections.


1284269 : Config restore fails if it contains an SNMP user

Links to More Info: BT1284269

Component: F5OS-A

Symptoms:
Error when restoring the config:

appliance-1(config)# system database config-restore name with.mgmt.snmpuser.xml
A clean configuration is required before restoring to a previous configuration.
Please perform a reset-to-default operation if you have not done so already.
Proceed? [yes/no]: yes
Error: access denied
Database config-restore failed.

Conditions:
Backup contains an SNMP user.

Impact:
Cannot restore configuration.

Workaround:
No workaround.

Fix:
Issue is fixed. Now the user can take a configuration backup and restore it, even with an SNMP user configured.


1284193 : GRUB2 vulnerability CVE-2022-28733, Samba vulnerability CVE-2021-20277, DHCP vulnerability CVE-2021-25217

Links to More Info: K000132893, BT1284193


1284089 : Running RPM package should not be removed one by one without a reboot in between

Component: F5OS-A

Symptoms:
A running RPM package cannot be removed without a reboot in between.

Conditions:
A reboot is required between package removals to prevent the next package removal from failing.

Impact:
A running RPM package cannot be removed without a reboot in between.

Workaround:
Wait until the reboot happens to perform the next package removal.

Fix:
Until the first removal is complete, block the user from performing the next removal.


1283641 : Docker network is not updating as part of internal IP ranges configurations

Links to More Info: BT1283641

Component: F5OS-A

Symptoms:
The Docker network is not updated according to the configured network-range-type.

Conditions:
Configuring the network-range-type has no effect on the Docker network.

Impact:
The Docker network does not update according to the network-range-type.

Workaround:
Edit the /etc/sysconfig/docker file manually and restart Docker.

Fix:
The root cause was '/etc/sysconfig/docker' being overwritten while running pre-deployment-setup. This has been fixed.


1282757-2 : On upgrade, systems might overwrite key due to automatic firmware updating

Links to More Info: K000133379, BT1282757

Component: F5OS-A

Symptoms:
When upgrading to a new version (such as 1.4.0), automatic firmware updates occur, and these interfere with the encryption key retrieval, causing a new key to be generated, which blocks api-service-gateway.

Conditions:
Upgrading to a new version where automatic firmware updates get started at boot-up.

Impact:
The api-service-gateway container does not come up and there is no communication with the tenant.

Workaround:
docker exec -it system_manager bash
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-key"
/confd/bin/confd_cmd -c "mdel /tenants/platform-self-signed-cert/self-signed-cert"

Fix:
A new encryption key will not be generated unless the TPM module has none. The code will continue to retry until it succeeds or the ConfD timeout (300 seconds) occurs.


1282185-1 : Unable to restore backup file containing expired TLS certificate

Component: F5OS-A

Symptoms:
If a user attempts to restore a configuration backup whose contents include a TLS certificate that has expired, the configuration restore will fail.

Conditions:
User attempts to restore a configuration backup file which contains an expired TLS certificate.

Impact:
User is unable to restore their backed up configuration.

Workaround:
There is no workaround once the backup has been collected. The issue can be avoided by de-configuring any TLS certificates before collecting a configuration backup and re-configuring them manually after the backup has been restored.

Fix:
Fixed issue where configuration backup files containing expired TLS certificates could not be successfully used for configuration restore.


1282161 : Diagnostic agent stops displaying firmware update status banner even though firmware update is not complete

Component: F5OS-A

Symptoms:
The firmware update status banner is not showing in the webUI or the ConfD CLI when there is a firmware update in progress.

Conditions:
Occurs when the firmware update is taking a long time.

Impact:
When the user logs onto ConfD CLI or the webUI, the firmware update status banner will not be shown.

Workaround:
N/A

Fix:
The banner now correctly displays on the ConfD CLI and the webUI when there is a firmware update in progress.


1281857-2 : Repeated disabling and enabling of link partner interface might result in datapath corruption

Links to More Info: BT1281857

Component: F5OS-A

Symptoms:
Packets received on an interface are corrupted or lost after a link partner interface is repeatedly disabled and then enabled within relatively short windows of time.

Conditions:
A link partner interface is repeatedly disabled and then enabled within relatively short windows of time.

Impact:
Dataplane services on the given interface will be inoperable.

Workaround:
The product must be rebooted to recover.

Fix:
An FPGA firmware fix was implemented to add an additional clock to an internal component that served to isolate noise between the MAC and itself.


1281749 : Hashed/encrypted passwords are getting logged

Links to More Info: K000134922, BT1281749


1281165 : CVE-2023-0767 in nss-tools-3.67.0-4.el7_9

Component: F5OS-A

Symptoms:
An attacker may create a PKCS 12 certificate bundle to exploit mishandling of PKCS 12 Safe Bag attributes, leading to arbitrary memory writes.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Upgraded to a non-vulnerable version of nss-tools.


1281157 : CVE-2023-0767 in nss-sysinit-3.67.0-4.el7_9

Component: F5OS-A

Symptoms:
An attacker may create a PKCS 12 certificate bundle to exploit mishandling of PKCS 12 Safe Bag attributes, leading to arbitrary memory writes.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Updated to a non-vulnerable version of nss-sysinit.


1281149 : CVE-2023-0767 in nss-3.67.0-4.el7_9

Component: F5OS-A

Symptoms:
An attacker may create a PKCS 12 certificate bundle to exploit mishandling of PKCS 12 Safe Bag attributes, leading to arbitrary memory writes.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Upgraded to a non-vulnerable NSS version.


1281141 : CVE-2022-37434 in zlib-1.2.7-20.el7_9

Links to More Info: K67213091, BT1281141


1280985 : CVE-2021-44716: Excessive memory consumption with HTTP/2 requests in golang

Component: F5OS-A

Symptoms:
net/http in Go before 1.16.12 and 1.17.x before 1.17.5 allows uncontrolled memory consumption in the header canonicalization cache via HTTP/2 requests.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Go has been upgraded to a non-vulnerable version.


1280977 : CVE-2022-28131: Panic when encoding for deeply nested xml in golang

Component: F5OS-A

Symptoms:
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Golang has been upgraded to a non-vulnerable version.


1280969 : CVE-2022-41721: Request smuggling possible using HTTP2 in golang

Component: F5OS-A

Symptoms:
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Golang has been updated to a non-vulnerable version.


1280961 : CVE-2022-27664: DOS Possible if fatal error in HTTP/2 using golang

Component: F5OS-A

Symptoms:
In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Go has been upgraded to a non-vulnerable version.


1280953 : CVE-2021-33194: DOS attack possible using ParseFragment input in golang

Component: F5OS-A

Symptoms:
golang.org/x/net before v0.0.0-20210520170846-37e1c6afe023 allows attackers to cause a denial of service (infinite loop) via crafted ParseFragment input.

Conditions:
NA

Impact:
NA

Workaround:
NA

Fix:
Golang has been updated to a non-vulnerable version.


1280833-1 : The error message is not correct when enabling client-cert (Client Certificate Authentication) before setting verify-client (Client Certificate Verification) to true

Links to More Info: BT1280833

Component: F5OS-A

Symptoms:
An error on the ConfD CLI occurs when the user tries to enable Client Certificate Authentication before setting Client Certificate Verification to true. The error message given by this condition is not correct.

Conditions:
- User trying to enable Client Certificate Authentication when Client Certificate Verification is set to false.

Impact:
Due to the incorrect error message, the user is not able to enable Client Certificate Authentication.

Workaround:
N/A

Fix:
A proper error message is now provided when the user tries to enable Client Certificate Authentication before setting Client Certificate Verification to true.


1280749 : OCSP server state data and actual configured data is different in ConfD CLI

Component: F5OS-A

Symptoms:
The OCSP server data shown from non-config mode in the ConfD CLI is different from actual configured data.

Conditions:
- Showing state data related to OCSP server from ConfD CLI.

Impact:
Inability to check the actual OCSP server value from non-config mode.

Workaround:
Workaround is to run 'show running-config' from non-config mode.

Fix:
When the user sets new values for the OCSP server configuration, the state data is updated as well so that the user can see the actual values from non-config mode.


1280441 : When no parameter is given for 'system aaa tls create-self-signed-cert', encrypted key-type does not ask for passphrase

Links to More Info: BT1280441

Component: F5OS-A

Symptoms:
When requesting a self-signed-cert, if the key-type is encrypted, then a passphrase is required. However, if no parameters are supplied, the key-type is then requested as a mandatory parameter, but won't ask for passphrase if encrypted type is selected.

Conditions:
No parameters passed to the config: system aaa tls create-self-signed-cert.

Impact:
An error indicates that the passphrase wasn't supplied, but it never was asked for in these conditions.

Workaround:
Specify key-type as a parameter and then if encrypted, the passphrase will be requested.

Fix:
The key-type is no longer a mandatory field and simply defaults to RSA. There is no conflict with not passing any parameters.


1280413 : F5OS adds OpenTelemetry export capability

Component: F5OS-A

Symptoms:
Previous versions of F5OS did not support exporting metrics via the OpenTelemetry line protocol over gRPC.

Conditions:
When enabled via the ConfD CLI or RESTConf API, the end user can export selected metrics and logs to an OpenTelemetry collector for post processing. The export process uses the OTEL gRPC line protocol for metric/log export.

Impact:
Adds improved observability to the F5OS platform layer.

Fix:
Reference the F5OS-A on-line documentation to see how to enable the OpenTelemetry exporter.


1280365-2 : WebUI and shell admin access unavailable after upgrade when one of the previously installed images is no longer present

Links to More Info: K000133253, BT1280365

Component: F5OS-A

Symptoms:
1. WebUI or CLI inaccessible via admin account (that is, ConfD is not up):
[root@appliance-1(XXXXXXXXX) log]# su admin
Failed to connect to server

2. sw-mgmt.debug file will have a line similar to this one (with image version changing depending on which image is missing):
DEBUG: Source file /var/export/chassis/import/.mounts/iso/R2R4/1.1.1-9159/m3/*-services/F5OS*.img does not exist, removing from all_sw.

3. Containers stuck in ImagePullBackOff. For example, system_network container cannot be pulled, and the following error is observed in messages log:

appliance-1 dockerd-current: time="2023-03-24T15:09:26.631359235Z" level=error msg="Not continuing with pull after error: Error: image system_network:1.4.5-f5os-a-1-4-0-candidate.2023-02-14-15-09-15.S9b340f7e not found"

Conditions:
Both of the below conditions:

1. An ISO image has been ungracefully removed from the /var/import/staging folder. Examples of ungraceful removals:
-- Deleted via bash (after running chattr -i <image name>)
-- Image name had parentheses in it and as per ID1273021 it is wiped out upon reboot.

2. /var/import/import.json file includes reference to removed image that is listed BEFORE the reference to currently used image.

Impact:
Device webUI is inaccessible. Cannot access ConfD. Root access is working.

Workaround:
Two workarounds:
1. Re-import the deleted image and reboot the box.
2. Remove the whole section that references the deleted image from import.json file and reboot the box.

Fix:
N/A


1280237-3 : Notification streams are sometimes empty using 'restconf/streams/platform-stats/json' API endpoint

Links to More Info: BT1280237

Component: F5OS-A

Symptoms:
When using the 'restconf/streams/platform-stats/json' API endpoint, the JSON object could be empty instead of being populated with platform stats.

Conditions:
The initial discovery of platform-stat had a logic flaw which prevented drive information from being correctly discovered. This prevented the rest of the JSON object from being populated.

Impact:
The platform-stats notification stream endpoint would return an empty object instead of platform-stat data.

Workaround:
N/A

Fix:
The logic flaw has been resolved and the platform-stat notification stream is fully populated with stat information.


1280205-1 : A manual license install does not log success message

Links to More Info: BT1280205

Component: F5OS-A

Symptoms:
When a user is installing a license manually, the manual license installation process does not log the success message in velos.log.

Conditions:
Always occurs when license is manually installed.

Impact:
Successful installation message is not captured in velos.log.

Workaround:
N/A

Fix:
Successful log message is captured when license is manually installed.


1273861 : Api_svc_gateway container stuck in restarting phase

Component: F5OS-A

Symptoms:
Tenants will not get deployed properly.
api_svc_gateway will be stuck.

Conditions:
When F5OS-A 1.4.0 or later is loaded and multiple reboots happen (for example, from a license change or firmware upgrade).

Impact:
Tenants won't be deployed.

Workaround:
1. Delete the CDB entry of the certificates.
2. Delete the tenants.
3. Reboot the system.
4. Redeploy the tenants.

Fix:
A new F5OS release with the fix will be provided.


1273845 : Removing or manually adding TLS Certificate & Key on webUI removes whole TLS configuration

Links to More Info: BT1273845

Component: F5OS-A

Symptoms:
Manually adding TLS Certificate & Key on webUI instead of storing through Self-Signed Certificate or removing Certificate & Key removes TLS configuration, which includes verify-client and verify-client-depth.

Conditions:
- When there is an existing Verify Client and Client Depth configuration, and user tries to remove TLS Certificate & Key on Certificate Management screen on webUI.

- When user fills the TLS Certificate & Key on Certificate Management screen on webUI.

Impact:
Verify Client and Client Depth configuration of Certificate Authentication will be changed to default values which disables verification of httpd client certificates.

Workaround:
- Remove or add the TLS Certificate & Key through the CLI.
- While creating a Self-Signed Certificate, set the "Store TLS" field to true.
- Re-add Verify Client and Client Depth after removing or manually adding the TLS Certificate & Key.


1273581 : CVE-2023-25690 httpd: HTTP request splitting with mod_rewrite and mod_proxy

Links to More Info: K000133098, BT1273581


1273449 : Tenant configuration with more VCPUs than allowed

Component: F5OS-A

Symptoms:
Tenant status is showing insufficient VCPUs. The number shown in the status is wrong.

Conditions:
The issue will not be seen in 1.6.0.

In 1.5.0, it allows more VCPUs than should be allowed.
However, it gets blocked by K3S.

Impact:
No functionality impact.

Workaround:
N/A

Reconfigure the tenant with fewer VCPUs; note that this requires bringing down the tenant.

Fix:
The issue is fixed in 1.6.0.


1273025 : Once TACACS server-group is configured on a non-default port, on downgrade virt-handler pod gets into a crash loopbackoff state because of SELinux corruption

Links to More Info: BT1273025

Component: F5OS-A

Symptoms:
Virt-handler pod is crashing upon downgrading from F5OS-A 1.4.0 to F5OS-A 1.3.2, and a tenant is stuck in pending state.

Conditions:
Configure TACACS server-group on a non-default port (that is, other than port 49) and downgrade from F5OS-A 1.4.0 to F5OS-A 1.3.2.

Impact:
Tenant becomes stuck in pending state.

Workaround:
Two workarounds:

1. Configure standard port (49) for the TACACS server instead of a non-standard port. Using the standard port should not trigger these issues. Releases older than F5OS-A 1.4.0 do not correctly support any port other than 49 for the TACACS server.

2. Fix SELinux policy on the appliance:

a. Copy the SELinux module from /usr:

cp /usr/etc/selinux/targeted/active/modules/400/f5_appliance /etc/selinux/targeted/active/modules/400/f5_appliance

b. Reboot the device

reboot

Fix:
Enforce closure of non-standard port every time configuration is updated or system is shut down. This avoids leaving ports open for which SELinux may not have exceptions.

Note this does not address the non-standard port in older releases when downgrading. Non-standard ports for TACACS are still not properly supported in the older release.


1273021 : ISOs imported with regex special characters in their names are getting deleted

Links to More Info: BT1273021

Component: F5OS-A

Symptoms:
Downgrade/upgrade issues are seen when the upgraded ISO has special characters in the file name.

If an F5OS-A ISO with a filename containing 'special characters' ('+ , * , ? , ^ , $ , ( , ) , [ , ] , { , } , | , \') is imported, and the system is downgraded/upgraded to that version, it can result in the upgrade failing and the ISO being automatically removed.

Conditions:
1. Download and import an ISO with a 'special character' in its name, example 'F5OS-A-1.5.0-*.iso'.
2. Attempt an upgrade to the imported ISO version.
3. Upgrade will fail.

Impact:
An upgrade to a version of software marked as successfully imported can fail unexpectedly, requiring manual intervention to recover the system.

Docker container services will not come up.

Workaround:
1. Before performing a platform software upgrade, compare the versions referenced by the "show system image" ConfD CLI command with the names of the files present in the "/var/import/staging" directory.
If an ISO is not present in /var/import/staging but is shown in the "show system image" command output, import it again into "/var/import/staging".

2. If any ISO file with a name containing a special character is present in "/var/import/staging", remove that version of platform software and re-import it by re-downloading the file with a name that does not include special characters. You may then attempt the upgrade.
3. To remove an ISO file with a name containing special characters, use the following command:
appliance-1(config)# system image remove iso <iso version>
4. In scenarios where the above command fails or cannot be used, follow this procedure to delete the image:
  * Log in to the device as root.
  * chattr -i "/var/import/staging/<iso with special characters>"
  * rm -rf "/var/import/staging/<iso with special characters>"

If a downgrade or upgrade has already failed because of this issue, follow these steps to recover the system:
1. Download another copy of the ISO with a proper name to /var/import/staging.
2. Wait five minutes for it to import. If ConfD is unavailable, you can check the logs in /var/log/sw-mgmt.debug for import status.
3. Once the import is complete, reboot the system. This should recover the system.
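As an added example (not part of these release notes or of F5OS), the following pre-upgrade check covers both this note (1273021, including the "()" case from 1286285) and 1288897 above: it flags allowed-ip rule names that contain no alphanumeric character, and ISO filenames that contain any of the regex special characters listed in the symptoms. The rule and ISO names in it are constructed samples, not values taken from a real system.

```python
# Characters listed under 1273021 as unsafe in an ISO filename.
ISO_NAME_SPECIALS = frozenset("+*?^$()[]{}|\\")

# Constructed sample inputs (not real configuration).
SAMPLE_RULE_NAMES = ["mgmt-net", "___", "-.-", "rule_1"]
SAMPLE_ISO_NAMES = [
    "F5OS-A-1.5.0-example.iso",   # safe
    "F5OS-A-1.5.0-*.iso",         # the example name from 1273021
    "F5OS-A-1.5.0 (1).iso",       # parentheses, the 1286285 case
]


def allowed_ip_rule_name_ok(name):
    """1288897: a rule survives the upgrade only if its name has at least one
    alphanumeric character; names built solely from '_', '-' and '.' are deleted."""
    return any(ch.isalnum() for ch in name)


def iso_name_specials(filename):
    """1273021: return the sorted regex special characters found in an ISO
    filename. An empty list means the name is safe to import."""
    return sorted(set(filename) & ISO_NAME_SPECIALS)


def preflight(rule_names, iso_names):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    for name in rule_names:
        if not allowed_ip_rule_name_ok(name):
            findings.append(
                f"allowed-ip rule {name!r}: rename to include an alphanumeric "
                "character before upgrading to 1.7.0"
            )
    for iso in iso_names:
        bad = iso_name_specials(iso)
        if bad:
            findings.append(
                f"ISO {iso!r}: contains {''.join(bad)!r}; re-download under a "
                "name without these characters before importing"
            )
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_RULE_NAMES, SAMPLE_ISO_NAMES):
        print(finding)
```

Feed it the allowed-ip rule names from the running configuration and the filenames found in /var/import/staging; each finding corresponds to one rename or re-download to do before the upgrade.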

Fix:
Import of ISO with special characters is blocked.


1273017 : LACPD restarts when changing aggregation lag-type through configuration utility webUI

Links to More Info: BT1273017

Component: F5OS-A

Symptoms:
The Link Aggregation Control Protocol Daemon (LACPD) will restart. An LACP aggregation's interface can be permanently down, restricting traffic from passing on that interface.

Conditions:
-An aggregation interface's lag-type is set to static through configuration utility.

Impact:
One or more physical interfaces associated with an LACP aggregation can be erroneously marked down indefinitely, causing either degraded performance, or complete traffic failure.

Performance degradation may not occur, but the LACPD process will always restart.

Workaround:
- Toggle any affected interface to disable and then back to enable.
- Toggle any affected aggregation interface to static and then back to LACP.
- Reboot the system.

Fix:
LACPD will not restart when an aggregation is configured to static through the configuration utility. A few warnings may be logged when this operation occurs; they can be ignored if seen while changing an aggregation's lag-type through the configuration utility.


1271973 : Disabling 1G/10G BaseT interface in F5OS does not make the link down on the peer port

Links to More Info: BT1271973

Component: F5OS-A

Symptoms:
An external switch connected to one of the 1G/10G BaseT interfaces will show link-up even when the interface is disabled in F5OS.

Conditions:
When a 1G/10G BaseT interface is connected to an external switch and is disabled in F5OS.

Impact:
The external switch link-up is misleading since the interface is actually disabled on the F5 system.

Fix:
Disabling 1G/10G BaseT interfaces in F5OS now brings the link down.


1270837 : The Account Locked field on the Edit User page does not lock out users nor display correct locked status

Links to More Info: BT1270837

Component: F5OS-A

Symptoms:
Changing the Account Locked field on the Edit User page does not lockout a user, nor does the field correctly represent the locked status of a user.

Conditions:
Using the Account Locked field in the webUI.

Impact:
Users are allowed to log in even if the Account Locked status is changed to True and the account is truly locked.

Users are unable to log in even if the Account Locked status is changed to False, and the account is truly unlocked.

Workaround:
To lock or unlock a user, use the CLI to set the user's expiry date to 1 for locked and -1 for unlocked.

Following is an example:

Locked

(config)# system aaa authentication users user <username> config expiry-date 1
(config)# commit

Un-locked

(config)# system aaa authentication users user <username> config expiry-date -1
(config)# commit

Fix:
On the webUI the "Account Locked" widget will be replaced by the "Expiry Status" configuration which will allow locking the user in a similar fashion as the CLI.


1270473-1 : On firmware upgrade from CLI, wrong console message displayed

Links to More Info: BT1270473

Component: F5OS-A

Symptoms:
When the firmware upgrade command from ConfD CLI is executed, on success it displays the below message:

Result FIPS firmware has been set successfully. Please reset HSM to reflect the update!

The HSM reset does a factory reset and wipes the HSM.

Conditions:
On firmware upgrade from ConfD CLI, the wrong console message is displayed to the user.

Impact:
If HSM resets, it factory resets the HSM and wipes it.

Workaround:
Do not reset HSM; instead reboot the system to get the new firmware reflected.

Fix:
N/A


1269989-1 : tcam-manager may get stuck using 100% CPU

Links to More Info: BT1269989

Component: F5OS-A

Symptoms:
After running a QKView or tcam-dump by itself, tcam-manager does not clean up the diagnostic socket, which results in a tight loop and pegging the CPU at 100% utilization. This in turn starves other platform processes (such as dma-agent), which causes performance degradation.

Conditions:
A QKView or tcam-dump, which is included in QKView, is run.

Impact:
Performance degradation.

Workaround:
The issue can be avoided by not running QKView.

Fix:
After tcam-dump completes, the corresponding socket is properly removed.


1267253 : LDAP shadowExpire attribute not honored

Links to More Info: BT1267253

Component: F5OS-A

Symptoms:
When using LDAP authentication, usage of the shadowExpire and related attributes will not enforce expiration on the F5 device.

Conditions:
LDAP authentication is configured. LDAP shadowExpire, shadowMax, and related attributes are set such that the user should be expired.

Impact:
User with expired attributes can log into F5 device.

Workaround:
Either remove the user from groups with roles that allow access to the F5 device (for example, F5OS admin role gidNumber) or delete the user.


1267205 : Status field in "show system image" reports error when upgrading to 1.5.0

Links to More Info: BT1267205

Component: F5OS-A

Symptoms:
Although the patch ISOs have been removed from the system, the services field still shows an entry for the base service with the status "error".

Ex:
VERSION IN
SERVICE STATUS DATE SIZE USE TYPE
------------------------------------------------------
1.3.0-8327 error 1 1 false
1.1.0-7645 error 1 1 false

Conditions:
This occurs after upgrading from a patched version.

Impact:
There is no impact to the system.

Workaround:
Workaround #1: Use this when you removed older images prior to the upgrade to F5OS-A 1.5.0.

1. Remove from the /var/import/import.json file all service entries whose status shows as "Error" in the show command, then save and close the file.
Example entry:
{
   "date": "2022-11-06",
   "platform": "R5R10",
   "status": "100",
   "source": "/var/export/chassis/import/preserved_sources/F5OS-A-1.3.1-8863.R5R10.CANDIDATE.img",
   "version": "1.3.0-8327",
   "component": "services",
   "port": "2006",
   "size": 2519765504,
   "error": "",
   "subcomponents": []
  },

2. Do one of the following:
- systemctl restart sw-mgmt.service
- docker restart system_image_agent

or
reboot the system

3. The system now removes the error flag from the "show system image" output, and these services can be deleted from the CLI/webUI.

Workaround #2:
To avoid this error in the "show system image" output, first upgrade to 1.5.0 and then remove the older ISOs (1.3.2, 1.3.1, 1.1.1, etc.).


1267201 : "Unexpected response back from API" error message when deleting ISO

Links to More Info: BT1267201

Component: F5OS-A

Symptoms:
When there are two patch builds using one base version, for example two imported ISOs such as 1.3.2 and 1.3.1, it is not possible to delete 1.3.1 while the system is running on 1.3.2; 1.3.2 and 1.3.1 both depend on 1.3.0 but not on each other.

Upon removal of the 1.3.1 ISO, the error message "Unexpected response back from API" is returned.

Conditions:
Two patch builds using one base version are imported, for example 1.3.2 and 1.3.1.

Impact:
Unable to remove the inactive ISO to free space for importing new ISOs.

Workaround:
The ISO can be deleted manually: run chattr -i <ISO file> to clear the immutable attribute, then delete the file.


1266197 : CVE-2022-4254 sssd: libsss_certmap fails to sanitise certificate data used in LDAP filters

Links to More Info: K000136157, BT1266197


1263941 : CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user

Links to More Info: K000132667, BT1263941


1256897-2 : Deleting an ECDSA curve using the CLI takes a while to restart the http-server with the default RSA certificate.

Component: F5OS-A

Symptoms:
After setting a valid ECDSA curve type:
  prime256v1   X9.62/SECG curve over a 256 bit prime field
  secp384r1    NIST/SECG curve over a 384 bit prime field

and storing the self-signed certificate in the tls configuration, the GUI shows the certificate info for this URL.

Going into the CLI and deleting the key and certificate:

su admin
config
no system aaa tls config certificate
no system aaa tls config key
commit

removes the ECDSA certificate and key, and http-server is restarted with the default generated RSA key and certificate.

However, the GUI still has the deleted certificate and continues to use it despite doing a refresh or attempting to log in from another browser window.

Looking at what happens under the covers shows that the ECDSA key and certificate are deleted and that httpd was restarted (all processes have new PIDs).

The problem seems to happen with ECDSA curves only and might be explained by either of the following:

- On Linux operating systems, a file is not completely deleted until the last program referring to it releases it.
- The browser caches the certificate if its type is ECDSA and does not release that cache right away.

We notice that using the default RSA key and certificate seems to fail once the ECDSA certificate is deleted, but after a 60 second timeout the http-server recovers and everything seems back to normal. It could take a couple of timeouts, meaning that two minutes must go by.

Conditions:
After selecting an ECDSA key type (for curve type prime256v1 or secp384r1) and connecting successfully, the key and certificate are deleted from ConfD, resulting in having the http-server use a default created RSA key and certificate.

Impact:
This can be a bit concerning, in that one expects the certificate to be replaced immediately once the key and certificate are removed. From an operational perspective, the flow does not seem to be affected as the webUI continues to work. Eventually the certificate type will no longer be the ECDSA type, but this can take a few minutes, perhaps longer.

Workaround:
To hasten recovery, run docker restart http-server, which usually fixes the issue right away; a reboot will also accomplish this.


1256893 : Add more password policy configuration parameters

Component: F5OS-A

Symptoms:
F5OS lacked additional fine-grained password policies required by some security policies.

Conditions:
A security policy might require a user to restrict repeating sequences of special characters such as !@#$%.

Impact:
Users could not prohibit other users from setting certain patterns of repeating characters in passwords.

Workaround:
N/A

Fix:
Users can now configure max-letter-repeat, max-sequence-repeat and max-class-repeat for F5OS password policies.


1256437 : Interface with a default route with gateway is NOT available

Links to More Info: BT1256437

Component: F5OS-A

Symptoms:
An interface with a default route with gateway is NOT available. Without a default interface, k3s will fail to come up.

Conditions:
Without a default interface, k3s will fail to come up.

Delete the file /etc/NetworkManager/system-connections/default-intf
and reboot.

Impact:
K3s will be down.

Workaround:
rm -f /etc/NetworkManager/system-connections/default-intf
and reboot

Fix:
Delete the file - /etc/NetworkManager/system-connections/default-intf
and reboot.


1256425 : Expiration for a user account should be updated using expiry-status command

Component: F5OS-A

Symptoms:
Expiration for a user account is declared using expiry-date with the values -1, 1, or string <YYYY-MM-DD>, where -1 and 1 are not human-readable.

Conditions:
Creating user account with some expiry date.

Impact:
The -1/1 values given to expiry-date are not human-readable.

Workaround:
Another command, 'expiry-status', was introduced to specify the expiration for a user account; it takes the values enabled, locked, or string <YYYY-MM-DD>.

Enabled is equivalent to -1.
Locked is equivalent to 1.
String takes the date pattern.

Fix:
Expiration for any user account should be declared using expiry-status command, which takes values enabled/locked/string <YYYY-MM-DD>.


1253713 : CVE-2020-15999 freetype: Heap-based buffer overflow due to integer truncation in Load_SBit_Png

Links to More Info: K000133070, BT1253713


1252445 : QKView is collecting iptable dump only for filter table but not for raw, mangle, and nat

Links to More Info: BT1252445

Component: F5OS-A

Symptoms:
When QKView is collected on F5OS, it contains iptables data only for the filter table, not for the nat, mangle, or raw tables in the container network.

Conditions:
Collect QKView on F5OS using system diagnostics QKView capture.

Impact:
No impact; the iptables dump for the filter table is already present.

Workaround:
N/A

Fix:
Updated the QKView collection to include the required iptables commands.


1252377 : VXLAN-GPE and GENEVE are disabled by default when software is upgraded from F5OS-A 1.3.0 build to F5OS-A 1.4.0

Links to More Info: BT1252377

Component: F5OS-A

Symptoms:
When r10000 or r5000 Series hardware is running with F5OS-A 1.3.0, the default settings for VXLAN-GPE and GENEVE are enabled, and hardware disaggregation support for these tunnel protocols is enabled without any explicit configuration.

If the software is upgraded from F5OS-A 1.3.0 to F5OS-A 1.4.0, these protocols are disabled, and hardware disaggregation is disabled with them. The two protocols must be enabled explicitly in the configuration to enable them in the hardware.

Conditions:
VXLAN-GPE and GENEVE tunnels are used in a deployment running F5OS-A 1.3.0 without any explicit enable configuration for these two tunnels, and the software is upgraded to F5OS-A 1.4.0 or later.

Impact:
Hardware disaggregation support for VXLAN-GPE and GENEVE is disabled after an upgrade from F5OS-A 1.3.0 to F5OS-A 1.4.0 or later when these two tunnels relied on the default configuration to enable them.

Workaround:
Use explicit tunnel settings to enable VXLAN-GPE and GENEVE in F5OS-A 1.3.0, or enable these two protocols explicitly after software upgrade from F5OS-A 1.3.0.

Fix:
VXLAN-GPE and GENEVE are disabled in the default global configuration; use explicit tunnel configuration settings to enable hardware disaggregation support.


1251129 : Flannel network needs to be in cluster CIDR

Links to More Info: BT1251129

Component: F5OS-A

Symptoms:
By default, flannel uses CIDR 10.244.0.0/16, which was left unmodified. As a result, traffic arriving at the management interface from IP addresses in this network range may not match "allowed-ip" rules as expected.

Conditions:
Any traffic coming in from a source IP range of 10.244.0.0/16 is masqueraded in F5OS-A.

Impact:
System "allowed-ip" rules do not function as expected when the source IP address is within 10.244.0.0/16.

Workaround:
None

Fix:
Fixed in F5OS-A 1.6.0.


1249873 : sPVA hardware offload not working correctly on r10k

Links to More Info: BT1249873

Component: F5OS-A

Symptoms:
The DOS attack traffic is distributed unevenly on different TMMs, and some DOS attack traffic is not handed off to hardware due to a misconfigured DOS group.

Conditions:
Any DOS vector traffic going through the r10k device

Impact:
Reduced performance for DOS attack and hardware offload is not active.

Workaround:
No workaround exists for older F5OS releases. Upgrade to F5OS-A 1.6.0 or later.

Fix:
Implemented per ATSE DOS group support in F5OS that enables DOS group configuration at individual hardware offload engines.


1249773 : QKView may fail to collect all files for platform-monitor container

Links to More Info: BT1249773

Component: F5OS-A

Symptoms:
Very occasionally, QKView has a conflict collecting round-robin database (RRD) files in the platform-monitor container. The qkview-collect routine may terminate unexpectedly as a result.

Conditions:
A QKView capture request coincides with a round-robin database update.

Impact:
RRD files may not be collected.

Workaround:
Rerun QKView.

Fix:
This will be fixed in a future release.


1240749 : F5OS systems send incomplete DDoS stats response to the tenants

Links to More Info: BT1240749

Component: F5OS-A

Symptoms:
BIG-IP tenants on F5OS systems receive incomplete/corrupted DDOS stats response, which leads to TMM crash.

Conditions:
Undetermined circumstances on a BIG-IP tenant with AFM provisioning.

Impact:
TMM crashes on the tenant, which affects application traffic. Traffic disrupted while TMM restarts.

Workaround:
None


1240565-3 : Not allowing special characters "/*!<>^,/" in SNMP community/user/target name

Links to More Info: BT1240565

Component: F5OS-A

Symptoms:
Currently, all characters are allowed when configuring an SNMP community/target/user. Because of that, someone could use this configuration to inject script, and the system could be compromised.

Conditions:
Try to configure SNMP community/target/user with below command:

r10900-1(config)# system snmp communities community <script>alert(1)</script config security-model v2c
r10900-1(config-community-<script>alert(1)</script)# commit
Commit complete.
r10900-1(config-community-<script>alert(1)</script)#
r10900-1# show running-config system snmp
system snmp engine-id config value mac
system snmp communities community <script>alert(1)</script
config security-model [ v2c ]

Impact:
All characters are allowed when configuring an SNMP community/target/user. Because of that, someone could use this configuration to inject script, and the system could be compromised.

Workaround:
N/A

Fix:
The special characters /*!<>^,/ are now rejected as invalid input in SNMP community/target/user name configuration.

Note: Upgrade will fail if the user already has SNMP configuration containing the restricted special characters /*!<>^,/.
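A pre-upgrade check for the note above, written here as an added example rather than F5's own code: it validates a name against the restricted character set from this entry and scans "show running-config system snmp" output for names that would block the upgrade. Only the "communities community" line shape appears in the release note; the "users user" and "targets target" shapes and the sample config are assumptions constructed for the example.

```python
import re
from typing import List, Tuple

# Characters the fix rejects in SNMP community, user, and target names (from the release note).
RESTRICTED_CHARS = frozenset("/*!<>^,")

# Constructed sample of "show running-config system snmp" output (not taken from a real device).
SAMPLE_RUNNING_CONFIG = """\
system snmp engine-id config value mac
system snmp communities community <script>alert(1)</script
 config security-model [ v2c ]
system snmp communities community monitoring-ro
 config security-model [ v2c ]
system snmp users user ops,admin
 config authentication-protocol sha
system snmp targets target nms01
 config ipv4 address 192.0.2.10
"""

# Assumed line shapes for the three SNMP name lists; only the first is shown on the page.
_SNMP_NAME_RE = re.compile(
    r"^system snmp (communities community|users user|targets target)\s+(.+?)\s*$"
)


def invalid_chars(name: str) -> List[str]:
    """Return the restricted characters present in name, in order of first appearance."""
    found: List[str] = []
    for ch in name:
        if ch in RESTRICTED_CHARS and ch not in found:
            found.append(ch)
    return found


def is_valid_snmp_name(name: str) -> bool:
    """True when the name is non-empty and contains none of the restricted characters."""
    return bool(name) and not invalid_chars(name)


def audit_snmp_running_config(config_text: str) -> List[Tuple[int, str, str, str]]:
    """Report SNMP names that the upgraded release would reject.

    Returns (line number, object list, name, offending characters) per finding,
    so an operator can rename or delete the objects before upgrading.
    """
    findings: List[Tuple[int, str, str, str]] = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        match = _SNMP_NAME_RE.match(raw.strip())
        if not match:
            continue
        kind = match.group(1).split()[0]  # communities / users / targets
        name = match.group(2)
        bad = invalid_chars(name)
        if bad:
            findings.append((lineno, kind, name, "".join(bad)))
    return findings


if __name__ == "__main__":
    for lineno, kind, name, bad in audit_snmp_running_config(SAMPLE_RUNNING_CONFIG):
        print(f"line {lineno}: {kind} name {name!r} contains restricted characters {bad!r}")
```

On a real system, feed the tool the captured output of show running-config system snmp instead of the constructed sample.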


1239293 : Observing repeated logs of "Found correct SSH key in authorized_keys" in /var/log/appliance.log

Links to More Info: BT1239293

Component: F5OS-A

Symptoms:
Seen repeated logs of "Found correct SSH key in authorized_keys" every 20 seconds in /var/log/appliance.log.

Conditions:
These logs are seen every 20 seconds from the time of system startup.

Impact:
These are just informational logs. There is no impact to the system.

Workaround:
N/A

Fix:
Logs are no longer getting flooded with this message.


1239273 : F5OS returns http server version in http header response

Links to More Info: BT1239273

Component: F5OS-A

Symptoms:
F5OS is returning the internal http server version and type in http header response.

Conditions:
Always.

Impact:
The http response header from F5OS contains the http server version and type which would be detected in security scans.

Workaround:
No workaround.

Fix:
Suppressed the http server version in the F5OS header response.


1235161 : Modification of STP path cost with value 0 on appliance/chassis does not work as expected

Links to More Info: BT1235161

Component: F5OS-A

Symptoms:
The user is allowed to set a path cost of 0, but the interface does not participate in port role selection as expected.
> Port role is dependent on path cost; port with lesser path cost becomes root.
> In the current issue, though port has a lesser value of path cost (0), it is not becoming root.

Conditions:
STP is enabled on F5OS-enabled platforms and
> The path cost of any of the interfaces is set to some number
> One of the interfaces has the default value or a value of 0.

Impact:
An interface with path-cost 0 does not become root, and the system does not prevent the user from setting a path cost value of 0.

Workaround:
Do not set the path-cost value to 0.

Fix:
> Default value of path-cost is modified to 1.
> Range of the path-cost is updated, it starts from 1 instead of 0.


1232965 : The set-password action now reports a 'success' message

Component: F5OS-A

Symptoms:
When a user sets a password via the set-password action, no response is returned when the operation is successful.

Conditions:
A user sets a password via the CLI or REST API.

Impact:
It is unclear if the operation is successful so a user may try to 'commit' the changes or retry the command.

Workaround:
N/A

Fix:
F5OS now reports a 'success' message when a password is set to indicate no further action must be taken.


1231609 : exclude-cores "true" option still includes the core files in webUI/CLI

Links to More Info: BT1231609

Component: F5OS-A

Symptoms:
Collecting a QKView with "exclude-cores true" results in a QKView that still has core files in it.

Conditions:
If QKView is collected with "exclude core true" option.

Impact:
Core files are not excluded from the QKView file.

Workaround:
There is no workaround, as core files are always included regardless of the option.

Fix:
Because "exclude-core" is a boolean type, the qkview.sh script was modified to pass the actual value the user entered.


1230637 : Password quality checker returns more informative results

Component: F5OS-A

Symptoms:
When you attempt to set a new password or change an existing one and the password does not meet the configured password policy, F5OS does not always indicate why the chosen password was insufficient.

Conditions:
You set a new password or try to change an existing password.

Impact:
Depending on the configured password complexity requirements, you may have to try several different password combinations to successfully set a new password.

Workaround:
Continue entering more complex passwords.

Fix:
F5OS now returns more informative error messages indicating why the password does not meet the configured password policy requirements.


1230209 : F5OS-A : Retain more old copies of PEL logs in /var/log/platform/

Component: F5OS-A

Symptoms:
Old PEL logs are not getting retained because the size of the log file is 1 MB.

Conditions:
None

Impact:
Old PEL logs not retained.

Workaround:
N/A

Fix:
Increased the size of the log file to store more logs.


1229465-2 : QKView is not collecting core files in /var/crash

Component: F5OS-A

Symptoms:
QKView was designed to collect core files in /var/core only. The operating system kernel can create core files in /var/crash. SEs need to know about these files.

Conditions:
OS kernel creates a core file.

Impact:
Core file not collected by QKView.

Workaround:
Core file can be manually copied from /var/crash.

Fix:
QKView takes a directory listing from /var/crash and collects core files in that directory.


1229449 : Username is not logged on rSeries appliance when webUI authentication fails

Links to More Info: BT1229449

Component: F5OS-A

Symptoms:
When a user tries to log in via webUI and provides the wrong credentials, the username is not getting logged.

Conditions:
When a user tries to log in via webUI and provides the wrong credentials.

Impact:
Unable to see the user name for whom authentication has failed.

Fix:
N/A


1225989 : TACACS users only able to access CLI, not webUI

Links to More Info: BT1225989

Component: F5OS-A

Symptoms:
A TACACS user with either admin or operator privilege is unable to log onto the webUI, but can get access through the CLI. This was found to be due to an internal file linking error.

Conditions:
Have a correctly configured TACACS authenticated user access the webUI.

Impact:
The login will not be successful, and an "Authentication failed" message will be displayed. The webUI will be inaccessible.

Workaround:
N/A

Fix:
The file link issue has been resolved, and the problem no longer exists.


1225701 : Filenames with special characters in /var/import/staging cause upgrade to fail

Links to More Info: BT1225701

Component: F5OS-A

Symptoms:
Copying images with special characters in the filename to /var/import/staging causes the sw-mgmt service to exit. The system is unable to change versions.

Conditions:
Copy or import an image with special characters in the filename to /var/import/staging. Then, try to upgrade.

Impact:
sw-mgmt service is exiting, and the system will not upgrade.

Workaround:
Remove the image with the special characters using the commands below at a bash prompt:
chattr -i /var/import/staging/<iso with special characters>
rm -rf /var/import/staging/<iso with special characters>

Then, restart sw-mgmt.service:
systemctl restart sw-mgmt.service

Fix:
We have modified sw-mgmt to remove any images containing special characters.


1220553 : TCPDUMP service printed debug logs when adding or removing an interface

Links to More Info: BT1220553

Component: F5OS-A

Symptoms:
The TCPDUMP service will log debug level log message to the system log when the logging severity is not set to debug.

Conditions:
A user adds or removes a VLAN from an interface.

Impact:
No functional impact.

Workaround:
N/A

Fix:
The TCPDUMP service no longer logs debug level messages to the system log when a user adds or removes a VLAN from an interface.


1217169 : Disk full: Latest ISO is not getting imported

Links to More Info: BT1217169

Component: F5OS-A

Symptoms:
Not able to import images because the /var/export/chassis LVM goes into read-only mode when usage of this LVM exceeds 50%.

This LVM is created as VDO (virtual data optimizer) volume, twice the size of the physical partition size, so 50% of the LVM size is equal to 100% of the size of the underlying physical device (partition), on which this LVM is being created.

When the LVM usage reaches more than 50% of LVM size, the LVM metadata is corrupted, causing this issue.

Conditions:
The issue is seen when usage of the LVM /var/export/chassis reaches around 50% by importing more than 12 F5OS-A images on an rSeries low device.

Impact:
Not able to import images once the LVM /var/export/chassis goes to read-only mode.

Workaround:
The workaround is to remove older images from /var/export/chassis/import/iso/ using the command below before importing/copying new images.

appliance-1(config)# system image remove iso <old/unused iso version>

or

If it is not possible to delete the images using the above command, follow the steps below:

chattr -i /var/import/staging/<old/unused iso>
rm -rf /var/import/staging/<old/unused iso>

If the issue has already occurred (/var/import/staging/ has become read-only), the only way to recover the system is to perform either a PXE boot or a USB install.


1216097 : LACP state flapped repeatedly during the upgrade

Links to More Info: BT1216097

Component: F5OS-A

Symptoms:
LACPD status flapped during upgrade.
It is triggered by a transition in the lacpd state machine, but there is no way to tell concretely why with the current data in QKView.
The mux machine triggers multiple transitions, with delays due to ZMQ poll errors and multiple restarts during upgrades.

Conditions:
1) Clean install with F5OS-A 1.2.0.
2) Configure LACP.
3) Live upgrade to F5OS-A 1.3.0.
LACP state flapped for 2 minutes during the upgrade to F5OS-A 1.3.0. This involved repeated reboots due to the BIOS/firmware upgrade.

Impact:
LACP recovered after repeated flapping.

Workaround:
The scope of this bug is to review lacpd implementation and fix/improve if there are any potential areas that can lead to the observed issue at the peer. Hence, improved the logging from lacpd for a better understanding of the system at run time.

Fix:
Improved the logging from lacpd for a better understanding of the system at run time.


1215637 : The "show cluster install-status" CLI command is updated to reflect actual cluster bring-up status

Component: F5OS-A

Symptoms:
Tenant deployment was failing even after the "K3SClusterInstall" stage had moved to "Done" in the "show cluster install-status" CLI output.

Conditions:
The issue is seen when a tenant is set to deploy immediately after the "K3SClusterInstall" stage has moved to the Done state in the "show cluster install-status" CLI output.

Impact:
Tenants can be deployed once "clusterDeployment" stage is moved to "Done."

Workaround:
Tenants can be deployed once "clusterDeployment" stage is moved to "Done."

Fix:
The "show cluster install-status" CLI command is updated to reflect actual cluster bring-up status.


1213185 : ISO file not copied during clean install from USB DVD/CD-ROM device

Links to More Info: BT1213185

Component: F5OS-A

Symptoms:
ISO file is not copied over to /var/import/staging during a clean install with DVD devices.

Conditions:
Clean install with DVD devices.

Impact:
ISO file not copied to /var/import/staging and importing any other image will cause problems with further upgrades or downgrades.

Workaround:
Explicitly copy the ISO file that was used for the clean installation to the device at /var/import/staging.


1211853-4 : Hardware offload features may affect packets destined for unrelated tenants

Component: F5OS-A

Symptoms:
When a tenant requests that hardware assist be enabled for an L4 connection, syn cookie protection, DDoS protection, or allowlist/denylist, it is possible that packets destined for other tenants on the same VLAN will be affected by the hardware assist entry.

Conditions:
Hardware assist must have been activated for a specific flow or DDoS profile, and packets must be present for unrelated tenants that are on the same VLAN and contain the same IP destination and/or IP source address as the hardware assist activation.

Impact:
Packets destined for unrelated tenants may receive unexpected handling as a result of hardware assist matching those packets. For example, packets for an unrelated tenant on the same VLAN might be unexpectedly dropped if they have the same IP destination address as the activated DDoS hardware assist.

Workaround:
Ensure that tenants all use unique VLANs or that tenants that share a VLAN use unique IP source/destination addresses for their traffic.


1211673 : Default tenant disk size is based on tenant image type

Links to More Info: BT1211673

Component: F5OS-A

Symptoms:
There is no impact on functionality.
Previously, default tenant disk size was 77GB regardless of image type.

After the fix:

T1 type image - 22GB
T2 type - 45GB
T4 - 142GB
ALL - 82GB

Based on image type, default storage size will be used.

Conditions:
Tenants are created with a default disk size of 77GB although their image sizes differ.

Fix: create the tenant disk based on image type.

Impact:
No functionality impact

Workaround:
No Functionality impact.

Fix:
No Functionality impact.


1210577-1 : Supportability: the confd_cmd utility is now included in the system controller container

Links to More Info: BT1210577

Component: F5OS-A

Symptoms:
Occasionally F5 Support might ask for confd_cmd commands to be run. This fix makes the confd_cmd utility easier to access.

Conditions:
Running F5OS. A request from F5 Support to run confd_cmd.

Impact:
It is difficult to run confd_cmd commands for troubleshooting purposes.

Fix:
The confd_cmd utility is now included in the system controller container.


1209077-1 : Unable to remove unused ISOs or services if used by openshift

Links to More Info: BT1209077

Component: F5OS-A

Symptoms:
Even if an imported version of a controller service says it is not in use in ConfD, it is possible under certain conditions for Openshift to still depend on that version of services. In such cases, it will not be possible to remove that version of services until Openshift is re-installed.

Conditions:
Openshift was rebuilt on a version of the controller OS earlier than 1.5.0, and user attempts to remove services that openshift relies on after rebuild.

Impact:
Unable to remove some ISOs and services that indicate they are unused.

Workaround:
Rebuild openshift cluster.

Fix:
Added more informative removal messages for case where removal is blocked due to openshift usage.


1208573-1 : Disabling Basic Authentication does not block the RESTCONF GET requests

Links to More Info: BT1208573

Component: F5OS-A

Symptoms:
When basic authentication is disabled by user, RESTCONF GET requests are not getting blocked.

Conditions:
User disables basic authentication. RESTCONF GET requests never get blocked.

Impact:
No effect on configuration. Some of the APIs data will be displayed in RESTCONF GET requests, even when basic authentication is disabled.

Workaround:
N/A

Fix:
The GET operation for the APIs has been blocked when basic authentication is disabled.


1207189-2 : CVE-2022-38178 in bind-license-32:9.11.4-26.P2.el7_9.7

Links to More Info: K000137229, BT1207189


1207185-3 : CVE-2022-38178 in bind-export-libs-32:9.11.4-26.P2.el7_9.7

Links to More Info: K000137229, BT1207185


1207181-3 : CVE-2022-38177 in bind-license-32:9.11.4-26.P2.el7_9.7

Links to More Info: K27155546, BT1207181


1205409-1 : Cannot export or download files from diags/shared/tcpdump path

Links to More Info: BT1205409

Component: F5OS-A

Symptoms:
The diags/shared/tcpdump path gives access to the tcpdump files captured for system diagnostics. However, these files could not be downloaded from the webUI to the local system.

Conditions:
- User generates a tcpdump file for system diagnostics
- User navigates to the diags/shared/tcpdump path in the webUI and tries to download file, resulting in an error

Impact:
Unable to download tcpdump files from diags/shared/tcpdump path in the webUI. Hence, a user cannot access these files from the webUI.

Workaround:
Create /var/docker/config/platform.override.yml with these contents:

version: '2.1'
services:
  http-server:
    volumes:
      - /var/F5/system/shared/tcpdump:/var/shared/tcpdump

Then, restart platform-services.

Fix:
User is now able to download and export files from diags/shared/tcpdump path to any required destination without any errors.


1205345 : RADIUS remote authentication uses internal system IP address as system identifier in requests

Links to More Info: BT1205345

Component: F5OS-A

Symptoms:
When configured for RADIUS remote authentication, the F5OS systems send internal system IP address as Network Access Server (NAS) system identifier (NAS-IP-Address or NAS-IPv6-Address), rather than a system management IP.

On VELOS systems, the NAS-IPv6-Address will be a link-local IPv6 address in fe80::/64.

On rSeries appliances, the NAS-IP-Address will be an address in the internal address range (RFC6598 by default), e.g. 100.65.60.2.

Conditions:
RADIUS remote authentication for system users.

Impact:
RADIUS authentication servers may ignore or reject authentication requests due to an unknown system identifier in the requests.

Workaround:
None.


1204433 : "Appliance-mode" flag in license should not be used to enable appliance-mode

Links to More Info: BT1204433

Component: F5OS-A

Symptoms:
Appliance-mode enabled using license will not get reflected in "show tenants" CLI.

Conditions:
The issue is seen when "appliance-mode" is enabled through license.

Impact:
Appliance-mode enabled using license will not get reflected in "show tenants" CLI.

Workaround:
Appliance-mode can be configured from CLI.

Fix:
Appliance-mode can be configured from CLI.


1196017-1 : Kube-flannel stuck in ImagePullBackOff status due to wrong port or tag

Links to More Info: BT1196017

Component: F5OS-A

Symptoms:
On the rSeries appliance, the tenant deployment fails as the kube-flannel is stuck in ImagePullBackOff status due to the wrong port or tag.

Conditions:
The exact conditions are unclear but it is observed after the upgrade from F5OS-A 1.1.1.

Impact:
Tenant deployment fails.

Workaround:
1) Check the expected registry port for the current running image.
Example:
On an appliance running F5OS-A 1.4.0 the registry port was found to be 2004 (it could differ on other devices):
[root@appliance-1 ~]# ls -l /var/docker/config/platform.yml
lrwxrwxrwx. 1 root root 52 Feb 13 13:11 /var/docker/config/platform.yml -> /var/docker/config/appliance/1.4.0-7488/platform.yml
[root@appliance-1 ~]#
[root@appliance-1 ~]# mount | grep "1.4.0" | grep "registry"
/var/export/chassis/import/.mounts/services/R5R10/1.4.0-7488/volume.img on /var/export/chassis/import/.volumes/appliance-services-registry-2004-volume type squashfs (ro,relatime,context=system_u:object_r:container_file_t:s0)


2) Check the expected flannel tag under the identified registry port
Example:
[root@appliance-1 ~]# crictl images | grep flannel | grep 2004
localhost:2004/appliance-flannel 0.13.1 0a69e5ee8f6ef 20.7MB
[root@appliance-1 ~]#


3) Check the kube-flannel port under the DaemonSet in /tmp/omd/scripts/kube-flannel.yml
Example:
[root@appliance-1 ~]# grep -i "image:" /tmp/omd/scripts/kube-flannel.yml
        image: localhost:2004/appliance-flannel:0.13.1
        image: localhost:2004/appliance-flannel:0.13.1
[root@appliance-1 ~]#
[root@appliance-1 ~]# kubectl get ds -A
NAMESPACE NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
kube-system kube-flannel-ds 1 1 1 1 1 <none> 40d
kube-system klipper-lb 1 1 1 1 1 <none> 40d
kube-system kube-multus-ds-amd64 1 1 1 1 1 kubernetes.io/arch=amd64 40d
kubevirt virt-handler 1 1 1 1 1 kubernetes.io/os=linux 40d
[root@appliance-1 ~]#
[root@appliance-1 ~]# kubectl describe ds kube-flannel-ds -n kube-system | grep -i "image"
    Image: localhost:2004/appliance-flannel:0.13.1
    Image: localhost:2004/appliance-flannel:0.13.1
[root@appliance-1 ~]#


4) Edit the DaemonSet of kube-flannel and correct the registry port or tag as applicable
Example:
# kubectl edit ds kube-flannel-ds -n kube-system

5) After editing the port or tag on the flannel DaemonSet, reboot the system and check whether the pod is starting or not.


1196005-1 : K3S pods version is shown incorrect

Links to More Info: BT1196005

Component: F5OS-A

Symptoms:
In rSeries r4000 and r2000 devices with v1.1.1, all K3S services have an incorrect tag (string 'message') instead of the actual number, due to an unknown issue with the docker registry at that time.

Conditions:
Live upgrade.

Impact:
Tenant deployment fails.

Workaround:
Live upgrade to the release after 1.2.0.

Fix:
No fix yet.


1194885 : CVE-2022-37434 zlib: heap-based buffer over-read and overflow in inflate() in inflate.c via a large gzip header extra field

Links to More Info: K67213091


1190321 : F5OS - "system config hostname" change not reflected in SNMP MIB

Links to More Info: BT1190321

Component: F5OS-A

Symptoms:
Configure hostname using CLI:

appliance-1(config)# system config hostname <name>
appliance-1(config)# commit
Commit complete.

Check system name in SNMPv2-MIB:

appliance-1# show running-config SNMPv2-MIB system sysName
SNMPv2-MIB system sysName appliance-1.chassis.local

The hostname configuration is not reflected in SNMPv2-MIB.

Conditions:
The hostname is configured using the CLI ("system config hostname <name>" followed by "commit") and the system name is then checked in SNMPv2-MIB with "show running-config SNMPv2-MIB system sysName", as shown above.

Impact:
Configured hostname will not be synced in SNMPv2-MIB.

Workaround:
Configure same hostname for SNMPv2-MIB:

appliance-1(config)# SNMPv2-MIB system sysName f5-stsu-kzps
appliance-1(config)# commit
Commit complete.
appliance-1# show running-config SNMPv2-MIB system sysName
SNMPv2-MIB system sysName f5-stsu-kzps

Fix:
Hostname synced with SNMPv2-MIB sysName.


1189057-2 : LACPD fails to read system-priority at container starting time

Component: F5OS-A

Symptoms:
Error logs occur when LACPD starts.

Conditions:
Occurs every time LACPD starts up.

Impact:
User is not able to configure system-priority and the system-priority remains with the default value.

Workaround:
N/A

Fix:
LACPD is now able to read system-priority properly. User is able to configure system-priority and see the field in the CLI.


1188993 : BIND vulnerability CVE-2022-38177,CVE-2022-38178

Links to More Info: K000137229, BT1188993


1188921 : tcpdump not working after upgrade

Links to More Info: BT1188921

Component: F5OS-A

Symptoms:
tcpdump fails with CLI error:
errbuf ERROR:DMAA error, packets cannot be captured
tcpdump: pcap_loop: DMAA error, packets cannot be captured

Error logged:
appliance-1 tcpdumpd-manager[8]: priority="Crit" version=1.0 msgid=0x5406000000000029 msg="DMAA socket failed:" comp="connect" errno=2.

Conditions:
System upgrade has failed to properly update the configuration file, which is responsible for starting tcpdumpd_manager.

Impact:
tcpdumpd_manager will not be able to start and packets cannot be captured. tcpdumpd_manager will continue to log this failure to the system log.

Workaround:
None

Fix:
Improved tcpdumpd_manager start-up routine to check for line-dma-agent socket availability.


1188877 : Kubernetes Cluster Reinstall provision extended from VELOS to rSeries

Component: F5OS-A

Symptoms:
In some cases, it is necessary to reinstall the K3S cluster on the appliances. On VELOS, there is an easy way to reinstall the Kubernetes cluster by creating the flag file with "touch /var/omd/CLUSTER_REINSTALL". Starting with the F5OS-A 1.6.0 release, this provision is extended to rSeries appliances.

Conditions:
It is recommended to reinstall the cluster as the last measure if there are any issues with tenant deployment/running.

Impact:
Existing tenants will be moved back to a Configured state and traffic will be interrupted.

New tenants won't get deployed until the cluster is installed properly.

Workaround:
The cluster reinstall feature is usually the mitigation/workaround.

Fix:
To initiate cluster reinstall, do:
touch /var/omd/CLUSTER_REINSTALL (needs root access)


1188105 : K3SClusterUpgrade status shown as Done before cluster pods running up on appliance

Component: F5OS-A

Symptoms:
When an appliance upgrades k3s (Lightweight Kubernetes) to a newer version, the K3S Cluster Upgrade status goes to the Done state before the cluster pods are up and running.

Conditions:
When Upgrade of K3S cluster gets triggered, the cluster upgrade status gets updated in ConfD before bringing cluster pods up.

Impact:
No functional impact. But the information published can be misleading.

Workaround:
In addition to the K3S cluster upgrade status, also check the cluster pod status (for example, with "kubectl get pods -A") to confirm that the cluster came up properly.

Fix:
The cluster pod status is now also checked when reporting the upgrade status.


1188057 : Inactivity-timeout for Console

Component: F5OS-A

Symptoms:
The console session does not expire after a certain time.

Conditions:
Log into system using console.
This console session will remain active for a long time.

Impact:
After logging in through the console, the session remains active for a long time because no inactivity timeout is enforced.

Workaround:
N/A

Fix:
We have introduced a timeout API for console and SSH connection timeouts. If a session has been active longer than its configured timeout value with no interaction, it is automatically terminated. Example:

appliance-1(config)# system settings config sshd-idle-timeout 40
appliance-1(config)# commit
Commit complete.
appliance-1# show system settings state
system settings state sshd-idle-timeout 40


1186597 : K3S install status in F5OS ConfD is improved

Links to More Info: BT1186597

Component: F5OS-A

Symptoms:
K3S install status is not showing the actual cluster install status.

Conditions:
The issue is seen during Cluster deployment.

Impact:
Actual K3S install status is not reflected in "show cluster install-status" CLI.

Workaround:
"kubectl get pods -A" can be used to check the pod status.

Fix:
"show cluster install-status" is updated to reflect the actual cluster deployment status.


1185741 : API access and webUI login fails if password contains a semicolon (;)

Links to More Info: BT1185741

Component: F5OS-A

Symptoms:
Authentication fails when the password contains a semicolon.

Conditions:
A user creates a password that contains a semicolon.

Impact:
User unable to authenticate.

Workaround:
The issue is fixed in the 1.7.0 release. Users with prior releases can log in through the CLI and change the password.

Fix:
Passwords can contain semicolons in the 1.7.0 release.


1185701 : 'system aaa' command in ConfD fails with "Error: application communication failure"

Links to More Info: BT1185701

Component: F5OS-A

Symptoms:
The system fails to change the password and is left in a degraded state where user management no longer works.
The system also fails to give the user proper feedback about the failed password change.

Conditions:
This policy option is causing the problem:
system aaa password-policy config retries 5

Impact:
F5OS user password cannot be changed.

Workaround:
Do not change this configuration from its default:
system aaa password-policy config retries 5

Fix:
N/A


1184513 : F5OS audit log reports duration values in microseconds, using "ms" abbreviation

Links to More Info: BT1184513

Component: F5OS-A

Symptoms:
The F5OS audit log reports the duration of some calls that occur through RESTCONF. These duration values use an "ms" unit, which in this case stands for microseconds, not milliseconds.

For example:

<INFO> 23-Aug-2022::18:28:00.602 appliance-1 confd[106]: audit user: netsupport/7502531 RESTCONF: response with http: HTTP/1.1 /restconf/data//openconfig-system:system/f5-system-image:image/remove 400 duration 122160290 ms

This operation took ~122 seconds, not ~1.4 days.

Conditions:
Using the F5OS audit log.

Impact:
Difficult to interpret audit log.

Workaround:
Interpret the duration values as being in microseconds, not milliseconds.
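As an added example (not part of these release notes), a POSIX shell helper that applies the interpretation above: it reads confd audit-log lines, treats the value in the "duration N ms" field as microseconds, and reports it in seconds; the slow-request filter and its threshold are my own addition for reviewing RESTCONF call times. The sample line is constructed in the shape of the one quoted above.

```shell
#!/bin/sh
# Added example, not from the F5OS release notes: interpret the "duration N ms"
# field of F5OS confd audit-log lines as microseconds (bug 1184513) and report
# it in seconds, plus a filter for RESTCONF calls slower than a threshold.

# Constructed sample line, modelled on the entry above.
AUDIT_SAMPLE_LINE='<INFO> 23-Aug-2022::18:28:00.602 appliance-1 confd[106]: audit user: netsupport/7502531 RESTCONF: response with http: HTTP/1.1 /restconf/data//openconfig-system:system/f5-system-image:image/remove 400 duration 122160290 ms'

# f5os_audit_duration_seconds LINE
# Prints the duration of LINE in seconds with millisecond precision
# (e.g. "122.160"), or nothing when the line carries no "duration N ms" field.
f5os_audit_duration_seconds() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i + 2 <= NF; i++) {
                # the logged unit says "ms" but the value is microseconds
                if ($i == "duration" && $(i + 1) ~ /^[0-9]+$/ && $(i + 2) == "ms") {
                    printf "%.3f\n", $(i + 1) / 1000000
                    exit
                }
            }
        }'
}

# f5os_audit_slow_requests THRESHOLD_SECONDS
# Reads audit-log lines on stdin and echoes those whose (corrected) duration
# exceeds THRESHOLD_SECONDS; lines without a duration field are skipped.
f5os_audit_slow_requests() {
    threshold="$1"
    while IFS= read -r line; do
        secs=$(f5os_audit_duration_seconds "$line")
        [ -n "$secs" ] || continue
        # awk does the floating-point comparison that POSIX sh lacks
        if awk -v s="$secs" -v t="$threshold" 'BEGIN { exit !(s > t) }'; then
            printf '%s\n' "$line"
        fi
    done
}

# Stand-alone demo on the sample line: prints it, since 122.160 s > 60 s.
printf '%s\n' "$AUDIT_SAMPLE_LINE" | f5os_audit_slow_requests 60
```

On an appliance the filter would be fed with the audit log directly, e.g. `f5os_audit_slow_requests 60 < /path/to/audit.log` (path not given in this entry).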


1184441 : VXLAN-GPE and GENEVE tunnel support

Component: F5OS-A

Symptoms:
With VXLAN-GPE and GENEVE tunnel support enabled, host-generated UDP frames whose destination port matches a system-configured VXLAN-GPE or GENEVE destination port are treated as VXLAN-GPE or GENEVE traffic even if the underlying frame is not. Such a frame may have a bad UDP checksum forced onto it if it fails the basic VXLAN-GPE or GENEVE protocol checks.

Conditions:
Administrator configures VXLAN-GPE and/or GENEVE tunnel support.

Impact:
Minimal.

Workaround:
Tunnels are disabled by default. This issue is only observed if tunnels are enabled.

Fix:
N/A


1184429-3 : Specifying "operation not supported" as an iHealth QKView description or SR number will disable iHealth uploading

Links to More Info: BT1184429

Component: F5OS-A

Symptoms:
The iHealth upload code scanned the response text for the phrase "operation not supported" to detect an error. Using that phrase as a QKView description or SR case number therefore triggers a false error, preventing the upload to iHealth.

Conditions:
The phrase "operation not supported" is used as an iHealth QKView description or SR number.

Impact:
Unable to upload a QKView to iHealth through the iHealth upload service on the device.

Workaround:
Do not use the phrase "operation not supported" as a description or an SR case number when uploading to iHealth.

Fix:
The error check now inspects the HTTP status code instead of scanning the text of the HTTP body.


1183909 : Python urllib3 vulnerabilities CVE-2018-20060, CVE-2019-11236, CVE-2019-11324, CVE-2018-18074

Links to More Info: K000133448, BT1183909


1182605-1 : Boot marker logs do not provide enough information

Links to More Info: BT1182605

Component: F5OS-A

Symptoms:
Boot marker logs should provide version and product information in the log.

Conditions:
After a reboot.

Impact:
It can be difficult to determine which version of VELOS a system was booting into.

Fix:
The boot marker logs were updated to show product and OS version information.


1181929 : F5OS install may partially fail, leaving system with mismatched OS and services

Links to More Info: BT1181929

Component: F5OS-A

Symptoms:
After an attempted upgrade, administrators are unable to access the system via management UI, or log into the system as any user other than "root".

A message such as the following in the platform log:
priority=Fatal msgid=0x3501000000000021 msg=OStree rebase to version 1.2.0-10139 failed.

Conditions:
The first part of an F5OS software upgrade fails, but the system continues on and performs subsequent steps of the upgrade.

Impact:
The system may be completely inoperative, or the system may be running with different OS and services versions, which could lead to unknown problems.

Workaround:
If this issue occurs, contact F5 Support for assistance.


1167477 : CVE-2021-20233: grub2 - Heap out-of-bounds write due to miscalculation of space required for quoting

Component: F5OS-A

Symptoms:
A flaw was found in grub2 in versions prior to 2.06. The option parser allows a user to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Grub2 has been updated to a non-vulnerable version.


1167153 : CVE-2022-1271 gzip: arbitrary-file-write vulnerability

Links to More Info: K000130546


1166197 : CVE-2021-20233 grub2: Heap out-of-bounds write due to miscalculation of space required for quoting

Component: F5OS-A

Symptoms:
A flaw was found in grub2 in versions prior to 2.06. Setparam_prefix() in the menu rendering code performs a length calculation on the assumption that expressing a quoted single quote will require 3 characters, while it actually requires 4 characters which allows an attacker to corrupt memory by one byte for each quote in the input. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Grub2 has been upgraded to a non-vulnerable version.


1166169 : CVE-2021-25217 dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or lease files in dhcpd and dhclient

Links to More Info: K08832573


1166157 : CVE-2021-20277 samba: Out of bounds read in AD DC LDAP server

Links to More Info: K48527562


1166153 : CVE-2021-20225 grub2: Heap out-of-bounds write in short form option parser

Component: F5OS-A

Symptoms:
A flaw was found in grub2 in versions prior to 2.06. The option parser allows a user to write past the end of a heap-allocated buffer by calling certain commands with a large number of specific short forms of options. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Conditions:
N/A

Impact:
N/A

Workaround:
N/A

Fix:
Grub2 has been updated to a non-vulnerable version.


1166149 : CVE-2021-27803 wpa_supplicant: Use-after-free in P2P provision discovery

Links to More Info: K000135433, BT1166149


1166145 : CVE-2021-4034 polkit: Local privilege escalation in pkexec due to incorrect handling of argument vector

Links to More Info: K46015513


1166061 : Docker logs may not be collected by QKView if container has failed

Links to More Info: BT1166061

Component: F5OS-A

Symptoms:
QKView collects diagnostics from containers on a VELOS system, but sometimes a container may be in an error state in which QKView cannot interact with it. It would be useful to collect the Docker logs for failed containers, if available. Prior to this fix, Docker logs for a failed container were not collected.

Conditions:
QKView is run, while a container is in a failed state.

Impact:
Docker logs will not be collected for failed containers.

Workaround:
Manually perform the command "docker logs <container-name>" for the failed container.

Fix:
Docker logs for containers will be collected by QKView regardless of the container state.


1165965 : CVE-2022-38177 bind: memory leak in ECDSA DNSSEC verification code

Links to More Info: K27155546


1165961 : CVE-2022-38178 bind: memory leaks in EdDSA DNSSEC verification code

Links to More Info: K000137229


1156113 : Appliance OMD repeatedly logs an obtuse error message every 10 seconds

Links to More Info: BT1156113

Component: F5OS-A

Symptoms:
When tenants fail to deploy/start for any reason, Appliance OMD periodically logs an obtuse error message every 10 seconds.

Appliance OMD allows the error message to be logged while the data is only partially populated.

Conditions:
This issue is observed when tenants fail to deploy/start for any reason.

Impact:
Obtuse error logs are observed every 10 seconds.

Workaround:
Obtuse logging is fixed in the Appliance OMD to log the data only if the data is properly populated.


1156005 : system-host-config fails to handle order of DNS search path in /etc/resolv.conf

Links to More Info: BT1156005

Component: F5OS-A

Symptoms:
Ordering of the DNS search path is not preserved in /etc/resolv.conf:
> Add the DNS search path in order A B.
  Check /etc/resolv.conf => B A
> Now add the DNS search path in order B A.
  Check /etc/resolv.conf => B A

Conditions:
On rSeries platforms, the user wants to configure the DNS search path in alphabetical order.

Impact:
DNS search path is not added in the same order in /etc/resolv.conf.

Workaround:
N/A

Fix:
Fix is added to handle ordering of DNS search path in /etc/resolv.conf file.


1155133 : File permission needed for "commit save-running" CLI command

Links to More Info: BT1155133

Component: F5OS-A

Symptoms:
When trying to use the "commit save-running" CLI command, the execution fails with a file permission error. It works when the user gives an absolute file path such as /var/F5/system/configs.

Conditions:
This will happen when the user uses "commit save-running".

Impact:
User should provide an absolute path for the "commit save-running" CLI command.

Workaround:
Use an absolute path while performing "commit save-running".

Fix:
N/A


1154761 : Refactoring of L2 protocol error log

Links to More Info: BT1154761

Component: F5OS-A

Symptoms:
The error logs are not intuitive. When LLDP is enabled on the management interface (which does not support LLDP), unclear error logs are seen.

Conditions:
LLDP is enabled on management interface.
This log appears when the L2 service tries to send PDU and fails to get the dataplane destination ID of management interface.

Impact:
No functional impact.

Workaround:
N/A

Fix:
Error log has been modified.


1141609 : Error if RAPID_PVST is selected under STP protocol

Links to More Info: BT1141609

Component: F5OS-A

Symptoms:
The RAPID_PVST protocol is not supported, but its configuration is allowed:
(config)# stp global config enabled-protocol RAPID_PVST
(config)# commit

Conditions:
None

Impact:
Configuration of RAPID_PVST is allowed, which is not supported.

Note: In case of live upgrade, STP with global protocol configured as RAPID_PVST will not work and you will need to either delete "stp global config enabled-protocol RAPID_PVST" or do a bare metal install before performing a live upgrade.

Workaround:
None

Fix:
Error if RAPID_PVST is configured.

(config)# stp global config enabled-protocol RAPID_PVST
(config)# commit
Aborted: 'stp global config enabled-protocol' (value "oc-stp-types:RAPID_PVST"): RAPID_PVST is not supported.


1141573-2 : ConfD management IP configuration command DHCP shows unusable extra options which might confuse user

Links to More Info: BT1141573

Component: F5OS-A

Symptoms:
ConfD management IP configuration command DHCP shows unusable extra options like IP address, gateway, and prefix.
Users do not need to pass an IP address, gateway, or prefix when configuring the management IP with DHCP.

Conditions:
The user is configuring the management IP with DHCP and checks the command arguments offered after DHCP in the CLI.

Impact:
A few extra unusable options exist after the DHCP command over CLI.

Workaround:
Do not pass any value on the arguments passed after DHCP.

Fix:
Added restrictions in the ConfD CLI command, which will not display extra options after DHCP over CLI.


1137121-4 : Tenants are stuck in Pending state with status 0/1 nodes available after upgrading to F5OS-A 1.2.0

Links to More Info: BT1137121

Component: F5OS-A

Symptoms:
The system is unable to start tenants, and the tenant reports a status of "Insufficient f5.com/qat".

Conditions:
Might occur after an F5OS-A software upgrade or after reinstalling K3s.

Impact:
Tenants will not start and are unusable.

Workaround:
To work around this issue, perform one of these actions:

1. Reboot the rSeries appliance.
or
2. Restart the qat-plugin process by logging into the appliance as root, and running "pkill qat-plugin".

Fix:
Fixed an issue with the qat-plugin process that prevented the system from starting tenants.


1136725 : An iptables CLI error

Links to More Info: BT1136725

Component: F5OS-A

Symptoms:
An iptables command error:
[root@appliance(appliance.chassis.local) ~]# iptables -L
Another app is currently holding the xtables lock. Perhaps you want to use the -w option?

Conditions:
When a parallel iptables query is happening, this error displays.

Impact:
iptables operations can be disrupted.
The user may not be able to view the iptables rules.

Workaround:
When listing rules, iptables performs DNS and reverse DNS lookups unless the "-n" option is used, which makes it hold the xtables lock for longer; listing with "-n" avoids this.

Fix:
Added "-n" option in all places where iptables listing is happening.


1136597 : LDAP user with admin and operator role gets only operator permissions

Links to More Info: BT1136597

Component: F5OS-A

Symptoms:
An LDAP user configured with groups for both admin and operator roles only receives operator permissions.

Conditions:
LDAP user configured with gidNumber assignments for both admin and operator roles.

Impact:
A user with this config would be assigned only operator permissions.

Workaround:
Only configure the gidNumber for the desired role in LDAP for the user. Do not configure multiple roles for the same user.

Fix:
There was an error in the NACM rules for ConfD config. The role logic has been fixed.


1132605 : Copied ISO file does not have the immutable bit set after F5OS USB install

Links to More Info: BT1132605

Component: F5OS-A

Symptoms:
When performing a USB install, F5OS creates the ISO file used for installation under /var/import/staging. Under certain conditions, this newly created ISO file is missing the immutable bit, allowing the file to be potentially modified or deleted while it is in use.

Conditions:
Perform a USB install of F5OS.

Impact:
The new ISO file is missing the immutable bit (which would show up as an 'i' in the lsattr output).

   [root@appliance-1 ~]# lsattr /var/import/staging/
   -------------e-- /var/import/staging/F5OS-A-1.1.0-7645.R5R10.iso

This results in risk of the ISO file being deleted or modified while in use.

Workaround:
If the imported ISO file is still present in /var/import/staging, set the immutable bit on it, for example:

    chattr +i /var/import/staging/R5R10.1.1.1-9159.iso

If the imported ISO file is missing (for example, because it was deleted or renamed):

1. Put a copy of the ISO file on the rSeries appliance named precisely the same as the original file was, for example:

    Copy the ISO file to the rSeries appliance, but name it "R5R10.1.1.1-9159.iso" and put it in /var/import/staging/

2. Set the immutable bit on the file:

    chattr +i /var/import/staging/R5R10.1.1.1-9159.iso

3. Reboot the device.

Fix:
N/A
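As an added example (not part of these release notes), a POSIX shell check for the condition in this entry: it reads lsattr output for the staging directory and reports any .iso that lacks the 'i' flag, so the immutable bit can be set before the reboot. The lsattr lines inside it are constructed sample input; the wrapper that runs lsattr on a live appliance is my own addition.

```shell
#!/bin/sh
# Added example, not from the F5OS release notes: detect staged ISO images that
# lack the immutable bit described in 1132605, from lsattr output.

# Constructed sample of `lsattr /var/import/staging/` output: the first ISO has
# no 'i' flag, the second does, the third entry is not an ISO at all.
LSATTR_SAMPLE='-------------e-- /var/import/staging/F5OS-A-1.1.0-7645.R5R10.iso
----i--------e-- /var/import/staging/F5OS-A-1.2.0-10139.R5R10.iso
-------------e-- /var/import/staging/notes.txt'

# iso_missing_immutable
# Reads lsattr output on stdin and prints the path of every .iso whose
# attribute field (first column) contains no 'i'. Returns 1 if any were
# printed, 0 otherwise, so it can gate a reboot in a script.
iso_missing_immutable() {
    awk '
        $2 ~ /\.iso$/ && $1 !~ /i/ { print $2; found = 1 }
        END { exit (found ? 1 : 0) }
    '
}

# iso_fix_commands [DIR]
# On a live appliance (needs root): runs lsattr on the staging directory and
# prints the "chattr +i" command for each unprotected ISO, for review before
# running it. DIR defaults to the path this entry names.
iso_fix_commands() {
    lsattr "${1:-/var/import/staging}" 2>/dev/null \
        | iso_missing_immutable \
        | sed 's|^|chattr +i |'
}

# Stand-alone demo on the sample: prints the unprotected 1.1.0 ISO and a warning.
printf '%s\n' "$LSATTR_SAMPLE" | iso_missing_immutable \
    || echo "warning: staged ISO without immutable bit, set it before rebooting"
```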


1132569 : "cdb_exists failed" error logged in platform.log during boot up

Links to More Info: BT1132569

Component: F5OS-A

Symptoms:
This occurs unconditionally upon every reboot. It doesn't have any functional impact.

Conditions:
Upon every reboot.

Impact:
No impact.

Workaround:
N/A

Fix:
Boot or reboot the device and check platform.log. The issue should no longer occur.


1128877 : Mount command added to QKView collection

Links to More Info: BT1128877

Component: F5OS-A

Symptoms:
The output of the mount command was not included in the QKView diagnostics file.

Conditions:
Always.

Impact:
Mount data is currently collected, but may be missing data provided by the mount command.

Workaround:
Run mount command on system and copy results from device.

Fix:
Mount command will be executed in QKView.


1126677-1 : Inconsistencies with time zones displayed in controller and log files

Links to More Info: BT1126677

Component: F5OS-A

Symptoms:
System logs on F5OS systems are logged in a mix of the user's configured time zone (when available: controller/appliance) and UTC, depending on which log file you look at.

Conditions:
If user has a time zone configured that is different from UTC, the logs may show different times for log messages.

Impact:
Troubleshooting and tracing issues can be difficult, as the time zones used in different logs do not match.

Workaround:
N/A

Fix:
Fixed all controller, partition, and blade docker images to be cognizant of the relevant configured time zone for either the chassis or the partition. When a partition is created, it defaults to the configured chassis time zone, but is independently configurable thereafter.


1120329-4 : CVE-2019-20044: In Zsh before 5.8, attackers able to execute commands can regain privileges dropped by the --no-PRIVILEGED option

Links to More Info: K000134672, BT1120329


1118109 : CVE-2019-15605: HTTP request smuggling in Node.js 10, 12, and 13 causes malicious payload delivery when transfer-encoding is malformed

Component: F5OS-A

Symptoms:
A flaw was found in the Node.js code where a specially crafted HTTP(s) request sent to a Node.js server failed to properly process the HTTP(s) headers, resulting in a request smuggling attack. An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is deployed behind a proxy server that reuses connections.

Conditions:
An attacker can use this flaw to alter a request sent as an authenticated user if the Node.js server is deployed behind a proxy server that reuses connections.

Impact:
An unauthorized user can gain access to the system.

Workaround:
N/A

Fix:
http-parser has been updated to http-parser-2.7.1-8.el7_7.2


1109345 : Intel CPU updates to resolve CVE-2022-21131, CVE-2022-21136, CVE-2022-21151, and CVE-2021-33117

Links to More Info: K43541501, BT1109345


1099069-1 : Issues with pulling files from F5OS device using SCP

Links to More Info: BT1099069

Component: F5OS-A

Symptoms:
Unable to pull packet capture files from the F5OS device using SCP as the admin user.

Conditions:
Downloading packet capture files using SCP from the admin account.

Impact:
Unable to download packet capture files through SCP as the admin user.

Workaround:
N/A

Fix:
Added support to download files from more directories.


1096341-1 : During ISO import, the size was incorrectly displayed as 1

Links to More Info: BT1096341

Component: F5OS-A

Symptoms:
When the ISO file is copied to the /var/import/staging directory, during the verification phase the size of the ISO file was displayed as 1.

Conditions:
The size of the ISO file was shown as 1 during the verification phase.

Impact:
This was misleading, as the actual file size is in the range of GBs.

Workaround:
None

Fix:
The problem has been fixed to display the ISO file size as - (hyphen) until the verification phase is completed.


1093105 : Apache vulnerability CVE-2022-22720

Links to More Info: K67090077


1091853-3 : CVE-2022-23308: libxml2 vulnerability

Links to More Info: K32760744, BT1091853


1069365-2 : Error shown when configuring known-host for file transfer when FIPS mode is enabled

Component: F5OS-A

Symptoms:
"Host unreachable" error is sometimes displayed when FIPS mode is enabled, if a user tries to configure known-host. The ssh-keyscan fails, as ssh-keyscan is not using FIPS approved ciphers.

Conditions:
- FIPS mode is enabled
- User configures known-host for file transfer

Impact:
A "Host unreachable" error is displayed.

Workaround:
N/A

Fix:
Updated ssh-keyscan to use FIPS approved ciphers when FIPS mode is enabled.


1060205 : CVE-2021-25214 bind: Broken inbound incremental zone update (IXFR) can cause named to terminate unexpectedly

Links to More Info: K11426315


1060193-3 : e2fsprogs vulnerability: CVE-2019-5188

Links to More Info: K06014092, BT1060193


1052821-1 : Apache HTTPD vulnerability CVE-2021-34798

Links to More Info: K72382141, BT1052821


1050261 : The "show components" component PSU does not show sn/pn after PSU hot-swap

Links to More Info: BT1050261

Component: F5OS-A

Symptoms:
The "show components" command displays the wrong state for the PSU when the PSU has been physically removed.

Conditions:
When the PSU is hot-swapped on the hardware.

Impact:
After the PSU is hot-swapped on the hardware, the "show components" command displays the wrong state for the PSU.

Workaround:
N/A

Fix:
The "show components" command displays the correct state/data for the PSU when the PSU has been physically removed.


1047689 : sw_rbcast core file found on system

Links to More Info: BT1047689

Component: F5OS-A

Symptoms:
The partition_sw_rbcast process produces a core file.

Conditions:
Starting a tenant which requires the sw_rbcast container.

Impact:
The sw_rbcast process crashes and produces a core file.

Fix:
A new version of sw_rbcast correctly handles tenant broadcast packets.



Known Issues in F5OS-A v1.7.x


F5OS-A Issues

ID Number Severity Links to More Info Description
1396397-1 1-Blocking   File import failure with error "Couldn't resolve hostname"
1380705-1 1-Blocking   BIG-IP tenant is stuck during boot up after doing tenant upgrade from 15.1.x to 17.1.x
1377629-1 1-Blocking   Failed to ping tenant mgmt-ip
1351981-1 1-Blocking   QAT count is not dynamically updated for active tenants after license upgrade
1338601-2 1-Blocking   On multi tenants cases on system reboots tenant goes to INOPERATIVE state
1332781-3 1-Blocking BT1332781 A remote user with the same username as the local F5OS user will be granted the local user's roles
1328137-1 1-Blocking   Observing r12k interfaces going down after enabling Fast L4 mode
1319573-1 1-Blocking   BIG-IP tenants created before F5OS-A 1.3.0 may be allocated a smaller disk than required
1292541-2 1-Blocking   Loading saved configuration on BIG-IP fails if host modifications are made after "tmsh save sys config" on R2800/R4800 platforms
1273221-4 1-Blocking BT1273221 On rSeries FIPS system, operations which involve reboot, might result in FIPS device failure state
1273013-4 1-Blocking   Five percent (5%) deviation can be observed in TPS performance on R10920 and R5920 tenant
1253717-7 1-Blocking BT1253717 iavf driver crashes intermittently on r2000 or r4000 systems during system reboot
1250901-5 1-Blocking BT1250901 On rSeries FIPS system live upgrade, cavium_n3fips (liquidsec_pf_vf driver) may fail to come into operational state
1404385-1 2-Critical BT1404385 Dagd component core
1404249 2-Critical   Ping failing when tenant is reprovisioned from lower vCPU to 60 vCPU
1401841-1 2-Critical   Out of memory issues are seen when multiple telemetry exporters are configured
1400221-1 2-Critical   OpenTelemetry exporters may not produce data upon first tenant being added to system
1398889-1 2-Critical   rSeries r5000: assertion in qat-device-plugin FilteringResourceEventHandler.OnDelete causing k8s panic
1398341-1 2-Critical   The affinity script crash seen in /var/log/cron logs
1394905-1 2-Critical   Unable to create AOM user
1394857-1 2-Critical   Cannot retrieve AOM username after creating it
1393613-1 2-Critical   IP Address empty after enabling DHCP (Dynamic Host Configuration Protocol)
1390425 2-Critical   Libvirt core is generated on downgrade from 1.7.0 -A to 1.6.0 -A
1379565 2-Critical   Observing QKView start from 100% and then going back to 1%
1378917 2-Critical   FIPS partition details are not seen in the tenant console when it is configured without waiting until its status is 'Running'
1377653-1 2-Critical   During integrity failure condition, not able to see the error entries in fipserr file
1361117-1 2-Critical   ha-1-deployment pod may get restarted when tenant HA is configured
1352817-1 2-Critical   On rSeries systems, VLANs can get deleted but are still associated with the interface
1346417-1 2-Critical   Failed to register/deregister logs observed when tenants are deleted
1342353-1 2-Critical   Rapid deletion and recreation of tenant with same name will result in false running status of tenant
1341869-2 2-Critical   Failed to delete tenant pods
1339101-2 2-Critical   Intermittently tenant is stuck on the Liveness probes failures on r12k platform reboot
1332997-1 2-Critical BT1332997 Device stuck at "unmounting containers" after performing reboot
1328125-3 2-Critical   Data path to tenant does not work with LAG on virtual wire on r12k
1326021-1 2-Critical BT1326021 Egress packets on r5600 corrupted due to bit flips
1325893-2 2-Critical   A vqf-dm system software core file is occasionally observed on system reboot
1324833-1 2-Critical   BIG-IP Next tenants have different namespaces in kubectl output and 'show tenants' output
1309697-1 2-Critical BT1309697 ICMP traffic gets received on a physical interface in r4000 and r2000 HA configured while moving the VLAN between interfaces
1296997-4 2-Critical   Large core files can cause system instability
1287245-3 2-Critical BT1287245 DAGD component crashes during live upgrade or downgrade
1282493 2-Critical   Crypto devices are not released after tenants are deleted
1251989-2 2-Critical BT1251989 Changing the system Date/time back and forth using NTP server brings the system to abnormal state
1233093-4 2-Critical BT1233093 Able to create RADIUS server without "secret" option on the CLI
1224113-1 2-Critical   IPV6 packets are fragmented on R2x00/R4x00 platforms.
1169617-4 2-Critical BT1169617 BIG-IP tenant intermittently showing wrong status
1167661 2-Critical   Traffic redirect not happening when GTP-U DAG is mismatched between platform and the tenant side
1468613-1 3-Major   Observed Stale QAT entry for the deleted tenant
1468545-1 3-Major   Inconsistency with timezones displayed in log files
1466357-1 3-Major   Tenant pods stuck in terminating/unknown state
1455913-2 3-Major   Tcpdump on F5OS does not honor the -c flag
1437765-1 3-Major   Restoration of system configuration database may fail if admin user was previously modified
1403781-1 3-Major BT1403781 Modifying mgmt interface's description will trigger interface flapping
1399137-1 3-Major   "40001: bind: address already in use" failure logs on BIG-IP Next HA setup
1394273-1 3-Major   The user should not be created until 'commit' is entered, and the 'set-password' command should only be available after the user is created
1394045-1 3-Major   Misleading "unable to read AOM SSH login banner" errors are found
1393669-1 3-Major   On adding a member to an existing LAG on webUI, the newly added member's speed does not add up to the LAG's "Current Speed" instantly and requires a reload to see the expected response
1391625-1 3-Major   Hugepages do not get de-allocated after BIGIP NEXT tenant HA disassembly
1390485-1 3-Major   Calendar navigator skips one month
1388781-1 3-Major   Exporting the same file to the same remote location twice throws an error
1388725-1 3-Major   Incorrect tpm-integrity-status observed rarely
1388653-1 3-Major   Exception handling is missing for validating junk files in sw-mgmt code, resulting in crash logs in the sw-mgmt.debug file
1381557 3-Major   platform.log flooded with error messages when the line-dma agent is down
1381237-1 3-Major   Messages like "Failed to set up mount unit" may flood in /var/log/messages file
1378157-1 3-Major   Clearing system AOM data does not reset idle timeout value to default
1378153-1 3-Major   system AOM allows static configuration of IP address with DHCP enabled
1375497 3-Major   It is not possible to restore backups from iSeries systems with 4.x FIPS HSM cards to rSeries
1366417-2 3-Major   Long BIG-IP tenant names prevent virtual console access
1354329-2 3-Major   It is possible to create a user with 'tenant-console' as its primary role (without creating a tenant) from the ConfD CLI
1352845-1 3-Major BT1352845 Some internal log content may not appear in external log server
1351541-3 3-Major   Unable to remove ISO images that share the same minor version as the running version
1350801-1 3-Major   Error message when attempting to delete a service or OS image that was imported as part of an ISO bundle on rSeries 5600
1348509-1 3-Major   Incorrect file path reported in the telemetry log records
1320853-2 3-Major BT1320853 Config restore fails on system with lower size if the tenant is deployed with max size on original system
1307577 3-Major BT1307577 Add more resilience to the file download API
1307565 3-Major BT1307565 The file download API is not working with the x-auth-token header
1305173 3-Major   Tenant image tab completion will not show Next tenant images
1296521 3-Major   BIG-IP-Next tenant does not function correctly with incorrect vCPU core values
1268433-4 3-Major BT1268433 Some firewall rules do not generate denial logs
1251161 3-Major BT1251161 Authentication fails via the webUI when “:” is at the end or beginning of the password
1233865-4 3-Major   Memory capacity and utilization details are confusing / misleading
1211233-6 3-Major BT1211233 F5OS dashboard in webUI displays the system root file system usage, not the entire disk
1196417-1 3-Major BT1196417 First time user SSH session is getting closed after password change
1128633-1 3-Major BT1128633 Failed upload entries displayed under CLI file transfer-operations
1127393-4 3-Major   Error message is not displayed when user configures more than 3 DNS servers in ConfD CLI or webUI
1375133-1 4-Minor   K3S is getting reinstalled after live upgrade, even though there is no K3S version change
1327229-1 4-Minor   Some nuisance messages are sent to the platform log after every authentication configuration change

 

Known Issue details for F5OS-A v1.7.x

1468613-1 : Observed Stale QAT entry for the deleted tenant

Component: F5OS-A

Symptoms:
After the tenant is deleted, the output of "show cluster nodes node node-1" still lists the tenant and the QAT devices associated with it (a stale entry).

Conditions:
The following sequence triggers the issue:
1. On 1.7.0, which contains the redesigned QAT code, a tenant is deployed.
2. The device is downgraded to a release earlier than 1.7.0, where the QAT redesign is not present.
3. On the earlier release, the tenant is deleted.
4. The device is upgraded back to 1.7.0 or later, where the QAT redesign code is present.

Impact:
The stale QAT entries remain, and the QAT resources they reference stay allocated and unused. Deployment of new tenants is not affected.

Workaround:
None


1468545-1 : Inconsistency with timezones displayed in log files

Component: F5OS-A

Symptoms:
PEL logs on F5OS systems are written in a time zone that differs from the user-configured time zone.

Conditions:
The user has a time zone configured that is different from UTC; PEL logs then show different times from other logs for the same events.

Impact:
Troubleshooting and tracing issues is harder, as the time zones used in different logs do not match.

Workaround:
None


1466357-1 : Tenant pods stuck in terminating/unknown state

Component: F5OS-A

Symptoms:
After the BIG-IP Next tenant is deleted, a few pods are stuck in a terminating/unknown state.

Conditions:
The system is interrupted by an operation such as a reboot, upgrade, power cycle, port-mode change, licensing change, or network switch before deletion of the BIG-IP Next tenant has completed, leaving tenant pods stuck in a terminating/unknown state.

Impact:
Creating new tenants with the same name before ensuring proper cleanup of the previous tenant may affect the functionality of the new tenant.

Workaround:
The user should wait a few minutes after issuing the BIG-IP Next tenant 'delete' command for the tenant to be deleted properly before proceeding with system interrupt operations (rebooting/upgrading/power cycling/changing port modes/licensing/network switching).

Command to check tenant is deleted:

kubectl get pods -A

The above command lists all Kubernetes pods in all namespaces; ensure that no pod whose name starts with the tenant name remains before proceeding.
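The check described above, as an added example that is not part of these release notes or of F5's own tooling: a small POSIX shell helper that counts the pods still belonging to a tenant from the output of 'kubectl get pods -A --no-headers', and a polling loop that waits for that count to reach zero before any disruptive operation. The sample pod listing, the pod names, the namespaces and the 5-second poll interval are constructed assumptions; the only fact taken from the page is that a tenant's pods are named with the tenant name as a prefix.

```shell
#!/bin/sh
# Added example, not F5 code: wait for a deleted BIG-IP Next tenant's pods to
# disappear before rebooting/upgrading/power-cycling the appliance.

# tenant_pods_remaining TENANT
# Reads `kubectl get pods -A --no-headers` output on stdin (columns:
# NAMESPACE NAME READY STATUS RESTARTS AGE) and prints how many pods, in any
# namespace, have a NAME that starts with TENANT.
tenant_pods_remaining() {
    awk -v t="$1" 'NF >= 2 && index($2, t) == 1 { n++ } END { print n + 0 }'
}

# wait_for_tenant_deleted TENANT [TIMEOUT_SECONDS]
# Polls the cluster every 5 seconds until no tenant pods remain.
# Returns 0 when the tenant is gone, 1 if TIMEOUT_SECONDS (default 300) elapse.
wait_for_tenant_deleted() {
    tenant="$1"
    timeout="${2:-300}"
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        left=$(kubectl get pods -A --no-headers 2>/dev/null | tenant_pods_remaining "$tenant")
        [ "$left" -eq 0 ] && return 0
        sleep 5
        elapsed=$((elapsed + 5))
    done
    return 1
}

# Constructed sample of `kubectl get pods -A --no-headers` output: one tenant
# pod still Terminating, its HA pod, an unrelated system pod and a second
# tenant. Pod names and namespaces are made up for this example.
SAMPLE_PODS='default       tenant1-1-deployment-7c9f8b5d4-q2xkz     1/1   Terminating   0   3h
default       tenant1ha-1-deployment-5f8a1c7b9-m4nz2   1/1   Running       1   3h
kube-system   coredns-5d78c9869d-abcde                1/1   Running       0   5d
f5-tenant2    tenant2-1-deployment-6b4d9f7c2-8xk1p     1/1   Running       0   1d'

# Stand-alone demonstration on the sample (no cluster needed):
printf '%s\n' "$SAMPLE_PODS" | tenant_pods_remaining tenant1   # prints 2
```

On the appliance, run wait_for_tenant_deleted <tenant-name> from a root shell after issuing the tenant delete and only proceed with the reboot or upgrade when it returns 0. The prefix match deliberately catches both the tenant's own pods and the <tenant-name>ha-1-deployment pod, but it will also count pods of any other tenant whose name begins with the same string, so keep tenant names distinct or tighten the match.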


1455913-2 : Tcpdump on F5OS does not honor the -c flag

Component: F5OS-A

Symptoms:
When using Tcpdump on F5OS with the -c flag, Tcpdump will not stop after receiving the given number of packets.

Conditions:
A Tcpdump session is started with the -c or --count flag.

Impact:
The Tcpdump session will not terminate after receiving the requested number of packets and will continue until manually terminated.

Workaround:
N/A


1437765-1 : Restoration of system configuration database may fail if admin user was previously modified

Component: F5OS-A

Symptoms:
The restoration of the System Configuration Database fails with this error:
appliance-1(config)# system database config-restore name config_database1 proceed yes
Error: access denied
Database config-restore failed.

Conditions:
On F5OS-A 1.5.1, the expiry status of the 'admin' user was modified (for example, the account was locked or disabled) before the System Configuration Database was backed up, and that backup is then restored on an appliance that was RMA-replaced, factory-reset, or clean-installed.

Impact:
Unable to restore the System Configuration Database.

Workaround:
1. On F5OS-A 1.5.1, do not lock or modify the expiry status of the 'admin' user on an RMA-replaced, factory-reset, or clean-installed appliance. If it has been modified, re-enable the user before taking the backup.
2. Edit the System Configuration Database backup file: for both the admin and root users, remove the <expiry-status> line marked with the arrow below, then restore the configuration from the modified file:
           <username>admin</username>
           <config>
             <username>admin</username>
             <password><REMOVED></password>
             <last-change>0</last-change>
             <expiry-date>-1</expiry-date>
             <role>admin</role>
             <expiry-status>enabled</expiry-status> <---
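The file edit in step 2, as an added example that is not part of these release notes or of F5's tooling: a POSIX shell/awk filter that removes the <expiry-status> element only from the admin and root entries of a backup, leaving every other user untouched, plus a constructed backup fragment to run it on offline. Assumptions not on the page: the backup is line-oriented XML with one element per line, each user entry is a <user> element whose <config> block starts with <username>NAME</username> and is closed by </config>, and the third user and the role values in the sample are invented.

```shell
#!/bin/sh
# Added example, not F5 code: strip <expiry-status> from the admin and root
# user entries of a System Configuration Database backup before restoring it.

# strip_expiry_status  < backup.xml  > backup.fixed.xml
# Tracks whether the current line is inside a <config> block that belongs to
# the admin or root user and drops the <expiry-status> line only there.
# Assumes one element per line and a closing </config> for every <config>.
strip_expiry_status() {
    awk '
        /<config>/                                       { in_cfg = 1 }
        in_cfg && /<username>(admin|root)<\/username>/   { target = 1 }
        /<\/config>/                                     { in_cfg = 0; target = 0 }
        target && /<expiry-status>/                      { next }
        { print }
    '
}

# count_expiry_status < backup.xml
# Prints how many <expiry-status> elements remain (sanity check after editing).
count_expiry_status() {
    grep -c '<expiry-status>' || true
}

# Constructed backup fragment shaped like the one in the release note.
# The <user> wrapper, the third user "alice" and the role values are assumptions.
SAMPLE_BACKUP='<users>
  <user>
    <username>admin</username>
    <config>
      <username>admin</username>
      <password>REMOVED</password>
      <last-change>0</last-change>
      <expiry-date>-1</expiry-date>
      <role>admin</role>
      <expiry-status>enabled</expiry-status>
    </config>
  </user>
  <user>
    <username>root</username>
    <config>
      <username>root</username>
      <password>REMOVED</password>
      <last-change>0</last-change>
      <expiry-date>-1</expiry-date>
      <role>admin</role>
      <expiry-status>enabled</expiry-status>
    </config>
  </user>
  <user>
    <username>alice</username>
    <config>
      <username>alice</username>
      <password>REMOVED</password>
      <last-change>0</last-change>
      <expiry-date>-1</expiry-date>
      <role>operator</role>
      <expiry-status>enabled</expiry-status>
    </config>
  </user>
</users>'

# Stand-alone demonstration: 3 <expiry-status> elements before, 1 after.
printf '%s\n' "$SAMPLE_BACKUP" | strip_expiry_status | count_expiry_status   # prints 1
```

Run it as strip_expiry_status < backup.xml > backup.fixed.xml, diff the two files to confirm that exactly the two admin/root lines were dropped, and restore from the fixed copy. The backup carries password hashes for every local account, so keep both copies on a restricted path and delete the working copy after the restore.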


1404385-1 : Dagd component core

Links to More Info: BT1404385

Component: F5OS-A

Symptoms:
Rarely, the dagd component cores when a tenant instance is removed from the tenant cluster. This can happen due to tenant instance restarts or tmm restarts.

Conditions:
Tenant instance restarts or tmm restarts can trigger this issue.

Impact:
No impact is seen.

Workaround:
N/A


1404249 : Ping failing when tenant is reprovisioned from lower vCPU to 60 vCPU

Component: F5OS-A

Symptoms:
Ping will fail.
"ps -ef | grep tmm" will show tmm process waiting for ready.

[root@localhost:Active:Standalone] log # ps -ef | grep tmm
root 38710 31087 0 09:45 ? S 0:00 bigstart_wait tmm ready

Conditions:
Reprovisioning a tenant with 60 vCPU in F5OS. This issue is only applicable for the r12K series.

Impact:
Datapath functionality will not work.

Workaround:
Reboot tenant.


1403781-1 : Modifying mgmt interface's description will trigger interface flapping

Links to More Info: BT1403781

Component: F5OS-A

Symptoms:
Management interface description commit may cause an interface flap.

Conditions:
The mgmt interface description is changed for the first time and committed.

Impact:
There is a mgmt interface flap.

Workaround:
None


1401841-1 : Out of memory issues are seen when multiple telemetry exporters are configured

Component: F5OS-A

Symptoms:
Out of memory issues are seen when too many telemetry exporters are enabled.

Conditions:
The system is configured with many exporters that have the "retry-enabled" and "send-queue-enabled" options set to "true", and the exporter endpoints are not reachable from the device.

Impact:
This will increase memory utilization of the system and could cause the restart of random processes/services to free up the memory.

Workaround:
Disable the unreachable telemetry exporters from the ConfD CLI:
system telemetry exporters exporter <name> config disabled

If there are too many exporters configured, disable some of the exporters.


1400221-1 : OpenTelemetry exporters may not produce data upon first tenant being added to system

Component: F5OS-A

Symptoms:
Telemetry streaming stops when the first tenant is configured.

Conditions:
When OpenTelemetry exporters are configured before the first tenant is configured within F5OS, this can lead to a condition where the exporters stop streaming metrics and logs.

Impact:
OpenTelemetry exporters stop producing metrics and logs.

Workaround:
Disable and then re-enable all exporters from the ConfD CLI:

system telemetry exporters exporter <name> config disabled

system telemetry exporters exporter <name> config enabled


1399137-1 : "40001: bind: address already in use" failure logs on BIG-IP Next HA setup

Component: F5OS-A

Symptoms:
The following error is logged while HA is being configured between BIG-IP Next tenants:

"40001: bind: address already in use"

Conditions:
Errors are observed when HA is configured between two BIG-IP Next tenants.

Impact:
These are just error messages. No functional impact.

Workaround:
N/A


1398889-1 : rSeries r5000: assertion in qat-device-plugin FilteringResourceEventHandler.OnDelete causing k8s panic

Component: F5OS-A

Symptoms:
A crash log is written to run_plugin.log.

Conditions:
The qat-device-plugin crashes at some point during tenant deletion.

Impact:
No functional impact. run_plugin.log grows by one crash trace each time this happens.

Workaround:
None needed; the plugin restarts automatically and recovers.


1398341-1 : The affinity script crash seen in /var/log/cron logs

Component: F5OS-A

Symptoms:
The affinity script crashes because of an unhandled exception.

Conditions:
An unhandled null reference in the sys-affinity script.

Impact:
None; system-affinity restarts within 1 minute.

Workaround:
N/A


1396397-1 : File import failure with error "Couldn't resolve hostname"

Component: F5OS-A

Symptoms:
In a very rare case, even if the DNS server is configured correctly, the user might observe issues importing files with the error "Couldn't resolve hostname".

Conditions:
The user imports files with the 'file import' command; the error occurs even though DNS is configured correctly.

Impact:
User will not be able to import any files onto the system.

Workaround:
- Files can still be imported with curl or wget from a shell on the system.
- Rebooting the system resolves the issue.


1394905-1 : Unable to create AOM user

Component: F5OS-A

Symptoms:
When setting up another user in system AOM, a user gets the error "Unable to set AOM ssh username and password --------> failed".

Conditions:
- Creating a second username in system AOM
- Using same password as first username

Impact:
User cannot create a second username and password.

Workaround:
When creating a new username and password, you must use a different password than the first password used.
If you wish to setup a new username using the same password, you must first run "system aom clear-data" to clear out the old username and password combination.


1394857-1 : Cannot retrieve AOM username after creating it

Component: F5OS-A

Symptoms:
There is no way to retrieve the AOM username after setting it.

Conditions:
Setting the AOM username and password in ConfD: "system aom set-ssh-user-info username password"

Impact:
If the user forgets their username, there is no way to retrieve it.

Workaround:
You can use "system aom clear-data" to reset all the information and set a new username and password.


1394273-1 : The user should not be created until 'commit' is entered, and the 'set-password' command should only be available after the user is created

Component: F5OS-A

Symptoms:
When a user is created, the 'set-password' command is given as an option before the user runs 'commit'.

Conditions:
- Creating a new local user via ConfD CLI.

Impact:
None. Creating a new user, setting, changing, and deleting its password, and changing the user's configuration all work as expected.

Workaround:
N/A


1394045-1 : Misleading "unable to read AOM SSH login banner" errors are found

Component: F5OS-A

Symptoms:
The AOM SSH login banner is an optional field, but a misleading error "unable to read AOM SSH login banner" is found in logs if you do not configure it.

Conditions:
Configure AOM SSH and check the AOM info. The errors will appear in the log.

Impact:
Benign errors "unable to read AOM SSH login banner" are found in the log.

Workaround:
N/A


1393669-1 : On adding a member to an existing LAG on webUI, the newly added member's speed does not add up to the LAG's "Current Speed" instantly and requires a reload to see the expected response

Component: F5OS-A

Symptoms:
The status for the newly added member shows as "down" in the REST response and the newly added member's speed does not add up to the "Current Speed" of the LAG on the webUI/REST response.

Conditions:
Occurs on the webUI when adding a member to an existing LAG.

Impact:
"Current Speed" for the LAG appears stale as it does not reflect the newly added member's speed.

Workaround:
The stale value is momentary. Refreshing the screen shows the LAG's Current Speed correctly.


1393613-1 : IP Address empty after enabling DHCP (Dynamic Host Configuration Protocol)

Component: F5OS-A

Symptoms:
After enabling DHCP in ConfD, IP address allocation does not show up. This is because DHCP takes around 12 seconds to allocate an IP address after sending the request.

Conditions:
Using ConfD, configure the IP address using DHCP: "system aom config ipv4 dhcp-enabled true". Look at the IP address using "do show system aom".

Impact:
The IP address appears to be empty if you immediately look at the configuration information after enabling DHCP.

Workaround:
Wait around 12 seconds after enabling DHCP, before attempting to view the IP address.


1391625-1 : Hugepages do not get de-allocated after BIGIP NEXT tenant HA disassembly

Component: F5OS-A

Symptoms:
After BIGIP NEXT tenant HA disassembly, the huge pages allocated for the HA-deployment pod do not get de-allocated. This can be checked in /proc/meminfo.

Conditions:
This bug can be observed after HA disassembly.

Impact:
No functional impact. 38 MB of huge pages remain unavailable to other processes after HA disassembly; if HA is reassembled, the same huge pages are reused.

Workaround:
N/A


1390485-1 : Calendar navigator skips one month

Component: F5OS-A

Symptoms:
On the "Time Settings" screen, when using the calendar navigator under "Set Time & Date", the next-month navigation arrow skips a month.

Conditions:
Using the navigation arrow when the currently selected date is the 31st of a month and the next month has only 30 days.

Impact:
With the 31st of a month selected, a single click on the next-month arrow does not land on the following month, so the user cannot select a date in that month on the first attempt.

Workaround:
Users will be able to navigate to the desired month by using the back arrow.


1390425 : Libvirt core is generated on downgrade from 1.7.0 -A to 1.6.0 -A

Component: F5OS-A

Symptoms:
A libvirt core file is generated intermittently on downgrade from 1.7.0 -A to 1.6.0 -A. The tenant remains healthy and functional after the reboot.

Conditions:
Occurs intermittently when a system downgrades from 1.7.0 -A to 1.6.0 -A.

Impact:
A libvirt core file is generated, but the tenant is actually healthy and functional.

Workaround:
N/A


1388781-1 : Exporting the same file to the same remote location twice throws an error

Component: F5OS-A

Symptoms:
Exporting a file to a remote location succeeds, but an error is thrown if the same file is exported to the same remote location a second time over HTTP.

Conditions:
The error is seen only when the export is initiated over HTTP. If the same file is exported twice over SCP, the transfer succeeds and overwrites the previous copy.

Impact:
The user cannot export the same file to the same remote location twice over HTTP, even if the file has changed; the previously exported file cannot be overwritten.

Workaround:
The user can export that same file to the remote host over http protocol by altering either the file name or the remote location.


1388725-1 : Incorrect tpm-integrity-status observed rarely

Component: F5OS-A

Symptoms:
The tpm-integrity-status in ConfD displays "Dictionary Attack Lockout" after multiple reboots.
Ideally tpm-integrity-status would be "Valid".

Conditions:
The issue is seen after multiple reboots. The TPM may report a transient status while ConfD is being updated; the status is corrected later.

Impact:
The issue observed as part of this bug was not an actual attack. There is no impact other than the user interface reporting "Dictionary Attack Lockout".

Workaround:
Reboot should fix the issue.
If reboot does not fix the issue please contact F5 support as "Dictionary Attack Lockout" can be seen during an actual attack or also during a hardware failure.


1388653-1 : Exception handling is missing for validating junk files in sw-mgmt code, resulting in crash logs in the sw-mgmt.debug file

Component: F5OS-A

Symptoms:
Error messages appear in /var/log/sw-mgmt.debug when a junk file with an ISO name is copied to /var/import/staging.

Conditions:
A junk file with an iso name is copied to /var/import/staging.

Impact:
N/A

Workaround:
N/A


1381557 : platform.log flooded with error messages when the line-dma agent is down

Component: F5OS-A

Symptoms:
tcpdump needs to connect to the line-dma agent during startup to function properly. However, if tcpdump is unable to establish a connection with the line-dma agent during startup, the platform.log will be flooded with error messages.

Conditions:
tcpdump is unable to establish a connection with the line-dma agent during startup.

Impact:
platform.log is flooded with error messages.

Workaround:
No workaround.


1381237-1 : Messages like "Failed to set up mount unit" may flood in /var/log/messages file

Component: F5OS-A

Symptoms:
This occurs when a BIG-IP Next tenant is deployed on rSeries platforms while generating QKView files on the host (F5OS-A). Messages like "Failed to set up mount unit: Invalid argument" may flood in /var/log/messages file.

Conditions:
When a BIG-IP Next tenant is deployed and QKView files on the host (F5OS-A) are generated.

Impact:
Log messages with pattern "systemd: Failed to set up mount unit: Invalid argument" in /var/log/messages are flooded for 10-20 seconds.

Workaround:
None needed. The flood lasts only for the 10-20 seconds during which QKView files are being generated, then stops.


1380705-1 : BIG-IP tenant is stuck during boot up after doing tenant upgrade from 15.1.x to 17.1.x

Component: F5OS-A

Symptoms:
When F5OS reboots followed by a tenant upgrade from 15.1.x to 17.1.x, the tenants are getting stuck in boot up. This is applicable for both FIPS and normal license.

Console output:
[ 183.888473] [ OK ] Started dracut initqueue hook.
[ OK ] Reached target Remote File Systems (Pre).
[ OK ] Reached target Remote File Systems.
dracut-initqueue[251]: Warning: dracut-initqueue timeout - starting timeout scripts
[* ] A start job is running for dev-disk...54e.device (3min 36s / no limit)

The problem does not occur in all the deployed tenants. The main cause is that the BIG-IP tenant fails to boot when its LVM cache/metadata is not synced or is corrupted.

Conditions:
Host reboots followed by guest upgrade.
A tenant that reboots on its own retains its LVM metadata, but when the host reboots the tenant can lose it; this is a timing issue in LVM caching.

Impact:
Datapath and tenant configuration will be lost.

Workaround:
There is no workaround other than recovering the tenant manually: boot the tenant into TMOS Maintenance mode, restore the LVM metadata, and reboot.

Booting into TMOS Maintenance mode:

The easiest way is to keep a console attached to the tenant in one window (cbip-tenant1-1 is the example tenant name):
  while true; do virtctl console cbip-tenant1-1 -n default; done

In another window, find the tenant's qemu process and kill it so that the tenant restarts:
  ps auxww | grep cbip-tenant1-1
  kill <qemu pid>

Then return to the console window, select the maintenance entry in the GRUB menu, and run vgcfgrestore.

Note that this procedure is not foolproof.


1379565 : Observing QKView start from 100% and then going back to 1%

Component: F5OS-A

Symptoms:
On a second execution of QKView, it is possible that the percent complete reported by the system diagnostics QKView status command will remain at the previous setting until the QKView collection set-up has been completed. This has no effect on the QKView collection, but it can be confusing.

Conditions:
QKView is executed two or more times.

Impact:
Confusing percent-complete number for a few moments.

Workaround:
Wait for a few moments until QKView capture set-up has finished (up to 30 seconds).


1378917 : FIPS partition details are not seen in the tenant console when it is configured without waiting until its status is 'Running'

Component: F5OS-A

Symptoms:
FIPS partition details are not seen after connecting to the tenant console when it is configured without waiting until its status is 'Running.'

Conditions:
The tenant is deployed and its running-state is changed to 'configured'. The running-state is then changed back to 'deployed' together with the FIPS partition details, without waiting for the tenant to start.

Impact:
The tenant does not show the FIPS partition details.

Workaround:
Wait until the tenant comes up and either change the configuration or redeploy the tenant with the required configuration.


1378157-1 : Clearing system AOM data does not reset idle timeout value to default

Component: F5OS-A

Symptoms:
When clearing system AOM data, the SSH session idle timeout value does not get reset to the default value of 180. Instead, the value is set to 45.

Conditions:
Clearing the system AOM data - "system aom clear-data"

Impact:
System AOM SSH session idle timeout value is set to 45 instead of expected default of 180.

Workaround:
N/A


1378153-1 : system AOM allows static configuration of IP address with DHCP enabled

Component: F5OS-A

Symptoms:
The system allows the user to statically configure an IP address while DHCP (dynamic configuration) is enabled. This causes the IP address to be different from what the user may have intended.

Conditions:
The user sets the IP address to a static value and enables DHCP.

Impact:
If the user sets the IP address to a static value *and* enables DHCP, the IP address will not stay as the chosen static value. Instead, the IP address will be dynamically configured. This may cause confusion.

Workaround:
If the user wishes to use static configuration, set dhcp-enabled to false.


1377653-1 : During integrity failure condition, not able to see the error entries in fipserr file

Component: F5OS-A

Symptoms:
When the boot-time integrity check is bypassed with the GRUB parameter NO_FIPS_INTEGRITY=1, the services start successfully, but during fips-service initialization the fipsMonitor constructor resets the fipserr and entropyerr files, so the recorded cause of the integrity failure is lost.

Conditions:
This only occurs when the user disables the integrity check from GRUB on a system that has halted because of an integrity failure.

Impact:
The cause of the integrity failure won't be seen in the error file pointed by the logs.

Workaround:
When the device is halted, recover it first using the RECOVER_FIPS=1 as a GRUB option. After recovery, the user can disable the integrity check again using GRUB.


1377629-1 : Failed to ping tenant mgmt-ip

Component: F5OS-A

Symptoms:
Failed to ping tenant mgmt-ip.

The running tenant's configuration does not match the configuration that was deployed.

Conditions:
When the user modifies tenant config and moves the tenant to Deployed state before the old tenant instance gets cleaned up completely.

Impact:
Tenant will be running with old config and will not be able to ping tenant mgmt-ip.

Workaround:
Move the tenant to the configured state and, once the old tenant instance has terminated completely, move it back to the deployed state.


1375497 : It is not possible to restore backups from iSeries systems with 4.x FIPS HSM cards to rSeries

Component: F5OS-A

Symptoms:
Key migration (backup and restore) from iSeries devices with 4.x FIPS HSM cards to rSeries does not work. HSM 4.x cards are not supported.

Conditions:
If an iSeries device has a 4.x model HSM card, then key migration (backup and restore) to rSeries won't work.

Impact:
It is not possible to migrate data/keys from an iSeries device with a 4.x model HSM card to a rSeries device.

Workaround:
N/A. FIPS devices with HSM 4.x cards are not supported.


1375133-1 : K3S is getting reinstalled after live upgrade, even though there is no K3S version change

Component: F5OS-A

Symptoms:
The CLI "show cluster install-status" shows K3S as installing, even though there is no version change. This happens just after live upgrade.

Conditions:
This issue is seen during reboot just after live upgrade.

Impact:
There is no functional impact.

Workaround:
N/A


1366417-2 : Long BIG-IP tenant names prevent virtual console access

Component: F5OS-A

Symptoms:
No access to the BIG-IP tenant virtual console.

Conditions:
BIG-IP tenant name is longer than 32 characters.

Impact:
The creation of the tenant-console user fails, preventing access to the virtual console for that tenant.

Workaround:
Use tenant names that don't exceed 32 characters in length.


1361117-1 : ha-1-deployment pod may get restarted when tenant HA is configured

Component: F5OS-A

Symptoms:
When HA is configured on the BIG-IP Next tenants, a new pod of name <tenant-name>ha-1-deployment-<replica-set-hash>-<pod-id> will get created in the tenant namespace.

In some cases, the pod restart count may be 1.

Conditions:
HA is set up between BIG-IP Next tenants on rSeries.

Impact:
No functional impact. The pod will come to running state automatically.

Workaround:
N/A


1354329-2 : It is possible to create a user with 'tenant-console' as its primary role (without creating a tenant) from the ConfD CLI

Component: F5OS-A

Symptoms:
Admin can create a user with 'tenant-console' as its primary role from the ConfD CLI. This may create tenant console access issues if a tenant gets created with the same name as the user. The 'tenant-console' role is reserved for tenants, so it shouldn't be possible to create a user with the 'tenant-console' role.

Conditions:
Admin has created a user with the 'tenant-console' role and is now trying to create a tenant with the same name as the user.

Impact:
Console access to the tenant does not work.

Workaround:
N/A


1352845-1 : Some internal log content may not appear in external log server

Links to More Info: BT1352845

Component: F5OS-A

Symptoms:
When a remote log server is configured, some internal log content may not appear in the logs on the remote server. Notable are logs related to audit login failures.

Conditions:
Remote logging server is configured. Log messages do not appear on remote server for user trying to log in with wrong password repeatedly, causing account lockout.

Impact:
Brute-force password attack indications may not be seen on external log server.

Workaround:
For logs of this type, consult the log files directly on the appliance.


1352817-1 : On rSeries systems, VLANs can get deleted but are still associated with the interface

Component: F5OS-A

Symptoms:
On rSeries systems, if the user deletes a VLAN that is attached to an interface, no warning is given. Both the ConfD CLI and the webUI continue to show the VLAN as associated with the interface: the VLAN itself is removed from the ConfD database, but a stale reference to it remains on the interface.

Conditions:
This occurs when a user deletes a VLAN that is associated with an interface.

Impact:
No functional impact was observed. However, a stale entry of the deleted VLAN is present with the associated interface in the ConfD database.

Workaround:
Delete the stale VLAN entry from the interface configuration.

For example, a LAG interface 'intf' carries switched VLANs 1024 and 1025:
appliance-1# show running-config interfaces interface intf
interfaces interface intf
 config type ieee8023adLag
 aggregation config lag-type STATIC
 aggregation config distribution-hash src-dst-ipport
 aggregation switched-vlan config trunk-vlans [ 1024 1025 ]


After VLAN 1024 is deleted, the interface configuration still shows the 1024 entry.

Remove the 1024 entry from the interface configuration with the following commands:
appliance-1(config)# no interfaces interface intf aggregation switched-vlan config trunk-vlans 1024
appliance-1(config)# commit
Commit complete.
appliance-1(config)# exit

The deleted VLAN no longer appears:
appliance-1# show running-config interfaces interface intf
interfaces interface intf
 config type ieee8023adLag
 aggregation config lag-type STATIC
 aggregation config distribution-hash src-dst-ipport
 aggregation switched-vlan config trunk-vlans [ 1025 ]


1351981-1 : QAT count is not dynamically updated for active tenants after license upgrade

Component: F5OS-A

Symptoms:
The QAT count of BIG-IP Next tenants does not change for active tenants after license upgrade.
The QAT count does not match the expected value for the particular license.

Conditions:
The issue is seen only for BIG-IP Next tenants that are deployed with the old license.

Impact:
Incorrect QAT count for active (old) BIG-IP Next tenants.
No impact on new tenants after license upgrade.
No impact on BIG-IP tenants.

Workaround:
Deployed BIG-IP Next tenants need to be moved to configured and back to deployed for the right QAT value to be updated.


1351541-3 : Unable to remove ISO images that share the same minor version as the running version

Component: F5OS-A

Symptoms:
Removal of an ISO (controller/partition/appliance) fails when the ISO shares its major and minor version with the running software.
 
Example: 1.6.1 is installed and running; 1.6.2 (another 1.6.x release) is imported and the system is upgraded to it. While running 1.6.2, the 1.6.1 ISO cannot be deleted.

Conditions:
The major and minor version of the current ISO must be same as the ISO version that is being removed/deleted.

Impact:
Unable to remove the unused ISO.

Workaround:
For a controller or appliance, the ISO must be removed while running a software version with a different minor release. For example, 1.6.1-5555 can be removed while running 1.5.x or 1.7.x.
 
For partition, disable and unset the ISO versions of any partitions that use the same minor version of the ISO that needs to be removed. For example, you can remove 1.6.1-5555 by disabling all the partitions running on 1.6.X and de-configure the SW versions.


1350801-1 : Error message when attempting to delete a service or OS image that was imported as part of an ISO bundle on rSeries 5600

Component: F5OS-A

Symptoms:
On rSeries 5600, an error is displayed if you attempt to delete a Service or OS image that was imported as part of an ISO bundle, because such images cannot be deleted separately. The corresponding image is nevertheless removed from the software management list after the error message.

appliance-1(config)# system image remove os 1.7.0-3869 service 1.7.0-3869 iso 1.7.0-3869
response
    error: Image 1.7.0-3869 is part of 1.7.0-3869 ISO
    error: Image 1.7.0-3869 is part of 1.7.0-3869 ISO
    Success: Image 1.7.0-3869 is removed
appliance-1(config)#

Conditions:
Attempting to delete a base OS image or service image on rSeries.

Impact:
The "Service cannot be removed" error is displayed.

Workaround:
Always use the ISO to remove an F5OS version if the F5OS version is imported as part of an ISO.

appliance-1(config)# system image remove iso 1.7.0-3869

    Success: Image 1.7.0-3869 is removed


1348509-1 : Incorrect file path reported in the telemetry log records

Component: F5OS-A

Symptoms:
Incorrect file path reported in the telemetry log records.

Conditions:
N/A

Impact:
The log file data being collected for telemetry is:
/var/F5/system/log/platform.log.

However, the file location value in the telemetry log records is shown as /var/F5/partition/log/platform.log.

Workaround:
N/A


1346417-1 : Failed to register/deregister logs observed when tenants are deleted

Component: F5OS-A

Symptoms:
Deploy two BIG-IP Next tenants and one BIG-IP tenant.
After deleting the running tenants in the system, we can see error logs flooding.
There are multiple register and deregister failed error logs observed.
This is because when a tenant is deleted in ConfD it is deregistered automatically, but the tenant pod persists and keeps making calls to api-svc-gateway. Since api-svc-gateway has already deregistered the tenant based on the ConfD operation, it rejects these calls.

Conditions:
Deploy two BIG-IP Next tenants and one BIG-IP tenant.
After deleting the running tenants in the system, we can see error logs flooding.

Impact:
No functional impact.
Logs will flood until the pod is deleted.

Workaround:
N/A


1342353-1 : Rapid deletion and recreation of tenant with same name will result in false running status of tenant

Component: F5OS-A

Symptoms:
Repeated rapid deletion and re-creation of a tenant with the same name results in subsequent failure of the tenant, with the following symptoms:
1. The affected tenant's state shows "running" and the running-state shows "deployed".
2. There is no actual VM running.

Conditions:
Rapid deletion and re-creation of a tenant with the same name.

Impact:
False reporting of tenant status.

Workaround:
1. Ensure that there are at least 30 seconds between deletion and re-creation of the tenant.
2. Use a different tenant name.


1341869-2 : Failed to delete tenant pods

Component: F5OS-A

Symptoms:
Stale tenant pods will persist in Kubernetes.

kubectl get pods lists the tenant pods, although the tenants have been deleted.

Conditions:
When a user deploys 10 to 15 tenants and deletes all of them at the same time.

Impact:
Deleted tenant resources will still be running in Kubernetes and consuming resources.

Workaround:
Create a tenant with the same name and delete it.


1339101-2 : Intermittently tenant is stuck on the Liveness probes failures on r12k platform reboot

Component: F5OS-A

Symptoms:
- Tenant operational state shows "Liveness probe failed: no domain running under libvirtd yet\n"
- Tenant pod is in failure /restart state.
- K3S Event "failed to open /dev/vfio/140: Device or resource busy" is reported by the pod.

Conditions:
On appliance reboot when multiple tenants are deployed (>36).

Impact:
Tenant becomes inoperative.

Workaround:
This is an auto-recoverable error. Allow some time for the tenant to auto-recover.


1338601-2 : On multi tenants cases on system reboots tenant goes to INOPERATIVE state

Component: F5OS-A

Symptoms:
- Tenant state shows running in ConfD.
- Tenant management IP is not reachable.
- Inside tenant VM, prompt shows INOPERATIVE.

Conditions:
Issues observed on system reboots when a higher number of tenants (>36) is deployed on r12k.

Impact:
Tenant goes to inoperative state.

Workaround:
Move the tenant to the configured state and then back to the deployed state, with a little delay.


1332997-1 : Device stuck at "unmounting containers" after performing reboot

Links to More Info: BT1332997

Component: F5OS-A

Symptoms:
When a console session to any tenant on F5OS-A is open using virtctl console <tenant_name> and the system is rebooted, the reboot sometimes stalls at "unmounting containers".

Conditions:
Open the console session to any of the tenants using virtctl utility and reboot the system.

Impact:
After rebooting, the system takes time to fully start up.

Workaround:
Power the system off and on whenever the issue is hit.


1332781-3 : A remote user with the same username as the local F5OS user will be granted the local user's roles

Links to More Info: BT1332781

Component: F5OS-A

Symptoms:
If you create a remote user on the RADIUS, TACACS+, or LDAP servers with the same username as a local F5OS user, the remote user will be granted the local user's roles upon authentication.

Conditions:
A remote user is created with the same username as a local user and remote authentication is enabled.

Impact:
The remote user will take on the local user's privileges.

Workaround:
Do not create a remote user with the same username as a local user. If you have already created one, change the username of either the local user or the remote user.


1328137-1 : Observing r12k interfaces going down after enabling Fast L4 mode

Component: F5OS-A

Symptoms:
Soon after enabling Fast L4 traffic, interfaces go down as traffic locks up.
Example: LACP status is DOWN

Conditions:
The bandwidth engine component (BE2) is attached to ATSE FPGA and is used for Fast L4. The BE2 hardware initialization can fail if a serial link does not successfully complete its training sequence.

Impact:
The FPGA datapath locks up and cannot be recovered.

Workaround:
Reboot the r12k to reload the FPGAs.


1328125-3 : Data path to tenant does not work with LAG on virtual wire on r12k

Component: F5OS-A

Symptoms:
Data path does not work; ping to the self IP/virtual server fails.

Conditions:
On r12k system
> LAG is created with interfaces.
> LAGs are attached to virtual-wire and virtual wire is configured on tenant.
> At initial tenant deployment, data path/ping traffic does not work.

Impact:
Data path does not work.

Workaround:
Upon restart, the tenant data path/ping traffic works correctly.


1327229-1 : Some nuisance messages are sent to the platform log after every authentication configuration change

Component: F5OS-A

Symptoms:
Messages similar to the following may be added to the platform log after every authentication configuration change:

2023-08-03T09:43:49.150901+00:00 appliance-1 authd[8]: priority="Info" version=1.0 msgid=0x3901000000000149 msg="System's IPv6 management address isn't configured.".
2023-08-03T09:43:49.157934+00:00 appliance-1 authd[8]: priority="Info" version=1.0 msgid=0x3901000000000092 msg="LDAP server:" server="ldap://ldapserver.example.com:389".
2023-08-03T09:43:49.157951+00:00 appliance-1 authd[8]: priority="Info" version=1.0 msgid=0x3901000000000096 msg="LDAP SSL:" ssl="off".

Conditions:
The user makes a change in system aaa authentication.

Impact:
There are nuisance messages in the platform log.

Workaround:
N/A


1326021-1 : Egress packets on r5600 corrupted due to bit flips

Links to More Info: BT1326021

Component: F5OS-A

Symptoms:
Egress packets on r5600 corrupted due to bit flips resulting in network communication failures.

Conditions:
Unknown.

Impact:
Difficulties communicating on the network.


1325893-2 : A vqf-dm system software core file is occasionally observed on system reboot

Component: F5OS-A

Symptoms:
The line-dma-agent or vqf-dm occasionally hits a cosmetic failure state while the entire system is rebooting; this has no effect on the state of the system.

Conditions:
Traffic is being sent to a tenant while rebooting, and the tcp-dump-daemon system software is not shut down before the line-dma-agent.

Impact:
A core file is observed on the system after the system finishes rebooting.

Workaround:
N/A


1324833-1 : BIG-IP Next tenants have different namespaces in kubectl output and 'show tenants' output

Component: F5OS-A

Symptoms:
When support for BIG-IP Next tenants was added, the processing times for creation grew quite a bit. Every time a tenant is deleted and created again with the same name, the backend processing work is only keyed by the tenant name. Therefore, it could end up executing cleanup operations on the wrong tenant id, leaving the original tenant id configuration intact on the nodes, causing collision problems for the new tenant.

Conditions:
Deploy a new tenant with the same name immediately after deleting the old tenant.

Impact:
The kubectl output will still show the information of the old tenant, but the 'show tenants' output shows the new tenant's information.

Workaround:
If a user wants to delete and recreate a tenant with the same name, they need to wait a few minutes after tenant deletion.


1320853-2 : Config restore fails on system with lower size if the tenant is deployed with max size on original system

Links to More Info: BT1320853

Component: F5OS-A

Symptoms:
If a tenant is deployed with the maximum storage size on a system, and an attempt is made to restore the same configuration on another system with less disk space than the original device, the configuration restore fails.

Conditions:
* Tenant deployed with maximum storage size.
* Restoring the configuration across the devices with different disk sizes.

Impact:
Configuration restore fails.

Workaround:
Edit the configuration backup file and adjust the tenant size as per the target system.

Note: There could be other workarounds.


1319573-1 : BIG-IP tenants created before F5OS-A 1.3.0 may be allocated a smaller disk than required

Component: F5OS-A

Symptoms:
If the BIG-IP tenant is created before F5OS-A 1.3.0 with default storage size, the displayed size values in "show tenants tenant" are not correct. They will be displayed as "0".

Conditions:
Happens when the BIG-IP tenant was created before F5OS-A 1.3.0 with the default storage size and the system is upgraded to F5OS-A 1.5.1 (or a later version).

Impact:
No effect on BIG-IP tenant's functionality.

Workaround:
From F5OS-A 1.4.0, the user does not need to adjust the size unless the user needs a bigger size.
The right/minimum size will be auto-allocated when the state is changed.


1309697-1 : ICMP traffic gets received on a physical interface in r4000 and r2000 HA configured while moving the VLAN between interfaces

Links to More Info: BT1309697

Component: F5OS-A

Symptoms:
ICMP traffic is not successful when pinging a tenant floating IP while a VLAN is moving between interfaces. Tcpdump shows that ICMP traffic can be observed at the physical interface but not at the virtual interface assigned to the tenant.

Conditions:
- r4000 or r2000 systems running BIG-IP HA Pair
- Moving the VLAN between interfaces

Impact:
Traffic on the interface where the VLAN was configured cannot be processed by TMM.

Workaround:
N/A


1307577 : Add more resilience to the file download API

Links to More Info: BT1307577

Component: F5OS-A

Symptoms:
If basic authentication is used in place of the x-auth-token, the system blocks the requests, which eventually go stale in the request queue.

Conditions:
Using basic authentication instead of the x-auth-token for file download causes this situation.

Impact:
No new download requests can be made.

Workaround:
Restart the platform-services.


1307565 : The file download API is not working with the x-auth-token header

Links to More Info: BT1307565

Component: F5OS-A

Symptoms:
The x-auth-token in the header of the request is not working for file download.

Conditions:
Try to download a file using the file download API with the x-auth-token header.

Impact:
The file download fails when using the file download API with the x-auth-token header.

Workaround:
Pass x-auth-token as part of the form-data of the API instead of in the header.


1305173 : Tenant image tab completion will not show Next tenant images

Component: F5OS-A

Symptoms:
When a user tries to deploy a Next tenant, tab completion for the image field does not work.

Conditions:
When a user tries to deploy a Next tenant, tab completion for the image field does not work if the type is not given first.

Impact:
Tenant image tab completion will not show the Next tenant images.

Workaround:
Enter the tenant type first and then the image field.

example: tenants tenant next-tenant config type BIGIP-Next image ...


1296997-4 : Large core files can cause system instability

Component: F5OS-A

Symptoms:
When a system generates and stores large core files, it can make the system unstable.

Conditions:
F5OS generates a large core file.

Impact:
F5OS core-writing script does not check filesystem availability before writing a core file and can fill up the filesystem, causing catastrophic system instability until disk-space is reclaimed.

Workaround:
None


1296521 : BIG-IP-Next tenant does not function correctly with incorrect vCPU core values

Component: F5OS-A

Symptoms:
When an incorrect vCPU core value is committed, the BIG-IP-Next tenant may not be fully functional.

Conditions:
User commits an invalid vCPU core value.

Impact:
The tenant may not be fully functional. However, it will still deploy and be in a 'running' state.

Workaround:
Use the recommended vCPU core value for the tenant.


1292541-2 : Loading saved configuration on BIG-IP fails if host modifications are made after "tmsh save sys config" on R2800/R4800 platforms

Component: F5OS-A

Symptoms:
Loading a saved configuration on a BIG-IP tenant running on R2800/R4800 fails when the host has a different configuration from what is being loaded on the tenant.
It fails with an error message similar to the following:

01070257:3: Requested VLAN member (1.5) is currently a trunk member
Unexpected Error: Loading configuration process failed.

Conditions:
-- rSeries 4x00 or R2x00 platform
-- Configuration is backed up using tmsh
-- A change is made to one or more VLANs, interfaces, trunks, or type of VLANs on the host
-- The BIG-IP system loads the configuration

Impact:
Configuration load fails, which puts TMM into an inoperative state.

Workaround:
When the tenant is in the inoperative state because of this issue, the following steps help recover the system:

1. Revert the platform configuration related to the VLANs attached to the tenant that moved to INOPERATIVE state.
2. Check that the reverted configuration is loaded in the tenant.
3. Restart the mcpd service or reboot the tenant to bring it back to the active state.
4. Once the tenant is back in the active state, save the config using "save sys config".
5. Subsequent reboots will no longer put the tenant into INOPERATIVE state.


1287245-3 : DAGD component crashes during live upgrade or downgrade

Links to More Info: BT1287245

Component: F5OS-A

Symptoms:
The DAGD component crashes occasionally during live upgrade or downgrade. However, these incidents won't affect the overall system, and the DAGD component will restart automatically without requiring any user action.

Conditions:
The DAGD component crashes occur rarely during live upgrade or downgrade.

Impact:
There is no impact on the overall health of the system.

Workaround:
N/A


1282493 : Crypto devices are not released after tenants are deleted

Component: F5OS-A

Symptoms:
Deleting the tenants does not release the crypto devices that were allocated to those tenants while creating them.

Conditions:
When a software upgrade was initiated incorrectly, such as:
1. Upgrading only OS version
2. Upgrading only Service version

Impact:
Crypto device behavior will be unexpected.

Workaround:
Always upgrade the software with ISO that contains the correct OS and services combination.


1273221-4 : On rSeries FIPS system, operations which involve reboot, might result in FIPS device failure state

Links to More Info: BT1273221

Component: F5OS-A

Symptoms:
After a reboot of the F5OS-A rSeries system in any operation (for example, live upgrade or reboot), the FIPS HSM card might not become operational, and tenants that were running earlier might not come back to a running state. This is due to a handshake failure between the liquid security driver and the HSM card: the driver gets stuck in SAFE_STATE instead of reaching SECURE_OPERATIONAL_STATE.

The driver state can be checked with the following command on the host system.
[root@appliance-1 ~]# cat /proc/cavium_n3fips/driver_state
HSM 0:SECURE_OPERATIONAL_STATE
[root@appliance-1 ~]#

Conditions:
The issue might occur in a live software upgrade or any situation that involves a reboot of the rSeries FIPS system with F5OS-A.

The following logs are observed in dmesg repeatedly for every retry of the handshake between the driver and the HSM card.

[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION

Impact:
The FIPS HSM is not operational in the system, so FIPS tenants deployed on the F5OS rSeries host do not work as expected; they do not change to a RUNNING state.

Workaround:
As the driver is stuck in "HSM 0:SAFE_STATE", a power reboot will resolve the issue.

Below are the steps to follow:

1. Power off
2. Wait for 5 minutes
3. Power on


1273013-4 : Five percent (5%) deviation can be observed in TPS performance on R10920 and R5920 tenant

Component: F5OS-A

Symptoms:
On R10920 and R5920 tenants, TPS performance degradation of up to 5% may be observed.

Conditions:
When an R10920 or R5920 tenant is deployed.

Impact:
TPS performance may be degraded by 5%.

Workaround:
N/A


1268433-4 : Some firewall rules do not generate denial logs

Links to More Info: BT1268433

Component: F5OS-A

Symptoms:
system_latest_vers network namespaces are disabled by default to prevent host kernel log flooding from inside a container.

Conditions:
By default, all network namespace logs are disabled except for init namespace.

Impact:
When traffic from an IP address is denied, no message is logged saying that traffic from that IP address was denied.

Workaround:
Command to enable system_latest_vers network namespace denial logs:
sysctl -w net.netfilter.nf_log_all_netns=1 (not-persistent)

Persistent solution:
1) Create a file: /etc/sysctl.conf

2) Run the command:
echo "net.netfilter.nf_log_all_netns = 1" >> /etc/sysctl.conf
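As an added example (not part of the release note), a small POSIX shell helper that persists the sysctl setting above idempotently, so that re-running it does not append a duplicate line to /etc/sysctl.conf the way a repeated "echo >>" would, and then reads the persisted value back for verification. The function names are assumptions made for this example, and the target file is a parameter so the helper can be exercised on a constructed copy of sysctl.conf.

```shell
#!/bin/sh
# Added example, not from the release note: persist net.netfilter.nf_log_all_netns
# idempotently. Function names are assumptions made for this example.

# Print the persisted value of KEY in FILE (the last uncommented "KEY = value"
# line); return 1 if the file does not exist or KEY is not set in it.
sysctl_conf_value() {
    file="$1"; key="$2"
    [ -f "$file" ] || return 1
    awk -v k="$key" -F'=' '
        { name = $1; sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name) }
        name == k { val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val); found = 1 }
        END { if (found) print val; else exit 1 }' "$file"
}

# Ensure FILE contains exactly one "KEY = VALUE" line: any existing assignment
# of KEY is dropped before the wanted line is appended, so running this twice
# leaves a single entry (comments and other keys are kept untouched).
ensure_sysctl_conf_entry() {
    file="$1"; key="$2"; value="$3"
    tmp="${file}.tmp.$$"
    [ -f "$file" ] || : > "$file"
    awk -v k="$key" -F'=' '
        { name = $1; sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name) }
        name != k { print }' "$file" > "$tmp"
    printf '%s = %s\n' "$key" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# Apply the setting to the running kernel (non-persistent, as the release note
# says) and persist it so that it survives a reboot. Requires root on the host;
# prints the value read back from the file so the caller can verify it.
enable_netns_denial_logs() {
    conf="${1:-/etc/sysctl.conf}"
    sysctl -w net.netfilter.nf_log_all_netns=1 || return 1
    ensure_sysctl_conf_entry "$conf" net.netfilter.nf_log_all_netns 1
    sysctl_conf_value "$conf" net.netfilter.nf_log_all_netns
}
```

Run `enable_netns_denial_logs` as root on the host to apply and persist the setting in one step; `sysctl_conf_value /etc/sysctl.conf net.netfilter.nf_log_all_netns` shows what will be applied at the next boot.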


1253717-7 : iavf driver crashes intermittently on r2000 or r4000 systems during system reboot

Links to More Info: BT1253717

Component: F5OS-A

Symptoms:
When the r2000/r4000 system goes down during reboot, a crash of iavf driver is seen on the system console intermittently. This crash occurs due to multiple calls to the same function that releases the network devices inside iavf driver code.

Conditions:
Occurs intermittently on r2000/r4000 systems that use iavf drivers to manage datapath network devices/ports when the system is rebooting.

Impact:
No functional impact.

Workaround:
N/A


1251989-2 : Changing the system Date/time back and forth using NTP server brings the system to abnormal state

Links to More Info: BT1251989

Component: F5OS-A

Symptoms:
Upon changing the system date, the following can be observed on the appliance:
1. K3S cluster pods go into an errored state.
2. The tenant cannot be brought up on the cluster.

Conditions:
The date/time can be changed either by using an NTP server or by using the CLI.

The date is changed forward and then moved back to the original date.

Impact:
The K3S cluster does not come up properly and eventually brings down the tenant.

Workaround:

1. Identify the pods that have certificate issues.
2. In the case of the K3S cluster and kubevirt pods, recover by deleting the pods.


1251161 : Authentication fails via the webUI when ":" is at the end or beginning of the password

Links to More Info: BT1251161

Component: F5OS-A

Symptoms:
After modifying the user's password to include ":" either at the beginning or the end of the password, the user is not able to log in via the webUI.

The user is able to log in via the CLI (SSH).

Conditions:
The password includes ":" at the beginning or end of the password string.

Impact:
User not able to log in via the webUI.

Workaround:
Do not use ":" at the beginning or end of the password string.

Since it is possible to log in via the CLI, modify the password accordingly.


1250901-5 : On rSeries FIPS system live upgrade, cavium_n3fips (liquidsec_pf_vf driver) may fail to come into operational state

Links to More Info: BT1250901

Component: F5OS-A

Symptoms:
After a reboot of the system in a live upgrade, tenants that were running earlier might not change to a running state. This is due to the HSM board driver being stuck in SAFE_STATE instead of OPERATIONAL_STATE.

In some cases, the driver changes to an operational state after some amount of time (approximately 10 minutes). But this time might vary upon detection of reset/link failure in the hardware. In some other systems, the driver becomes stuck in SAFE_STATE indefinitely.

Conditions:
Live upgrade/reboot of the rSeries FIPS system with F5OS-A.

You may observe the following logs in dmesg:
[ 964.105021] liquidsec_pf_vf_driver 0000:ca:00.0: We might have a link issue... resetting
[ 964.113688] liquidsec_pf_vf_driver 0000:ca:00.0: RESETTING FIRMWARE... CAUTION

Impact:
Running tenants go to the pending state when this issue occurs in a live upgrade.

Workaround:
Check the contents of the cavium_n3fips driver_state file as shown below.
[appliance]# cat /proc/cavium_n3fips/driver_state
HSM 0:OPERATIONAL_STATE

If the driver changes to an operational state, perform
"docker restart fips-support-pod" to help in recovering.

But if the driver state is still "HSM 0:SAFE_STATE", you may need to perform a power cycle reboot (but this will not guarantee recovery).


1233865-4 : Memory capacity and utilization details are confusing / misleading

Component: F5OS-A

Symptoms:
The memory statistics do not provide a clear or accurate representation of the total memory and how it is being utilized.

Conditions:
Using ConfD to retrieve information about memory capacity and utilization.

Impact:
There are no clear, easy-to-understand statistics for memory capacity and utilization.

Workaround:
N/A


1233093-4 : Able to create RADIUS server without "secret" option on the CLI

Links to More Info: BT1233093

Component: F5OS-A

Symptoms:
From the CLI, a user is able to create a new RADIUS server without configuring the "secret" option. This is a mandatory parameter; without it, the server will not work.

Conditions:
A user creates a new RADIUS server group but does not configure the "secret" option.

appliance-1(config)# system aaa server-groups server-group radius-example config name radius-example type RADIUS
appliance-1(config-server-group-radius-example)# servers server 1.2.3.4 config address 1.2.3.4
appliance-1(config-server-1.2.3.4)# commit
Commit complete.

Impact:
The RADIUS server will not work correctly.

Workaround:
If the RADIUS server is missing the "secret" option, a user can manually configure it from the CLI, even after it is created.

appliance-1(config-server-1.2.3.4)# radius config secret-key
(<AES encrypted string>): ****
appliance-1(config-server-1.2.3.4)# commit
Commit complete.


1224113-1 : IPV6 packets are fragmented on R2x00/R4x00 platforms.

Component: F5OS-A

Symptoms:
IPv6 packets are fragmented on R2x00/R4x00 platforms, which causes a slight performance degradation.

Conditions:
Fragmentation is seen for IPv6 packets.

Impact:
Performance is degraded when passing IPv6 traffic. There is no functional impact from this issue other than the performance impact.

Workaround:
N/A


1211233-6 : F5OS dashboard in webUI displays the system root file system usage, not the entire disk

Links to More Info: BT1211233

Component: F5OS-A

Symptoms:
The Dashboard page displays disk usage information that can be misleading.

For example, on an r5900 the following information may be shown:

Storage Capacity: 109.4GB
System Storage Free: 89.1GB
System Storage Used: 15%

However, the storage capacity is a value taken from the root (/) filesystem. It does not represent the entire 800GB disk, and does not show information about the file systems where tenant images reside.

Conditions:
View Dashboard page in webUI.

Impact:
This is a cosmetic issue.

Workaround:
Linux commands such as "df -hl -t ext4" provide detailed information about disk usage.

Another breakdown of the disk partition use can also be seen using "lsblk /dev/nvme0n1". Note that nvme0n1 is the physical disk of interest.

Example from rSeries appliance:

# lsblk /dev/nvme0n1
NAME                                 MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
nvme0n1                              259:0    0 683.5G  0 disk
|-nvme0n1p1                          259:1    0     1G  0 part /boot/efi
|-nvme0n1p2                          259:2    0     1G  0 part /boot
|-nvme0n1p3                          259:3    0 455.3G  0 part
| `-partition_tenant-root            253:2    0 455.3G  0 lvm  /var/F5/system/cbip-disks
|-nvme0n1p4                          259:4    0 113.9G  0 part
| `-vdo_vol                          253:3    0 227.7G  0 vdo
|   `-partition_image-export_chassis 253:4    0 227.7G  0 lvm  /var/export/chassis


1196417-1 : First time user SSH session is getting closed after password change

Links to More Info: BT1196417

Component: F5OS-A

Symptoms:
User SSH session is getting closed after password change, at the time of first SSH login.

Conditions:
When changing password at the time of first SSH login.

Following is an example:
ssh jeevan1@10.238.160.60
The authenticity of host '10.238.160.60 (10.238.160.60)' can't be established.
ECDSA key fingerprint is SHA256:RlyjC/Tx6uI7rX9zZy6q0ADKkx6GNReSyb1iohYnKio.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.238.160.60' (ECDSA) to the list of known hosts.
jeevan1@10.238.160.60's password:
You are required to change your password immediately (root enforced)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user jeevan1.
Changing password for jeevan1.
(current) UNIX password:
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Connection to 10.238.160.60 closed. <=== SSH session shouldn't be closed.

Impact:
No impact on any of the features due to this issue. The user just needs to log in again with the changed password as the current SSH session will be closed after password change.

Workaround:
N/A


1169617-4 : BIG-IP tenant intermittently showing wrong status

Links to More Info: BT1169617

Component: F5OS-A

Symptoms:
Due to the order and content of events received from Kubernetes, TPOB fails to determine the latest status of the BIG-IP tenant and temporarily displays a wrong status.
The wrong status will be auto-corrected.

Conditions:
A tenant recovered from an error state randomly displays a wrong status temporarily and then auto-corrects.

Impact:
Intermittent wrong status displayed with BIG-IP tenants.

Workaround:
N/A


1167661 : Traffic redirect not happening when GTP-U DAG is mismatched between platform and the tenant side

Component: F5OS-A

Symptoms:
When the GTP-U DAG field is enabled on the platform side and disabled on the tenant side, traffic redirect does not happen.

Conditions:
The GTP_U DAG field is enabled on the platform side and disabled on the tenant side of a running traffic setup.

Impact:
Traffic redirects will not happen since the configuration is mismatched.

Workaround:
There is no workaround. The issue has been resolved in 17.1.1.


1128633-1 : Failed upload entries displayed under CLI file transfer-operations

Links to More Info: BT1128633

Component: F5OS-A

Symptoms:
Old, failed uploads continue to display in the file transfer-operations list for an unknown period of time only in the CLI. The webUI entries under the image import list are deleted every 24 hours as it uses the file transfer-status API.

Conditions:
If the image upload operation fails for some unknown reason, the failed entries are listed under both the transfer-status list and the transfer-operations list. The list under transfer-status is cleared every 24 hours, but the list under transfer-operations remains.

Impact:
- As old, failed uploads continue to display in the list for an unknown period of time, the list under transfer-operations is more cluttered.
- There is no functional impact.
- The webUI is clutter free, only the CLI is affected.

Workaround:
N/A


1127393-4 : Error message is not displayed when user configures more than 3 DNS servers in ConfD CLI or webUI

Component: F5OS-A

Symptoms:
When a user tries to configure more than 3 DNS server entries in F5OS-A using the command "system dns servers server" or from the webUI, no error message is displayed. The system supports only 3 DNS servers, but the user is allowed to configure more than 3.

Conditions:
Configure DNS server in F5OS-A using ConfD CLI or webUI.

Impact:
No impact. Even though the user configures more than 3, the system uses only 3 entries.

Workaround:
N/A




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade
