2261661 : CVE-2022-28131: golang: encoding/xml: stack exhaustion in Decoder.Skip

Component: F5OS-A

Symptoms:
A flaw was found in golang encoding/xml. When calling Decoder, Skip while parsing a deeply nested XML document, a panic can occur due to stack exhaustion and impacts system availability.

Conditions:
Need local access

Impact:
a panic can occur due to stack exhaustion and impacts system availability.

Workaround:
restrict the local access

Fix:
updated go version in which this CVE fixed.

2261657 : CVE-2022-28131 - Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows an attacker to cause a panic due to stack exhaustion via a deeply nested XML document.

Component: F5OS-A

Symptoms:
Uncontrolled recursion in Decoder.Skip in encoding/xml before Go 1.17.12 and Go 1.18.4 allows to cause a panic due to stack exhaustion via a deeply nested XML document.

Conditions:
NA

Impact:
It can lead to a denial of service by crashing the effected services.

Workaround:
NA

Fix:
Go version has been updated to a non-vulnerable version.

2228961-1 : CVE-2026-25749 : Vim: Arbitrary code execution via 'helpfile' option processing

Component: F5OS-A

Symptoms:
Vim's tag file resolution logic allows a local attacker to achieve a out-of-bounds write. By providing a specially crafted helpfile option value a local user can trigger a heap buffer overflow, as consequence lead to memory corruption presenting a data integrity impact or leading the vim process to crash resulting in availability impact. Although being non-trivial and very complex, arbitrary code execution is not discarded as worst case scenario.

Conditions:
a local user provides or opens a specially crafted 'helpfile' option value or help/tag file

Impact:
Leading to impact on confidentiality, integrity, and availability, within the privileges of the local user.

Workaround:
N/A

Fix:
updated to the fixed version

2227221-3 : F5OS tpm-integrity-status is Unavailable on certain versions released since October 2025

Links to More Info: BT2227221

Component: F5OS-A

Symptoms:
When you run show components component state tpm-integrity-status, the TPM integrity status reports "Unavailable"

# show components component state tpm-integrity-status

          TPM
          INTEGRITY
NAME STATUS
-----------------------
platform Unavailable

Conditions:
-- Running the tpm-integrity-status command from F5OS-A or F5OS-C on rSeries or VELOS:
- VELOS systems running F5OS-C versions 1.8.2, 1.8.2-EHF, or 1.6.4
- rSeries systems running F5OS-A versions 1.8.3, 1.8.3-EHF, or 1.5.4
- EHFs built after October 15, 2025, including EHFs posted to MyF5 downloads in October such as:
  - F5OS-A-1.8.3-23493.R5R10.EHF-1
  - F5OS-C-1.8.2-28324.CONTROLLER.EHF-1
  - F5OS-C-1.8.2-28324.PARTITION.EHF-1

-- The calendar date is on or after April 4, 2026

Impact:
The tpm-integrity-status output reads Unavailable after April 4th, 2026.

Workaround:
If it is before April 4, 2026, you can run 'show components component state tpm-integrity-status' to get the TPM status.

2219813-3 : Empty File path in upload api leads to core

Links to More Info: BT2219813

Component: F5OS-A

Symptoms:
The utils-agent service crashes

Conditions:
Provide an empty file path to the upload api

Impact:
Utils-agent crashes and generates a core.

Workaround:
None

Fix:
Empty/Null check added for file path field in upload api to make sure no crash in utils-agent service.

2218489-2 : CVE-2025-38085 kernel: mm/hugetlb: fix huge_pmd_unshare() vs GUP-fast race

Component: F5OS-A

Symptoms:
Unexpected memory access behavior may occur due to race conditions in huge page management

Conditions:
Occurs on vulnerable kernel versions during concurrent memory operations involving huge pages (hugetlb) and fast page pinning (GUP-fast)

Impact:
May lead to unintended access to memory belonging to another process, potentially exposing sensitive information

Workaround:
N/A

Fix:
Fixed

2218469-1 : CVE-2025-39817: kernel: efivarfs: Fix slab-out-of-bounds in efivarfs_d_compare

Component: F5OS-A

Symptoms:
A slab-out-of-bounds exists in the linux kernel in efivarfs_d_compare, such that the issue can be triggered by parallel lookups using an invalid filename due to an incorrect memcmp function.

Conditions:
Occurs during concurrent efivarfs lookups with malformed or invalid EFI variable filenames, typically requiring local privileged access

Impact:
May lead to kernel instability or crash.

Workaround:
N/A

Fix:
The kernel has been updated to the fixed version.

2218437-1 : CVE-2025-37797: kernel: net_sched: hfsc: Fix a UAF vulnerability in class handling

Links to More Info: K000160078

2218133-1 : CVE-2026-0915: glibc: glibc: Information disclosure via zero-valued network query

Component: F5OS-A

Symptoms:
A flaw was found in glibc, the GNU C Library. When an application calls the getnetbyaddr or getnetbyaddr_r functions to resolve a network address, and the system's nsswitch.conf file is configured to use a DNS (Domain Name System) backend for network lookups, a query for a zero-valued network can lead to the disclosure of stack memory contents.

Conditions:
DNS must be enabled in nsswitch config.

Impact:
Sensitive data gain.

Workaround:
NA

Fix:
Fixed

2211261-1 : Enable login-attribute to work with UPN based authentication in F5OS

Component: F5OS-A

Symptoms:
Authentication using userPrincipalName is not enabled by default in F5OS.

Conditions:
In F5OS, When configured active_directory to true and trying to authenticate the user with userPrincipalName instead of sAMAccountName will fail.

Impact:
Authentication using userPrincipalName will fail in F5OS for active directory based remote authentications.

Workaround:
1. Configure login-attrribute to userPrincipalName from ConfD CLI as below:
system aaa authentication ldap login-attrribute userPrincipalName

2. For client based UPN authentication -
   a. Client Certificates should have been generated using UPN name
   b. Configure in which field we need to fetch username in confd via "system aaa authentication clientcert config client-cert-name-field"
   c. Configure login-attribute as userPrincipalName in confd via "system aaa authentication ldap login-attrribute userPrincipalName"



Note:
We can configure login-attribute via confd cli or restconf api. In this release there is no support to configure login-attribute from GUI.

Fix:
Added configurable parameter in confd to enable "userPrincipalName" based authentication.

2209005-1 : TLS client authentication for LDAP servers not working

Links to More Info: BT2209005

Component: F5OS-A

Symptoms:
F5OS does not authenticate to LDAP servers.

Conditions:
- LDAP authentication in F5OS configured to use a client certificate and key ("system aaa authentication ldap tls_cert" and "system aaa authentication ldap tls_key").
- Either or both of the following:
-- An LDAP group mapping is configured (ldap-group specified for a role)
-- Active Directory enabled and Unix Attributes disabled

Impact:
F5OS is unable to connect to the LDAP server

Workaround:
None

2207865-1 : Snmpwalk misses LAG interface stats intermittently

Links to More Info: BT2207865

Component: F5OS-A

Symptoms:
Though the LAG interface is configured in system, some stats for the LAG interface will be missed in snmpwalk output intermittently.

Conditions:
Issue is rarely observed when running snmpwalk in a loop continuously.

Impact:
Snmpwalk may not display all statistics for the LAG interfaces.

Workaround:
Run snmpwalk after a 20 second delay.

Fix:
Ensured all LAG interface statistics are properly reported in SNMP walk output.

2201365-1 : Intermittent webUI startup failure after F5OS v1.8.x upgrade caused by SSL certificate generation issue

Component: F5OS-A

Symptoms:
In rare cases after upgrading to F5OS v1.8.x, the Web GUI (httpd) may fail to start. System logs may show a missing ServerName directive, and the /etc/auth-config/default/f5os.cert file may be missing or zero bytes.

Conditions:
This issue can occur in certain scenarios where the upgrade process fails to properly generate or retain the f5os.cert certificate file, and the authentication-manager does not recover from the missing or empty certificate, resulting in an invalid httpd configuration.

Impact:
The webUI is completely unavailable. CLI and API access remain functional.

Workaround:
Restart the authentication-mgr and http-server services using the following CLI command:
 
system diagnostics os-utils docker restart node platform service authentication-mgr

system diagnostics os-utils docker restart node platform service http-server

2201053-1 : WebUI Connection may be refused After Upgrading to version F5OS-A 1.8.3

Component: F5OS-A

Symptoms:
After upgrading from version 1.5.3 to 1.8.3, access to the WebUI is no longer available. All connection attempts result in a "connection refused" error.

Conditions:
Occurs when upgrading from v1.5.3 to v1.8.3

Impact:
WebUI becomes inaccessible.

Workaround:
None.

2198665-2 : CVE-2021-3737: python: urllib: HTTP client possible infinite loop on a 100 Continue response

Links to More Info: K000159893

2183789-1 : FDB entries may expire when multiple entries hash to the same FPGA table index and traffic is intermittent

Links to More Info: BT2183789

Component: F5OS-A

Symptoms:
L2/FDB entries may expire even when traffic is arriving at the FPGA of the Appliance or VELOS Blade.

Conditions:
L2 entries which internally hash to the same table index inside the FPGA can lead to the expiration of the entry when traffic is arriving on intervals of more than 30 seconds from that MAC address. On each interval, an age refresh message might be lost, leading to decrement the age of the entry on 30 seconds. When the entry reaches the last period it will expire, and then it will be re-learnt again.

Impact:
The expiration of the FDB entry can lead to Destination Lookup Failures that are rate-limited, i.e. traffic loss. Depending on the scenario this could lead to intermittent potential outages between the entry expires, and it is learnt again.

Workaround:
Create a static FDB entry for the MAC address that suffers expiration issues. See K000152328.

Ensure that traffic from the MAC address expiring arrives continuously under 30 seconds intervals.

Open a Support case and request an EHF.

2182497 : CVE-2025-38352: kernel: posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del()

Component: F5OS-A

Symptoms:
A race condition was found in the Linux kernel’s POSIX CPU timer handling, where handle_posix_cpu_timers() may run concurrently with posix_cpu_timer_del() on an exiting task which could result in use-after-free scenarios. An attacker with local user access could use this flaw to crash or escalate their privileges on a system.

Conditions:
NA

Impact:
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Fix:
Kernel has been updated to a non-vulnerable version.

2181821-1 : CVE-2025-38614 kernel: eventpoll: semi-unbounded recursion

Component: F5OS-A

Symptoms:
A flaw in the Linux kernel eventpoll subsystem allows a local unprivileged user to create deeply nested epoll structures, leading to excessive recursion and potential kernel stack exhaustion, resulting in a denial of service

Conditions:
a local unprivileged user creates deeply nested epoll file descriptor chains via standard epoll system calls

Impact:
resulting in denial of service; no impact to confidentiality or integrity

Workaround:
N/A

Fix:
Fixed

2181801-1 : CVE-2025-38498 kernel: do_change_type(): refuse to operate on unmounted/not ours mounts

Component: F5OS-A

Symptoms:
A flaw in do_change_type() allowed a process to change mount propagation flags on mounts outside its own mount namespace, breaking expected isolation guarantees. This could enable a local attacker with mount privileges to disrupt or alter mount behavior in other namespaces, potentially causing system-wide denial of service.

Conditions:
NA

Impact:
denial of service

Workaround:
N/A

Fix:
updated to fixeed version

2181757-1 : CVE-2022-50367 kernel: fs: UAF/GPF bug in nilfs_mdt_destroy

Links to More Info: K000158972

2181681-1 : CVE-2023-53373 kernel: crypto: seqiv - Handle EBUSY correctly

Links to More Info: K000159889

2171937-1 : The Virtual Server is not receiving traffic due to an incorrect VLAN update from F5OS platform

Links to More Info: BT2171937

Component: F5OS-A

Symptoms:
When a specific native VLAN is configured for a port in virtual-wire, the incoming packets still arrive with VLAN ID 4094, while the Virtual Server expects traffic with the configured VLAN ID.

Conditions:
Configuring a specific native vlan on a port and then configuring it in virtual-wire.

Impact:
When enabling/disabling virtual-wire mode on a port with a configured native VLAN, the port default VLAN was being set with values (4094 for vwire enable, 4095 for vwire disable), ignoring any existing native VLAN configuration.

Workaround:
Once the virtual-wire is configured on the port, if the remove and re-add the native vlans to the interfaces, the hardware should get programmed correctly.

Fix:
Added a fix such that ensure native VLAN configuration is respected and preserved throughout the virtual-wire lifecycle.

2162969-4 : CVE-2022-50356 kernel: net: sched: sfb: fix null pointer access issue when sfb_init() fails

Links to More Info: K000160222

2152949-2 : Disabled ports or port mode mismatchs can cause bad register reads.

Links to More Info: BT2152949

Component: F5OS-A

Symptoms:
When a Front panel port is disabled or the port mode is mismatched, it can cause incorrect register reads. This may manifest as port interface flapping on other unrelated ports.

Conditions:
Front Panel Port is disabled or a port mode mismatch, such as a 100GE optic installed when the port is configured for 40GE operating mode.

Impact:
The status on other interfaces may incorrectly show ‘down’ when the interface is ‘up’ or other unexpected behavior.

Workaround:
Enable all Front Panel ports, even those not in use, and ensure there are no port mode mismatches.

Fix:
Updated FPGA firmware is required for the fix.

2151413-2 : TACACS External Authentication Failure after a software upgrade

Links to More Info: BT2151413

Component: F5OS-A

Symptoms:
TACACS users are not able to login to the device.

Conditions:
TACACS+ server sends back an authorization reply with an auth status of 'PASS_REPL' (pass + *replace all attributes*) instead of 'PASS_ADD' (pass + *add* to attributes)

Impact:
TACACS users will be unable to log in when the server is configured under the specified conditions.

Workaround:
Avoid using PASS_REPL on Tacacs server.

Fix:
After upgrading device to latest EHF build, the issue is not reproduced.

2151269-1 : Prompt-statusd process occasionally cores

Links to More Info: BT2151269

Component: F5OS-A

Symptoms:
Occasionally the prompt-statusd daemon will core.

Conditions:
This can occur in prompt-statusd during normal operation.

Impact:
After core, service will restart the operation

Workaround:
None

2144597-1 : CVE-2023-45803: urllib3: Request body not stripped after redirect from 303 status changes request method to GET

Component: F5OS-A

Symptoms:
urllib3 may improperly retain HTTP request bodies during redirects (301/302/303) when converting requests to GET, potentially exposing sensitive data. Exploitation requires a compromised trusted service and is considered low risk.

Conditions:
N/A

Impact:
Potential exposure of sensitive data from HTTP request bodies to unintended endpoints during redirects

Workaround:
N/A

Fix:
updated to the fixed version

2132141-1 : Interface 8.0 on r2000 and r4000-series F5OS appliances does not join LACP LAG or transmit LLDP BPDUs after upgrade to F5OS-A 1.8.3★

Links to More Info: BT2132141

Component: F5OS-A

Symptoms:
- Interface 8.0 has an operational status of UP
- Interface 8.0 does not join a LACP LAG.
- Interface 8.0 does not transmit any LLDP packets.
- Log messages similar to the following in the platform.log:

nic-manager[8]: priority="Err" version=1.0 msgid=0x720c000000000003 msg="Error NULL interface descriptor".

Conditions:
- Running an affected version of F5OS-A.
- An r2000-series or r4000-series appliance. This issue does not affect r5000-, r10000-, or r12000-series appliances.
- Interface 8.0 is in a LACP LAG.

Impact:
Interface 8.0 is not able to negotiate and join a LACP LAG

Workaround:
This issue is fixed in F5OS-A 1.8.3 EHF-1, which is available for download on MyF5: https://my.f5.com/manage/s/downloads?productFamily=F5OS&productLine=F5OS+Appliance+Software&version=1.8.3&container=1.8.3-EHF

2131773-1 : Error message IDs for image-agent do not match those documented in the error catalog

Links to More Info: BT2131773

Component: F5OS-A

Symptoms:
Some of the message ids logged by the image-agent service in platform log do not match the error message id in the catalog.

Conditions:
Looking up image-agent logs by ID in the error message catalog.

Impact:
This discrepancy makes it difficult to correlate system logs with documentation for troubleshooting and support.

Workaround:
None

Fix:
Updated the error catalog message IDs correctly.

2131677-2 : PSU inventory data shows "Not Available" on F5OS-A

Links to More Info: BT2131677

Component: F5OS-A

Symptoms:
After PSU power test, F5OS reports PSU serial/part number as "Not Available" and shows empty state. Platform-hal logs "wrong common header format version: 0" and "wrong zero checksum 255 != 254" errors. PSU functions normally but inventory data unavailable.

Conditions:
Occurs after PSU power test/reseat
PSU FRU EEPROM corrupted
Failed to read the Seriel number.

Impact:
Incorrect PSU inventory display.

Workaround:
None

2131529-1 : CVE-2025-8058: glibc: Double free in glibc

Links to More Info: K000157129

2131429-1 : init_etile: Cable check failed

Links to More Info: BT2131429

Component: F5OS-A

Symptoms:
F5 rSeries Appliances may experience issues with port bringup when using an OPT-0036 in 4x10G bifurcated (breakout) mode. The system log will show an “init_etile: Cable check failed” message for one or more of the bifurcated ports. The system will not be able to establish a link on the port and the port status will remain down.

Conditions:
rSeries Appliance using an OPT-0036 in 4x10G breakout mode running F5OS-A-1.8.3 or earlier.

Impact:
Port remains down.

Workaround:
None. Requires F5OS update.

Fix:
Fixed in F5OS-A-1.8.3-25023-EHF-6 and later.

2131057-1 : CVE-2016-2148: Heap-based buffer overflow in the DHCP client, affecting BMC firmware

Links to More Info: K000156994

2130793-2 : CVE-2025-47268 iputils: Signed Integer Overflow in Timestamp Multiplication in iputils ping

Links to More Info: K000158112

2130773-4 : CVE-2025-48964 iputils: iputils integer overflow

Component: F5OS-A

Symptoms:
An integer overflow flaw has been discovered in the ping function within the iputils package. This overflow may allow an attacker to craft an ECHO reply which can prevent iputils from operating normally.

Conditions:
ping to the system.

Impact:
This issue may allow an attacker to craft an ECHO reply which can prevent iputils from operating normally.

Workaround:
NA

Fix:
Fixed

2107157 : OpenSSL security vulnerability (CVE-2025-9230)

Links to More Info: K000159887

2106705 : CVE-2025-22868: golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws

Component: F5OS-A

Symptoms:
A flaw was found in the golang.org/x/oauth2/jws package in the token parsing component. This vulnerability is made possible because of the use of strings.Split(token, ".") to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of . characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.

Conditions:
Occurs when an affected version of the golang.org/x/oauth2/jws package is present and used for JWT token parsing.

Impact:
The affected service may experience elevated memory usage or degraded performance when handling specific input data.

Workaround:
NA

Fix:
The issue has been addressed by removing the unused golang.org/x/oauth2/jws service from F5OS.

2088601-1 : The anaconda-ssh service fails to start during installation phase, preventing remote SSH access

Component: F5OS-A

Symptoms:
SSH access is unavailable when using the inst.sshd boot parameter to enable remote debugging or Kickstart monitoring.

Conditions:
To enable SSH access and troubleshoot boot issues during the bare metal installation process.

Impact:
Blocks remote debugging over SSH during the bare metal installation process.

Workaround:
Need to trobleshoot through console only.

Fix:
Enabled the eno1 physical port and resolved the OpenSSL and OpenSSH compatibility.

2078301 : Dagd may crash if a malicious message is sent from the tenant

Links to More Info: K000156796, BT2078301

2063565-1 : CVE-2022-23219: glibc: Stack-based buffer overflow in sunrpc clnt_create via a long pathname

Links to More Info: K52308021, BT2063565

2063545-1 : CVE-2022-23218: glibc: Stack-based buffer overflow in svcunix_create via long pathnames

Links to More Info: K52308021, BT2063545

2053301-2 : Upon reaching maximum memory capacity, BIG-IP tenant pods intermittently regenerated after a host reboot

Links to More Info: BT2053301

Component: F5OS-A

Symptoms:
BIG-IP Tenant Pods will keep restarting forever.

On host(root access)# kubectl get pods

Ex:
# kubectl get pods
NAMESPACE NAME READY STATUS RESTARTS AGE
default f5-resource-manager-jlv5q 1/1 Running 0 7h9m
default virt-launcher-v171x-1-xnk5s 1/1 Running 0 2m15s ==========>
default virt-launcher-v175x-1-24d9w 1/1 Running 0 2m4s ==========>
default virt-launcher-new-183-tenant-1-2nz9q 0/1 Running 0 15s ===========>
default virt-launcher-v151x-1-bqqr5 0/1 Init:0/1 0 2s

The status of the BIG-IP tenants on F5OS user CLI might show as "Started Tenant Instance" but the tenants will not be accessible.

Conditions:
One or more tenants are configured to utilize all available memory and the host undergoes a reboot.

Impact:
The BIG-IP tenants will not reachable.
No impact to BIG-IP's data.

Workaround:
With root access to the F5OS host, run the below command on bash shell:
# docker restart system_fpga

after few(~5) min the BIG-IP tenants will be reachable.

Fix:
A command should be executed on F5OS with root privileges to recover the tenants from inaccessible state.

2050869-2 : CVE-2022-41721 x/net/http2/h2c: request smuggling

Component: F5OS-A

Symptoms:
A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection, it will instead read the body of the HTTP request, which could be attacker-manipulated to represent arbitrary HTTP2 requests.

Conditions:
NA

Impact:
Potentially leading to the server misinterpreting request boundaries and processing unintended or malicious HTTP/2 requests.

Workaround:
NA

Fix:
Upgraded to golang.org/x/net v0.38.0

2050865-2 : CVE-2021-44716 golang: net/http: limit growth of header canonicalization cache

Component: F5OS-A

Symptoms:
There's an uncontrolled resource consumption flaw in golang's net/http library in the canonicalHeader() function. An attacker who submits specially crafted requests to applications linked with net/http's http2 functionality could cause excessive resource consumption that could lead to a denial of service or otherwise impact to system performance and resources.

Conditions:
NA

Impact:
Can trigger excessive resource and CPU consumption

Workaround:
NA

Fix:
Upgraded to golang.org/x/net v0.38.0

2050861-2 : CVE-2021-33194 golang: x/net/html: infinite loop in ParseFragment

Component: F5OS-A

Symptoms:
A flaw was found in golang. An attacker can craft an input to ParseFragment within parse.go that would cause it to enter an infinite loop and never return. The greatest threat to the system is of availability.

Conditions:
NA

Impact:
A specially crafted input may cause ParseFragment to enter an infinite loop, resulting in application hang and denial of service.

Workaround:
NA

Fix:
Upgraded to golang.org/x/net v0.38.0

2050853-2 : CVE-2020-28852 golang.org/x/text: Panic in language.ParseAcceptLanguage while processing bcp47 tag

Component: F5OS-A

Symptoms:
A flaw was found in golang.org. In x/text, a "slice bounds out of range" panic occurs in language.ParseAcceptLanguage while processing a BCP 47 tag.

Conditions:
An affected version of the golang.org/x/text library is present and the language.ParseAcceptLanguage function processes certain malformed BCP 47 language tags.

Impact:
May cause a "slice bounds out of range" panic

Workaround:
NA

Fix:
This issue is resolved by upgrading to golang.org/x/text v0.23.0.

2050845-2 : CVE-2022-32149 golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags

Component: F5OS-A

Symptoms:
A vulnerability was found in the golang.org/x/text/language package. An attacker can craft an Accept-Language header which ParseAcceptLanguage will take significant time to parse. This issue leads to a denial of service, and can impact availability.

Conditions:
NA

Impact:
May cause excessive CPU usage, leading to significant performance degradation

Workaround:
NA

Fix:
Upgraded to golang.org/x/text v0.23.0

2050841-2 : CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension

Component: F5OS-A

Symptoms:
A flaw was found in golang.org. In x/text, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension.

Conditions:
NA

Impact:
May cause an "index out of range" panic

Workaround:
NA

Fix:
Upgraded to golang.org/x/text v0.23.0

2050833-2 : CVE-2021-38561 golang: out-of-bounds read in golang.org/x/text/language leads to DoS

Component: F5OS-A

Symptoms:
A flaw was found in golang. The language package for go language can panic due to an out-of-bounds read when an incorrectly formatted language tag is being parsed. This flaw allows an attacker to cause applications using this package to parse untrusted input data to crash, leading to a denial of service of the affected component.

Conditions:
NA

Impact:
May trigger an out-of-bounds read and application panic, leading to a denial of service.

Workaround:
NA

Fix:
Upgraded to golang.org/x/text v0.23.0

2050801 : CVE-2017-16539 docker: The DefaultLinuxSpec function does not block /proc/scsi pathnames

Component: F5OS-A

Symptoms:
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.

Conditions:
The Docker engine version is earlier than 1.13.1 and
Docker containers are started with capabilities that allow write access to /proc/scsi/scsi.

Impact:
Containers with sufficient privileges could potentially remove SCSI devices from the host system, resulting in data loss or device unavailability.

Workaround:
NA

Fix:
This vulnerability is not present in Docker version v1.13.1 or later.

2050793 : CVE-2024-36623 moby: Race Condition in Moby's streamformatter Package

Component: F5OS-A

Symptoms:
A flaw was found in Moby's streamformatter package. This vulnerability allows data corruption or application crashes via multiple concurrent write operations triggered by a race condition

Conditions:
NA

Impact:
Users may experience data inconsistencies or unexpected termination of the application when concurrent write operations are invoked under specific runtime conditions.

Workaround:
NA

Fix:
This issue has been addressed with a fix

2050789 : CVE-2025-22868 golang.org/x/oauth2/jws: Unexpected memory consumption during token parsing in golang.org/x/oauth2/jws

Component: F5OS-A

Symptoms:
A flaw was found in the golang.org/x/oauth2/jws package in the token parsing component. This vulnerability is made possible because of the use of strings.Split(token, ".") to split JWT tokens, which can lead to excessive memory consumption when processing maliciously crafted tokens with a large number of . characters. An attacker could exploit this functionality by sending numerous malformed tokens and can trigger memory exhaustion and a Denial of Service.

Conditions:
An affected version of the golang.org/x/oauth2/jws package is present and used to parse JWT tokens.

Impact:
Can lead to excessive memory consumption, potentially resulting in memory exhaustion and denial of service.

Workaround:
NA

Fix:
Upgraded to golang.org/x/oauth2 v0.28.0

2050701 : CVE-2025-58754 axios: Axios DoS via lack of data size check

Component: F5OS-A

Symptoms:
Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to versions 0.30.2 and 1.12.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so when supplied a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Versions 0.30.2 and 1.12.0 contain a patch for the issue.

Conditions:
Axios version prior to 0.30.2 and 1.12.0 is present and used in a Node.js environment to process URLs with the data: scheme.

Impact:
This will lead to DoS.

Workaround:
NA

Fix:
Axios has been updated

2047717-1 : PlatformStatsBridge process crash

Links to More Info: BT2047717

Component: F5OS-A

Symptoms:
The PlatformStatsBridge process crashes on SIGSEGV, creates a core file. The associated Docker container goes into "Exited" state.

SNMP failures and webUI errors occur, indicating the server or underlying service is unreachable.

Conditions:
Issue occurs occasionally, when an snmp request tries fetching diskUsagePercentage on platform stats.

Impact:
The Docker container does not restart automatically as expected.

Workaround:
None

Fix:
The support for diskUsagePercentage MIB has been reverted.

2044517-2 : Changing LDAP configuration via the GUI results in an unexpected error

Links to More Info: BT2044517

Component: F5OS-A

Symptoms:
Changing LDAP configuration on GUI errors out with the following error message - "object is not writable:
/oc-sys:system/oc-sys:aaa/oc-sys:authentication/f5-aaa-ldap:ldap/f5-aaa-ldap:state"

Conditions:
When using a Windows Active Directory (AD) server and LDAP settings are configured with Active Directory authentication enabled (true) and Unix Attributes disabled (false).

Impact:
You are unable to make LDAP configuration changes via the GUI.

Workaround:
Make the configuration change from CLI.

Fix:
GUI will not modify the read-only state part of the LDAP configuration and allow user to save the LDAP configuration changes.

2009765-1 : Tcpdump may crash with "malloc(): corrupted top size" when using complex BPF filters

Links to More Info: BT2009765

Component: F5OS-A

Symptoms:
Running tcpdump with complex or long BPF filter expressions may result in a crash with the error message:
malloc(): corrupted top size

Conditions:
This issue occurs when tcpdump is invoked with a filter expression containing multiple conditions or a long filter string, especially when run via the system diagnostics

Impact:
Packet capture operations fails and no data is collected. This may impact troubleshooting or monitoring activities that rely on tcpdump.

Workaround:
None

Fix:
Tcpdump has been updated to reliably support complex and long filter expressions. The utility now validates filter input to prevent errors, ensuring stable and consistent packet capture operations

2008753-2 : Privilege Escalation to Admin via SSH Port Forwarding

Links to More Info: K000156771

2008505-4 : F5OS SCP hardening

Links to More Info: K000156771, BT2008505

2000389-2 : CVE-2018-10105 - tcpdump: SMB data printing mishandled

Links to More Info: K000156675, BT2000389

1999777-2 : CVE-2018-10103 - tcpdump: SMB data printing mishandled

Links to More Info: K000156675, BT1999777

1998753-1 : CVE-2021-3516 libxml2: Use-after-free in xmlEncodeEntitiesInternal() in entities.c

Component: F5OS-A

Symptoms:
There's a flaw in libxml2's xmllint in versions before 2.9.11. An attacker who is able to submit a crafted file to be processed by xmllint could trigger a use-after-free. The greatest impact of this flaw is to confidentiality, integrity, and availability.

Conditions:
NA

Impact:
May trigger a use-after-free condition

Workaround:
Avoid processing untrusted or unknown XML files

Fix:
Applied upstream patches.

1998541-1 : CVE-2021-3518 libxml2: Use-after-free in xmlXIncludeDoProcess() in xinclude.c

Component: F5OS-A

Symptoms:
There's a flaw in libxml2. An attacker who is able to submit a crafted file to be processed by an application linked with libxml2 could trigger a use-after-free. The greatest impact from this flaw is to confidentiality, integrity, and availability.

Conditions:
NA

Impact:
May trigger a use-after-free condition

Workaround:
Avoid processing untrusted or unknown XML files

Fix:
Applied upstream patches.

1998521-1 : CVE-2021-3517 libxml2: Out-of-Bounds Read in XML Entity Encoding Functionality

Links to More Info: K03179547, BT1998521

1998417-1 : CVE-2022-29824 libxml2: Integer Overflow in Buffer Handling Functions Leading to Out-of-Bounds Writes

Component: F5OS-A

Symptoms:
In libxml2 before 2.9.14, several buffer handling functions in buf.c (xmlBuf*) and tree.c (xmlBuffer*) don't check for integer overflows. This can result in out-of-bounds memory writes. Exploitation requires a victim to open a crafted, multi-gigabyte XML file. Other software using libxml2's buffer functions, for example libxslt through 1.1.35, is affected as well.

Conditions:
libxml2 before 2.9.14

Impact:
may trigger integer overflows in buffer handling functions, leading to out-of-bounds memory writes

Workaround:
Avoid processing untrusted or unusually large XML files

Fix:
Applied upstream patch

1998265-1 : CVE-2021-3537 libxml2: NULL Dereference Due to Improper Error Handling in Mixed Content Parsing Ask Explain

Component: F5OS-A

Symptoms:
A vulnerability found in libxml2 in versions before 2.9.11 shows that it did not propagate errors while parsing XML mixed content, causing a NULL dereference. If an untrusted XML document was parsed in recovery mode and post-validated, the flaw could be used to crash the application. The highest threat from this vulnerability is to system availability.

Conditions:
libxml2 versions before 2.9.11

Impact:
May trigger a NULL pointer dereference

Workaround:
Avoid processing untrusted or unknown XML documents in recovery mode

Fix:
Applied upstream patches.

1998233-1 : CVE-2017-9047 libxml2: Buffer Overflow in xmlSnprintfElementContent

Component: F5OS-A

Symptoms:
A buffer overflow was discovered in libxml2 20904-GITv2.9.4-16-g0741801. The function xmlSnprintfElementContent in valid.c is supposed to recursively dump the element content definition into a char buffer 'buf' of size 'size'. The variable len is assigned strlen(buf). If the content->type is XML_ELEMENT_CONTENT_ELEMENT, then (i) the content->prefix is appended to buf (if it actually fits) whereupon (ii) content->name is written to the buffer. However, the check for whether the content->name actually fits also uses 'len' rather than the updated buffer length strlen(buf). This allows us to write about "size" many bytes beyond the allocated memory. This vulnerability causes programs that use libxml2, such as PHP, to crash.

Conditions:
An affected version of libxml2 (up to and including v2.9.4) is present and processes XML elements with complex content definitions using the xmlSnprintfElementContent function.

Impact:
A specially crafted XML file may trigger a buffer overflow

Workaround:
Avoid processing untrusted or specially crafted XML files

Fix:
Applied upstream patches.

1997969-1 : CVE-2017-16931 libxml2: Improper Handling of Parameter-Entity References

Component: F5OS-A

Symptoms:
parser.c in libxml2 before 2.9.5 mishandles parameter-entity references because the NEXTL macro calls the xmlParserHandlePEReference function in the case of a '%' character in a DTD name.

Conditions:
libxml2 before 2.9.5

Impact:
May trigger improper handling of parameter-entity references, possibly leading to unexpected behavior

Workaround:
Avoid processing untrusted or unknown XML files

Fix:
Applied upstream patches.

1996657 : CVE-2022-2817 vim: heap use-after-free in string_quote() at src/strings.c

Component: F5OS-A

Symptoms:
A use-after-free vulnerability was found in Vim in the string_quote function in the strings.c file. This issue occurs because an already freed memory is used when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the use-after-free, causing the application to crash, possibly executing code and corrupting memory.

Conditions:
vim prior to 9.0.0212

Impact:
May trigger a use-after-free condition

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1996609 : CVE-2022-3296 vim: out-of-bound write in function ml_append_int

Component: F5OS-A

Symptoms:
A stack-based buffer overflow vulnerability was found in vim's ex_finally() function of the src/ex_eval.c file. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a bug that causes an application to crash, possibly executing code and corrupting memory.

Conditions:
NA

Impact:
Users may observe unexpected termination or memory inconsistency during editing or buffer operations.

Workaround:
NA

Fix:
This issue has been adressed with a fix

1996593 : CVE-2022-3234 vim: Heap-based Buffer Overflow

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.0483.

Conditions:
NA

Impact:
The vim process may exit unexpectedly or produce inconsistent runtime behavior during editing.

Workaround:
NA

Fix:
The issue had been addressed with a fix

1996585 : CVE-2022-2816 vim: out-of-bounds read in check_vim9_unlet() at src/vim9cmds.c

Component: F5OS-A

Symptoms:
An out-of-bounds read vulnerability was found in Vim in the check_vim9_unlet function in the vim9cmds.c file. This issue occurs because of invalid memory access when compiling the unlet command when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the out-of-bounds read, causing the application to crash, possibly executing code and corrupting memory.

Conditions:
vim prior to 9.0.0211

Impact:
May trigger an out-of-bounds read

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1996529 : CVE-2022-2210 vim: out-of-bound write in function ml_append_int

Component: F5OS-A

Symptoms:
Out-of-bounds Write in GitHub repository vim/vim prior to 8.2.

Conditions:
vim prior to 8.2

Impact:
Could trigger an out-of-bounds write

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1996329 : CVE-2022-2580 vim: Out-of-bounds Read in vim

Component: F5OS-A

Symptoms:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.

Conditions:
vim prior to 9.0.0102

Impact:
May trigger a heap buffer overflow

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is fixed in vim-minimal-2:9.1

1996193 : CVE-2022-2285 vim: integer overflow in del_typebuf() at getchar.c

Component: F5OS-A

Symptoms:
Integer Overflow or Wraparound in GitHub repository vim/vim prior to 9.0.

Conditions:
vim prior to 9.0.

Impact:
May trigger an integer overflow or wraparound

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995929 : CVE-2023-0433 vim: reading past the end of a line when formatting text

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.

Conditions:
NA

Impact:
Users may experience unexpected program termination or inconsistent runtime behavior when performing specific input processing or editing operations under certain conditions.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1995773 : CVE-2022-3256 vim: use-after-free in movemark() at mark.c

Component: F5OS-A

Symptoms:
A heap use-after-free vulnerability was found in vim's movemark() function of the src/mark.c file. This issue occurs because vim uses freed memory when 'autocmd' changes the mark. This flaw allows an attacker to trick a user into opening a specially crafted file, triggering a heap use-after-free that causes an application to crash, possibly executing code and corrupting memory.

Conditions:
NA

Impact:
Users may observe unexpected termination of the application, or internal memory inconsistencies, which under certain conditions could lead to unpredictable behavior beyond the editing session

Workaround:
NA

Fix:
The issue had been addressed with a fix

1995661 : CVE-2023-0512 vim: divide by zero in adjust_skipcol() at move.ca

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.1225.

Conditions:
NA

Impact:
Users may encounter unexpected program termination when window width becomes very narrow under certain input conditions.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1995613 : CVE-2022-2207 vim: heap-based buffer overflow in function ins_bs

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Conditions:
vim prior to 8.2.

Impact:
May result in a heap-based buffer overflow

Workaround:
Do not open untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995465 : CVE-2022-2889 vim: use-after-free in find_var_also_in_script() in evalvars.c

Component: F5OS-A

Symptoms:
A use-after-free vulnerability was found in Vim in the find_var_also_in_script function in the evalvars.c file. This issue occurs because an already freed memory is used when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the use-after-free, causing the application to crash, possibly executing code and corrupting memory.

Conditions:
NA

Impact:
Users may observe unexpected termination of the process

Workaround:
NA

Fix:
The issue has been adressed by improving internal memory handling for specific input conditions

1995445 : CVE-2022-2287 vim: out of bounds read in suggest_trie_walk() at spellsuggest.c

Component: F5OS-A

Symptoms:
Out-of-bounds Read in GitHub repository vim/vim prior to 9.0.

Conditions:
vim prior to 9.0

Impact:
May trigger an out-of-bounds read

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995353 : CVE-2022-2581: vim: Out-of-bounds Read in vim src/regexp.c

Component: F5OS-A

Symptoms:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.

Conditions:
vim prior to 9.0.0104

Impact:
May trigger a heap buffer overflow

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995349 : CVE-2022-2571 vim: Heap-based Buffer Overflow in vim

Component: F5OS-A

Symptoms:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.

Conditions:
vim prior to 9.0.0101

Impact:
May trigger a heap buffer overflow

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1995341 : CVE-2022-3352 vim: use after free

Component: F5OS-A

Symptoms:
Use After Free in GitHub repository vim/vim prior to 9.0.0614.

Conditions:
NA

Impact:
Users may observe unexpected termination of vim or internal memory inconsistencies during buffer operations.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1995337 : CVE-2020-28851 golang.org/x/text: Panic in language.ParseAcceptLanguage while parsing -u- extension

Component: F5OS-A

Symptoms:
A flaw was found in golang.org. In x/text, an "index out of range" panic occurs in language.ParseAcceptLanguage while parsing the -u- extension.

Conditions:
NA

Impact:
may cause a panic with "index out of range"

Workaround:
NA

Fix:
We are not using the package

1995157 : CVE-2022-2182 vim Heap-based Buffer Overflow

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Conditions:
vim prior to 8.2.

Impact:
Could lead to a heap-based buffer overflow

Workaround:
Avoid opening files from untrusted sources

Fix:
This issue is addressed in vim-minimal-2:9.1

1995097 : CVE-2022-2125 vim Heap-based Buffer Overflow

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 8.2.

Conditions:
A vulnerable version of vim (prior to 8.2)

Impact:
Could result in a heap-based buffer overflow

Workaround:
Avoid opening untrusted or unknown files with vulnerable versions of vim.

Fix:
The issue is resolved in vim-minimal-2:9.1

1995077 : CVE-2022-2601 grub2: Buffer overflow in grub_font_construct_glyph() can lead to out-of-bound write and possible secure boot bypass

Component: F5OS-A

Symptoms:
A flaw was found where a maliciously crafted pf2 font could lead to an out-of-bounds write in grub2. A successful attack can lead to memory corruption and secure boot circumvention.

Conditions:
NA

Impact:
May trigger an out-of-bounds write

Workaround:
Avoid using untrusted or unknown pf2 font files

Fix:
Resolved by upgrading grub

1995037 : CVE-2022-3705 vim: a use after free in the function qf_update_buffernt

Component: F5OS-A

Symptoms:
A use-after-free vulnerability was found in Vim in the find_var_also_in_script function in the evalvars.c file. This issue occurs because an already freed memory is used when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the use-after-free, causing the application to crash, possibly executing code and corrupting memory.

Conditions:
NA

Impact:
Users may observe unexpected termination of vim or internal memory inconsistencies during quickfix buffer operations.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1994969 : CVE-2022-2946 vim-minimal-7.4.629-6.el7.x86_64.rpm: Use After Free in GitHub repository vim/vim prior to 9.0.0246

Component: F5OS-A

Symptoms:
A flaw was found in vim, where it is vulnerable to a use-after-free in the vim_vsnprintf_typval function. This flaw allows a specially crafted file to crash a program, use unexpected values, or execute code.

Conditions:
This issue can manifest when vim is used in workflows that handle dynamic input evaluation or formatted string operations.

Impact:
Users might see vim exit unexpectedly or behave inconsistently in those workflows.

Workaround:
NA

Fix:
The issue has been adressed

1994953 : CVE-2022-2284 vim: out of bounds read in utfc_ptr2len() at mbyte.c

Component: F5OS-A

Symptoms:
Heap-based Buffer Overflow in GitHub repository vim/vim prior to 9.0.

Conditions:
vim prior to 9.0.

Impact:
May trigger a heap-based buffer overflow

Workaround:
Do not open untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1994929 : CVE-2022-2819 vim: heap buffer overflow in compile_lock_unlock() at src/vim9cmds.c

Component: F5OS-A

Symptoms:
A flaw was found in vim. The vulnerability occurs due to illegal memory access and leads to a heap buffer overflow vulnerability. This flaw allows an attacker to input a specially crafted file, leading to a crash or code execution.

Conditions:
vim prior to 9.0.0210

Impact:
A specially crafted input file may trigger a heap buffer overflow.

Workaround:
Avoid opening untrusted or unknown files

Fix:
This issue is resolved in vim-minimal-2:9.1

1994669 : CVE-2023-0051 vim: heap-based buffer overflow in msg_puts_printf() in message.c

Component: F5OS-A

Symptoms:
A heap-based buffer overflow was found in Vim in the msg_puts_printf function in the message.c file. The issue occurs because of an invalid memory access when calculating the length of a string when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file into triggering the heap-based buffer overflow, causing the application to crash.

Conditions:
NA

Impact:
Users may observe unexpected termination of vim or memory inconsistencies during message formatting operations.

Workaround:
https://access.redhat.com/security/cve/cve-2023-0051

Fix:
This issue has been addressed with a fix

1994593 : CVE-2020-14363 - libX11: Integer overflow leading to double-free in locale handling

Component: F5OS-A

Symptoms:
An integer overflow vulnerability leading to a double-free was found in libX11. This flaw allows a local privileged attacker to cause an application compiled with libX11 to crash, or in some cases, result in arbitrary code execution. The highest threat from this flaw is to confidentiality, integrity as well as system availability.

Conditions:
The application must be compiled with libX11 using a vulnerable version (prior to 1.6.12)

Impact:
May result in a double-free condition, potentially causing the application to crash or, in some cases, leading to arbitrary code execution.

Workaround:
NA

Fix:
LibX11 has been removed, as it was unused

1994517 : CVE-2022-2126 vim: out of bounds read in suggest_trie_walk()

Component: F5OS-A

Symptoms:
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.

Conditions:
vim prior to 8.2

Impact:
Could lead to an out-of-bounds read

Workaround:
Do not open untrusted or unknown files

Fix:
This issue is fixed in vim-minimal-2:9.1

1994465 : CVE-2022-2862 vim: heap use-after-free in generate_PCALL() at src/vim9instr.c

Component: F5OS-A

Symptoms:
Use After Free in GitHub repository vim/vim prior to 9.0.0221.

Conditions:
vim prior to 9.0.0221.

Impact:
Successful exploitation may trigger a use-after-free condition

Workaround:
Do not open untrusted or unknown files

Fix:
This issue is addressed in vim-minimal-2:9.1

1994449 : CVE-2023-0054 vim-minimal-7.4.629-6.el7.x86_64.rpm: Out-of-bounds Write in GitHub repository vim/vim prior to 9.0.1145.

Component: F5OS-A

Symptoms:
An out-of-bounds write flaw was found in Vim, in the do_string_sub function in the eval.c file. The issue occurs because of an invalid memory access due to a missing check of the return value of the vim_regsub function when a specially crafted input is processed. This flaw allows an attacker who can trick a user into opening a specially crafted file to trigger the out-of-bounds write, causing the application to crash.

Conditions:
NA

Impact:
Users may experience unexpected termination of vim or internal inconsistencies during substitution operations.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1988997-3 : Tenant experiences master key decrypt error after F5OS api-svc-gateway restart

Component: F5OS-A

Symptoms:
After the F5OS API service gateway (api-svc-gateway) restarts, tenants may experience SecureVault errors while attempting to decrypt the master key. The tenant will be inoperative.

Logs similar to the following will be present in F5OS:

api-svc-gateway[13]: nodename=blade-2(p3) priority="Err" version=1.0 msgid=0x5803000000000011 msg="Crypto key installation failed:" ERRNOSTR="Lost connection to ConfD" LASTERR="EOF on socket to ConfD" ERRNO=45
api-svc-gateway[13]: nodename=blade-2(p3) priority="Err" version=1.0 msgid=0x5804000000000027 msg="No unit key was found in confd for tenant" TENANT="tenant1"

Logs similar to the following in the tenant:
err mcpd[5803]: 010713d0:3: Symmetric Unit Key decrypt failure - decrypt failure
notice mcpd[5803]: 01071029:5: Symmetric Unit Key decrypt
notice mcpd[5803]: 01071027:5: Master key OpenSSL error: 4007094004:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:664:

Conditions:
Issue is observed rarely when there is a recent restart (or power-cycle) of the system (specifically after a restart of the F5OS api-svc-gateway container).

Impact:
Unable to access tenants. Tenant restarts.

Workaround:
Restart the API service gateway and ensure it does not log errors while retrieving the tenant unit keys.
If the problem persists, restart the tenants.
If the problem continues to persist after number of tenant restarts, deploy new tenant and load UCS.

1976761-1 : System primary key is recreated when there is an error reading it from the hardware TPM

Links to More Info: BT1976761

Component: F5OS-A

Symptoms:
On F5OS appliances, if there is an error reading from the hardware TPM at some point, the system primary key is recreated but the ConfD database is not re-encrypted. When the system restarts at some point in the future, F5OS will be unable to decrypt the encrypted parts of the ConfD database, and will be unable to start up properly.

When the TPM read error happens, the following message is logged in the platform.log file:

"tpm has no data, writing new key"

However, the administrator will not notice a problem until the system is restarted. The restart could happen a significant time after the rewrite, and the above message may no longer be in the platform.log file.

After the restart, "Key header check failed" errors will be logged by the api-svc-gateway and orchestration-agent components. Note that these messages alone are not a definite indicator that the primary key was rewritten, as other issues can cause them to occur.

Conditions:
-- rSeries appliance
-- The system has been restarted after F5OS encounters an error when reading from the TPM.

Impact:
After the restart, the system is unusable and needs to be recreated.

Workaround:
None

1975309-1 : Logging from PAM modules only seen for SSH authentication, and not GUI/API authentication

Links to More Info: BT1975309

Component: F5OS-A

Symptoms:
Logging from PAM modules (e.g. pam_unix, pam_radius_auth, or pam_unix) is only captured in system logs when a user attempts to authenticate via SSH; no such logging occurs when authenticating via the F5OS GUI or API.

Conditions:
- F5OS system
- Attempting to troubleshoot issues related to authentication

Impact:
PAM module log messages are not logged anywhere.

The system does generate authentication success/failure messages that are captured in the audit.log, e.g.:

audit-service[12]: priority="Notice" version=1.0 msgid=0x1f03000000000012 msg="User authentication failed" reason="Invalid login attempt, user-id/password is incorrect" failcount=8 user="otters".

Workaround:
When troubleshooting authentication issues, attempt to log in via SSH. PAM modules will generate log messages that are captured in /var/log/secure and the systemd journal.

1975273-4 : RADIUS remote authentication specifying IPv6 server addresses does not work

Links to More Info: BT1975273

Component: F5OS-A

Symptoms:
F5OS does not send RADIUS Access-Request messages to a server specified as an IPv6 address. No messages are transmitted at all.

When attempting authentication against SSH, log messages similar to the following are in /var/log/secure:

sshd[30736]: pam_radius_auth: Failed looking up IP address for RADIUS server [2001:db8::1] (errcode=9)

Conditions:
F5OS remote authentication configured with a server defined by IPv6 address.

Impact:
F5OS remote authentication does not work.

Workaround:
Reference the RADIUS server by DNS hostname rather than IP address.

Important: The DNS hostname should only only resolve to IPv6 addresses, and not also be associated with an IPv4 address; for more information, refer to ID1975245: https://cdn.f5.com/product/bugtracker/ID1975245.html

1975245-1 : In IPv6-only environment, remote authentication using RADIUS server by hostname may not work

Links to More Info: BT1975245

Component: F5OS-A

Symptoms:
F5OS remote authentication does not work. Administrator can observe F5OS performing DNS resolution of the configured RADIUS server, but F5OS never transmits RADIUS Access-Request packets to the server.

Conditions:
- F5OS host is configured with only an IPv6 management IP address.
- RADIUS remote authentication configured with a RADIUS server specified via hostname.
- RADIUS server hostname has both IPv4 and IPv6 addresses (i.e. both A and AAAA records in DNS)

Impact:
Remote authentication does not work.

Workaround:
Create a separate hostname for the RADIUS server that only resolves to an IPv6 address.

1972357-3 : BIG-IP Tenant's VM will be patched/relaunched everytime after system reboot/upgrade/failover/TPOB restart

Links to More Info: BT1972357

Component: F5OS-A

Symptoms:
After upgrading from F5OS v1.6.1/1.7.0 to v1.8.x, tenant VMs were being unnecessarily patched and recreated, VM patches also not being properly applied.

Conditions:
- System upgraded from F5OS-C v1.6.1 or v1.7.0 to v1.8.x.
- System reboot, failover, or TPOB restart occurs.

Impact:
Tenant VMs were being unnecessarily patched and relaunched after every reboot.

Workaround:
None. Recommended to upgrade to F5OS-C v1.8.3 which includes this fix.

Fix:
These changes prevent unnecessary VM patching and recreation after system upgrades, reboots, or TPOB restarts while ensuring legitimate patches are properly applied.

1968289-3 : Confd.smp memory consumption spikes high with snmpEnableAuthenTraps enabled

Links to More Info: BT1968289

Component: F5OS-A

Symptoms:
When config-restore is performed on a RMA system, with the configuration of SNMPv3 users and targets and snmpEnableAuthenTraps enabled, observed confd.smp process memory spikes increase and causes OOM after system reboot.

Conditions:
Restoring the configuration onto an RMA replacement system.

Impact:
Confd's RSS memory begins to grow rapidly and causes restart of ConfD process.

Workaround:
The available workarounds,

1. After performing config-restore on a RMA system, disable snmpEnableAuthenTraps

2. Reset all SNMPv3 users and passwords right after performing config-restore.

Fix:
Disabling snmpEnableAuthenTraps when the engine-id of the database backup and the system engine-id. This will prevent confd.smp process memory hike in case of any sudden reboot of the system.

User can reconfigure the snmpEnableAuthenTraps after reseting the SNMPv3 users authentication and privacy password.

1962741-2 : CVE-2023-31436: kernel: out-of-bounds write in qfq_change_class function

Links to More Info: K000152785

1959845-4 : CVE-2022-48340: glusterfs: heap use-after-free in dht_setxattr_mds_cbk() in dht-common.c

Component: F5OS-A

Symptoms:
A flaw was found in Gluster, where GlusterFS is vulnerable to a denial of service caused by an xlators/cluster/dht/src/dht-common.c dht_setxattr_mds_cbk use-after-free. By sending a specially-crafted request, a remote attacker can cause a denial of service.

Conditions:
NA

Impact:
Clients may experience service interruption or unexpected termination of GlusterFS in certain operating scenarios.

Workaround:
NA

Fix:
This issue has been addressed with a fix

1959817-1 : Qkview-collect crashes while collecting a QKView

Component: F5OS-A

Symptoms:
Qkview-collect may crash when collecting a QKView.

Conditions:
This happens intermittently when collecting a QKView.

Impact:
Unable to collect a QKView.

Workaround:
None

1953653-3 : cve-2022-27406: Freetype: Segmentation violation via FT_Request_Size

Links to More Info: K000141126, BT1953653

1934005-1 : Infrequent and uneven traffic to front panel LAGs can lead to premature aging of L2 events

Links to More Info: BT1934005

Component: F5OS-A

Symptoms:
For front panel LAGs on rSeries which span FPGAs (1.0/11.0, 2.0/12.0, etc) infrequent traffic which is not evenly distributed across the LAG members can lead to premature aging of L2 entries.

Conditions:
- r10000 or r12000-series appliance
- LAG members spanning FPGAs and minimal incoming traffic on the LAG can cause premature aging of L2 entries when the traffic isn't evenly distributed among LAG members.

Impact:
Missing L2 entries can cause excessive DLFs until the MAC address is re-learned.

Workaround:
Re-configure the LAG members such that they connect to the same FPGA (1.0/2.0, 11.0/12.0). Interfaces 1.0 through 10.0 are on one FPGA, and interfaces 11.0 through 20.0 are on the other FPGA.

Fix:
Ensure L2 age events are handled for all LAG members.

1933645-1 : GUI immediately logs user off with "User Session Terminated" error and "validator" process cores

Links to More Info: BT1933645

Component: F5OS-A

Symptoms:
After logging into the device, the GUI immediately reports "User Session Terminated. You will be logged out of the application."

Core files generated from the "validator" process in the confd container (system_manager, vcc-confd, or partition<X>_manager).

Conditions:
Trying to login to the GUI, and the "limited" group is missing from /etc/group.

The "limited" group is an internal role that should always be defined and cannot be deleted by a user. The most likely reason for it to be missing is https://cdn.f5.com/product/bugtracker/ID1858617.html

Impact:
Users are not able to access the GUI.

Workaround:
Apply a workaround for https://cdn.f5.com/product/bugtracker/ID1858617.html

Fix:
Even if the "limited" group goes missing, users should still be able to access the GUI.

1929309 : CVE-2019-14834-Dnsmasq vulnerability

Links to More Info: K000152048, BT1929309

1928829-3 : Egress traffic is being dropped by upstream switch following a reboot of rSeries.

Links to More Info: BT1928829

Component: F5OS-A

Symptoms:
Intermittently observed egress packets sent from the rSeries device through a specific port are discarded by the adjacent device.

Conditions:
- r5000, r10000, or r12000-series appliance
- Intermittently occurs when a link is brought up during boot, for instance after multiple reboot attempts.

Impact:
Traffic on the affected port is completely dropped when the system comes up after a reboot. This includes the failure of all Layer 2 (L2) protocols, such as LACP, STP, and LLDP, along with tenant traffic.

Workaround:
An additional reboot helps to recover the system.

1926585-1 : High memory utilization by NetworkManager★

Links to More Info: BT1926585

Component: F5OS-A

Symptoms:
After a VELOS system controller, blade, or rSeries appliance has been running for several hundred days, the NetworkManager service may start leaking memory. This will eventually result in system instability including a failover between system controllers, or instability to tenants.

Log messages similar to the following occurring in /var/log/messages or the systemd journal:

controller-2.chassis.local NetworkManager[180091]: gsignal.c:2642: instance '0x564069a2be40' has no handler with id '34120'

Prior to these log messages being generated, there is no way to tell if the issue is close to occurring.

Conditions:
The NetworkManager service has been running for a substantial period of time (i.e. more than 500 days).

Impact:
NetworkManager service utilizes high memory in the system, which leads to controller failover.

Workaround:
Restart NetworkManager by logging in to the appropriate device as root (system controller, blade, or appliance) and running the command "systemctl restart NetworkManager".

1926489-1 : L2 Port motion events are not generated for certain port combinations on r10k.

Links to More Info: BT1926489

Component: F5OS-A

Symptoms:
Missing port-motion events between interfaces on r10k platform can result in missing L2 entries.

Conditions:
Port-motion between the following sets of ports on the r10k appliance:

1.0, 11.0, 12.0
2.0, 11.0, 12.0
11.0, 1.0, 2.0
12.0, 1.0, 2.0

3.0, 13.0, 17.0
7.0, 13.0, 17.0
13.0, 3.0, 7.0
17.0, 3.0, 7.0

4.0, 14.0, 18.0
8.0, 14.0, 18.0
14.0, 4.0, 8.0
18.0, 4.0, 8.0

5.0, 15.0, 19.0
9.0, 15.0, 19.0
15.0, 5.0, 9.0
19.0, 5.0, 9.0

6.0, 16.0, 20.0
10.0, 16.0, 20.0
16.0, 6.0, 10.0
20.0, 6.0, 10.0

Impact:
Missing port-motion causes missing L2 entries, resulting in excessive DLFs.

Workaround:
Ensure that ports used in redundancy configurations are not in the same set of affected ports listed above.

Fix:
Configure the L2 FDB table so port-motion is detected between the affected sets of ports.

1891301-3 : CVE 2020-27743: pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes().

Component: F5OS-A

Symptoms:
libtac in pam_tacplus through 1.5.1 lacks a check for a failure of RAND_bytes()/RAND_pseudo_bytes(). This could lead to use of a non-random/predictable session_id.

Conditions:
The current version pam_tacplus from version 1.6.0 doesn't have the fix as this was added in version 1.6.1 source package.

Impact:
This could lead to use of a non-random/predictable session_id which means an adversary could gain access.

Workaround:
N/A

Fix:
By updating the pam_tacplus source code to 1.7.0 where the vulnerability was fixed in 1.6.1, the new code does not have this issue.

1890297-2 : Memory leak in l2_agent daemon on F5OS

Links to More Info: BT1890297

Component: F5OS-A

Symptoms:
- Large memory consumption by the l2_agent.
- Tenant disruption on F5 rSeries appliance.

Conditions:
- An F5OS system with SNMP configured and a LAG (Link Aggregation Group) with more than 1 member.

- SNMP monitoring in use.

We can check the l2_agent memory consumption by using `top` command.

Ex: Top output showed a 15GB l2_agent process:

   PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
19454 root 20 0 17.3g 14.9g 1788 S 0.0 5.9 174:04.57 /confd/bin/l2_agent -s appliance-1

Impact:
Eventually the system experience OOM (Out of Memory).

On an F5 rSeries appliance, a tenant might experience disruptions and slowness, up to and including a TMM SIGABRT core.

Workaround:
None.

Fix:
The l2_agent process no longer leaks memory.

1858617-2 : Users unable to login after reboot with LDAP group configured★

Links to More Info: BT1858617

Component: F5OS-A

Symptoms:
- CLI/GUI access for all roles other than admin and root is denied

- The GUI permit user authentication and then immediately terminate the session; for more information, refer to https://cdn.f5.com/product/bugtracker/ID1933645.html.

- Repeated log messages from user-manager in platform.log / velos.log with an error of "Lost connection to ConfD" / "Socket to ConfD is closed":

user-manager[17]: priority="Err" version=1.0 msgid=0x6802000000000001 msg="cdb_get failed for" ATTRIBUTE="rolename" ERRNOSTR="Lost connection to ConfD" LASTERR="Socket to ConfD is closed" ERRNO=45.

Conditions:
- LDAP system authentication is enabled
- A LDAP group is defined for a role in the system
- Queries to the LDAP server take a long time, for example due to connection timeouts or LDAP referral chasing.

This issue can also occur when the system is rebooted if user-manager tries to perform LDAP queries before the management network is accessible.

Impact:
Users with roles other than admin and root cannot login using CLI or GUI

Workaround:
1. Restart the appropriate user-manager container (system_user_manager on rSeries appliances, controller-userman for VELOS system controllers, and partition<ID>_user_manager for VELOS partitions)

2. Disable LDAP system authentication or remove the LDAP group definitions, and then restart the user-manager container. This will restore connectivity for locally-defined users.

Fix:
Fix users unable to login after reboot with LDAP group configured

1857245-1 : CVE-2025-22869 - SSH file-transfer servers vulnerable to Denial of Service via slow key exchange

Component: F5OS-A

Symptoms:
A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.

Conditions:
The SSH server implementation must support file transfer protocols over golang.org/x/crypto/ssh < 0.35.0

Impact:
DoS: the server’s memory or other resources may be exhausted, making it unavailable to legitimate users.

Workaround:
NA

Fix:
The vulnerability is fixed in golang.org/x/crypto/ssh v0.35.0 and above.

1857197-2 : CVE-2025-22869 - SSH file-transfer servers vulnerable to Denial of Service via slow key exchange

Component: F5OS-A

Symptoms:
A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.

Conditions:
The SSH server implementation must support file transfer protocols over golang.org/x/crypto/ssh < 0.35.0

Impact:
DoS: the server’s memory or other resources may be exhausted, making it unavailable to legitimate users.

Workaround:
NA

Fix:
The vulnerability is fixed in golang.org/x/crypto/ssh v0.35.0 and above.

1857077-1 : CVE-2025-22869 - SSH file-transfer servers vulnerable to Denial of Service via slow key exchange

Component: F5OS-A

Symptoms:
A flaw was found in the golang.org/x/crypto/ssh package. SSH clients and servers are vulnerable to increased resource consumption, possibly leading to memory exhaustion and a DoS. This can occur during key exchange when the other party is slow to respond during key exchange.

Conditions:
The SSH server implementation must support file transfer protocols over golang.org/x/crypto/ssh < 0.35.0

Impact:
DoS: the server’s memory or other resources may be exhausted, making it unavailable to legitimate users.

Workaround:
NA

Fix:
The vulnerability is fixed in golang.org/x/crypto/ssh v0.35.0 and above.

1857001-1 : CVE-2025-27152: axios vulnerability

Component: F5OS-A

Symptoms:
When passing absolute URLs to axios, even if ⁠baseURL is set, axios sends the request to the specified absolute URL, potentially causing SSRF and credential leakage.

Conditions:
When passing absolute URLs to axios.

Impact:
Affected code is in our product but cannot be exploited in any normal configuration

Workaround:
N/A

Fix:
Upgraded axios to a non-vulnerable version.

1824213-4 : CVE-2025-0395: glibc: buffer overflow in the GNU C Library's assert()

Links to More Info: K000151474

1814053-3 : Orchestration Agent process may core

Links to More Info: K000151718, BT1814053

1814045-3 : Daemons that handle ZMQ messages may crash under certain conditions.

Links to More Info: K000151718, BT1814045

1813929 : Insufficient memory on node, retrying tenant deployment★

Links to More Info: BT1813929

Component: F5OS-A

Symptoms:
A tenant fails to deploy.

The output of the 'show tenant' command:
INSTANCE TENANT CREATION READY MGMT
NODE POD NAME ID SLOT PHASE TIME TIME STATUS MAC
------------------------------------------------------------------------------------------------------------------------------
1 tenant-1 1 1 Insufficient memory on node, retrying tenant deployment -


Errors in platform.log:
2024-12-21T16:19:02.370251+08:00 TENANT-1 orchestration-agent[7]: priority="Err" version=1.0 msgid=0x506000000000042 msg="Failed to allocate memory for tenant" TENANT="tenant-1" node=1.
2024-12-21T16:19:35.547187+08:00 TENANT-1 orchestration-agent[7]: priority="Err" version=1.0 msgid=0x507000000000004 msg="Unable to fetch VFs pci address from filesystem".
2024-12-21T16:19:40.757952+08:00 TENANT-1 orchestration-agent[7]: priority="Info" version=1.0 msgid=0x507000000000006 msg="SR-IOV DP pod is at running/ready state, able to access VFs".
2024-12-21T16:20:12.814467+08:00 TENANT-1 orchestration-agent[7]: priority="Err" version=1.0 msgid=0x506000000000040 msg="Timeout waiting for response from NodeAgent" TENANT="tenant-1" NODE=1.
2024-12-21T16:20:12.814506+08:00 TENANT-1 orchestration-agent[7]: priority="Err" version=1.0 msgid=0x506000000000042 msg="Failed to allocate memory for tenant" TENANT="tenant-1" node=1.

Conditions:
Exact conditions are unknown. It has been observed after upgrading from F5OS 1.5.2 to 1.8.0.

Impact:
Tenants will not start. The GUI reports "Insufficient memory on node, retrying tenant deployment".

Workaround:
None

1812541-1 : DDM system alarms triggered when interface is disabled

Links to More Info: K000150155, BT1812541

Component: F5OS-A

Symptoms:
Running 'show system alarms' reports "Portgroup <N> ERROR Lanes: 1 Transmitter power low alarm"

Conditions:
Disabling an interface locally

Impact:
Transmitter power low and transmitter bias low alarms occur.

Workaround:
To clear the alarms, workaround provided in article K000150155 can be followed.

1812497-4 : Restoring a backup with an SNMP user on a system with a different SNMP Engine ID will duplicate the SNMP user

Links to More Info: BT1812497

Component: F5OS-A

Symptoms:
If you restore a backup containing an SNMP user, but the SNMP user’s SNMP Engine ID does not match the current system, a new SNMP user will be created with the same name and the current system’s SNMP Engine ID. However, this is only seen when the database is later backed up.

Conditions:
-- Restoring a database backup that contains an SNMP user.
-- Doing the restore on a system with a different SNMP Engine ID.

Impact:
Two SNMP users with the same name (but different SNMP Engine IDs) are saved to subsequent backups. SNMP will not work.

Workaround:
Reconfigure the SNMP user authentication and privacy passwords after restoring the backup. SNMP will work after configuring passwords.

Fix:
When backup is restored on a system with a different EngineID, SNMP might not work for SNMP users. However, it can be mitigated by reconfiguring the SNMP user authentication and privacy passwords after restoring the backup.

1789141-3 : If 'ldap-group is configured for a role but LDAP search fails, users with the default GID for the role can still get those privileges

Component: F5OS-A

Symptoms:
When an 'ldap-group' mapping is configured for a F5OS role, and the mapping fails (because the filter is invalid or the LDAP query of remote groups fails for some other reason), the default mapping for the role (or, what is configured in 'remote-gid' for the role) is still used.

For example, if you were attempting to map the F5OS role 'admin' (default GID 9000) to an LDAP group 'CN=my-ldapgroup', and the LDAP search for that group failed (because the provided filter was invalid, the group does not exist, etc.), users with GID 9000 would still be able to authenticate and login with 'admin' privileges.

Conditions:
1. LDAP authentication is enabled.
2. A role mapping is applied via the 'ldap-group' configuration for a F5OS role.
3. The provided 'ldap-group' filter is invalid or another unexpected issue is encountered when querying the LDAP server.

Impact:
Users can login with privileges in excess of what one might expect given the system configuration.

Workaround:
If the LDAP group/users have Posix attributes ('gidNumber'), it is possible to map the F5OS role using this GID number by specifying it in the 'remote-gid' configuration under the role.

If this is not feasible, it is possible to directly validate the 'ldap-group' mapping was successful by inspecting this file from a bash shell:

[root@appliance-1(test):Active] ~ # cat /etc/ldap-gid-map.txt
1108:=9000

If there is an entry that has the default GID for the role on the right-hand side of ':=' in this file, it means the mapping was applied successfully and users with the default or 'remote-gid' GID will not be able to obtain the role permissions. If such an entry is missing, you will need to fix the 'ldap-group' filter so an LDAP query of the group can be successful.

Fix:
If a configured 'ldap-group' mapping fails, deny all role-based access for the mapped role until it is fixed or de-configured.

1789117-2 : SNMP bulk queries for LAGs on VELOS might return incomplete information

Links to More Info: BT1789117

Component: F5OS-A

Symptoms:
SNMP queries for interface statistics for a LAG might return incomplete information

Conditions:
- VELOS partition
- Querying SNMP for LAGs
- The LAG contains multiple members
- The SNMP client is issuing bulk SNMP queries
- The SNMP client queries for the first member of the LAG, skips another member of the LAG, and then queries information for the LAG

Impact:
The SNMP statistics reported by the VELOS system could possibly return incomplete information (failing to include statistics from one or more of the members of the LAG).

Workaround:
None

Fix:
The system will now correctly report SNMP statistics for LAGs.

1783685-1 : ATSE Datapath lockup on HBM calibration issue

Links to More Info: BT1783685

Component: F5OS-A

Symptoms:
Datapath lockup in the ATSE FPGA. Can be seen at startup with no traffic received at the host, or some time after startup with packet framing errors.

This can also show up as a transmit packet path lockup because health check loopback packets can back up into the transmit datapath and block it.

Conditions:
No known conditions.

Impact:
The impact is no packets can get from the network to host for processing.

Workaround:
The datapath lockup requires a reload of the ATSE FPGA. Reload typically done by rebooting the system.

This issue has been fixed in ATSE bitfiles v72.5.8.00 and v72.41.8.0 and all newer bitfiles.

Fix:
The issue is an FPGA memory reset procedure. The HBM memory inside the ATSE FPGA has a very specific bringup procedure. There was an issue with the initial implementation of that procedure.

1782925-4 : Active Directory LDAP integration without uidNumber/gidNumber does not work after system reboot

Links to More Info: BT1782925

Component: F5OS-A

Symptoms:
After an rSeries appliance reboot, Active Directory LDAP authentication configured with "Unix Attributes" set to false does not work and users from Active Directory are unable to authenticate with the F5OS system.

There will be messages similar to the following logged in platform.log shortly after the reboot:

authd[8]: priority="Err" version=1.0 msgid=0x3901000000000101 msg="LDAP API error during : -" oper="SASL bind" code=-1 msg="Can't contact LDAP server".
authd[8]: priority="Warn" version=1.0 msgid=0x3901000000000098 msg="Unable to retrieve domain Sid for supplied servers and domains; server will be treated as if it has unix attributes present.".

Conditions:
- F5OS device configured with Active Directory LDAP authentication, and the "Unix Attributes" setting configured as false.
- System reboots

Impact:
LDAP remote authentication does not work.

Workaround:
To workaround this issue on an rSeries appliance, create a cron task to restart the system_user_manager and authentication-mgr docker containers after a system reboot:

1. Log into the system as root and create /etc/cron.d/ldap-post-reboot with these contents (not including the '==='):
===
# Workaround for post-reboot issue with LDAP auth (ID1782925)
#
# In the the first five minutes after the system reboots, assume the first
# instance of the following log message that we see is a result of the management
# port lack of connectivity when the docker containers start up, and restart both
# system_user_manager and authentication-mgr once.
#
# authd[8]: priority="Err" version=1.0 msgid=0x3901000000000101 msg="LDAP API error during : -" oper="SASL bind" code=-1 msg="Can't contact LDAP server".

@reboot root timeout 5m sh -c 'tail -n0 -F /var/F5/system/log/platform.log | grep -a -m1 authd.*0x3901000000000101 && sleep 20s && echo Restarting authd and user-manager && docker restart system_user_manager authentication-mgr' || echo "Timed out"
===

This mitigation may fail under some corner cases, e.g. potentially after an upgrade or if something goes wrong with the platform services such that they don't start up within the first five minutes after system boot. In those circumstances, log into the system as root and restart the system_user_manager and authentication-mgr containers:

    docker restart system_user_manager authentication-mgr

1782497-2 : CVE-2022-41723 - specially crafted HTTP/2 stream could cause excessive CPU usage in the HPACK decoder

Component: F5OS-A

Symptoms:
A malicious HTTP/2 stream can cause excessive CPU usage on the server, due to expensive HPACK decoding operations.

Conditions:
Golang < 1.19.6

Impact:
Denial of Service, availability is affected

Workaround:
NA

Fix:
The vulnerability is fixed in golang 1.20.0 and above.

1780721-1 : CVE-2022-41723 - specially crafted HTTP/2 stream could cause excessive CPU usage in the HPACK decoder

Component: F5OS-A

Symptoms:
A malicious HTTP/2 stream can cause excessive CPU usage on the server, due to expensive HPACK decoding operations.

Conditions:
Golang < 1.19.6

Impact:
Denial of Service, availability is affected

Workaround:
NA

Fix:
The vulnerability is fixed in golang 1.20.0 and above.

1780617-1 : CVE-2023-45288 - HTTP/2 endpoint excessive header reading via CONTINUATION frames

Links to More Info: K000148640

1779677-3 : Multiple docker containers can get assigned the same bridge IP during rolling upgrade

Links to More Info: BT1779677

Component: F5OS-A

Symptoms:
Multiple containers can get the same bridge IP during a rolling upgrade or docker restart

[root@controller-2 ~]# docker inspect controller-services-registry-2502 | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "100.64.0.2",
                    "IPAddress": "100.64.0.2",
[root@controller-2 ~]# docker inspect partition-services-registry-2202 | grep IPAddress
            "SecondaryIPAddresses": null,
            "IPAddress": "100.64.0.2",
                    "IPAddress": "100.64.0.2",

There's a race in IP address allocation in Docker.

Conditions:
When multiple containers start at the same time.

Impact:
This causes one of the two containers to answer requests depending on which container last refreshed the arp cache.
The other container does not work properly.

Workaround:
Reboot the system.

Fix:
Docker address allocator uses bit map to manage IP address pool but it's not thread safe.

Now, set/unset bitmap operations are protected by a lock.

1779289-6 : Error when creating a server-group name with an embedded space

Links to More Info: BT1779289

Component: F5OS-A

Symptoms:
An error log inside 'platform.log' for the rSeries systems or 'velos.log' in the VELOS systems when you configure a server-group name with an embedded space.

In velos.log on F5OS-C or platform.log on F5OS-A:

appliance-1 authd[8]: priority="Err" version=1.0 msgid=0x3901000000000109 msg="Failed to set element in cdb." path="/system/aaa/server-groups/server-group" error="Bad key "my server group" (wrong number of identifiers) at: /system/aaa/server-groups/server-group" errno="Exec format error".

Conditions:
Creating a server-group name with an embedded space.
Example: my server group

Impact:
The configuration change will not take an effect.

Workaround:
Remove all spaces from the server-group name. For example, if the server-group name with a space was 'my server group', you can rename it into 'my_server_group' and re-configure the rest of the values.


appliance-1(config)# system aaa server-groups server-group my_server_group config name my_server_group

appliance-1(config)#commit

Fix:
Avoid embedded spaces when you create server-group names.

1757617-1 : XBAR rate limit not updated when modifying LAG

Links to More Info: BT1757617

Component: F5OS-A

Symptoms:
Traffic performance may be degraded.

Conditions:
Add or remove a LAG member when the total speed is less than 100G.

Impact:
Degraded performance.

Workaround:
Disable and re-enable an interface.

1757461-1 : ConfD encryption key is recreated when there is an error reading it from the hardware TPM

Links to More Info: BT1757461

Component: F5OS-A

Symptoms:
F5OS stores the encryption key in the hardware TPM module. This is used to encrypt and decrypt sensitive data in the database, and is read at system startup and periodically during normal execution (during "key migrations"). If there is an issue reading the key from the TPM, a new key will be generated and store it in the TPM.

The problem is that the database is still encrypted using the old key, and as soon as the system restarts it will run into errors when attempting to decrypt using the new key.

Conditions:
Issue is observed intermittently when TPM module encounters ownership contention.

Impact:
System encryption key gets corrupted.

Workaround:
None

Fix:
The symptom causing the tpm ownership has been fixed and removed unnecessary ownership calls.

1754097-1 : rSeries ATSE v72.41.6.00 firmware

Links to More Info: BT1754097

Component: F5OS-A

Symptoms:
rSeries ATSE v72.41.6.00 firmware

Conditions:
rSeries r5000, r10000, or r12000-series appliance.

This update is not applicable to r2000 or r4000-series appliances.

Impact:
None

Workaround:
None

Fix:
Fixes ATSE receive lockup issue.

1753469-3 : Add notification to set-version when downgrading the system from F5OS-A/C-1.8.0

Links to More Info: BT1753469

Component: F5OS-A

Symptoms:
A downgrade to an earlier version of F5OS from F5OS-A/C 1.8.0 can leave the system inoperable. Refer to ID1712009 for more information.

Conditions:
Perform a config-restore or config reset-to-default operation to an earlier version of F5OS.

Impact:
A downgraded system may be inoperable.

Workaround:
Refer to ID1712009 for workaround.

Fix:
There is an issue with performing a config-restore after downgrading from F5OS-A/C 1.8.0 (ID1712009). If you intend to perform a config-restore or config reset-to-default operation, please refer to the F5OS-A/C 1.8.0 release notes for information on avoiding this issue.

1730833-1 : Tmm may egress broadcast traffic even when VLANs are disabled in F5OS

Links to More Info: BT1730833

Component: F5OS-A

Symptoms:
In certain scenarios such as restoring a UCS on an F5OS tenant, if the VLANs in F5OS are disabled, tmm may egress broadcast traffic such as gratuitous ARPs onto the disabled VLANs.

Conditions:
-- An F5OS tenant where VLANs were assigned and then removed.
-- An F5OS tenant where tmm is not in forced-offline mode.
-- An action occurs on the tenant (such as restoring a UCS or restarting tmm, or loading the config) that results in gratuitous ARPs.

Impact:
This could cause IP address conflicts on the network or other issues related to unexpected broadcast traffic such as gratuitous ARPs on the network.

Workaround:
- In F5OS, remove the affected VLANs from the LAG or interface.

- On the tenant use forced offline to prevent traffic egress.

- If you are restoring a UCS from another BIG-IP such as for a platform migration, put the source BIG-IP into forcedoffline state before taking the UCS.

- delete the tenant, and recreate without any VLANs assigned.

Fix:
A single tenant with a vlan that was configured and then removed via F5OS will no longer leak broadcast traffic onto the network on the removed vlan.

This fix does not address the issue when multiple tenants are attached to the same vlan. F5 has created ID1758957 for that issue.

1713485-1 : RSeries ATSE v72.5.6.00 firmware

Links to More Info: BT1713485

Component: F5OS-A

Symptoms:
RSeries ATSE v72.5.6.00 firmware

Conditions:
RSeries r5000, r10000, or r12000-series appliance.

This update is not applicable to r2000 or r4000-series appliances.

Impact:
NA

Workaround:
None

Fix:
Fixes ATSE receive lockup issue.

1713073-4 : F5OS rSeries spontaneous reboot after upgrade★

Links to More Info: K000148566, BT1713073

Component: F5OS-A

Symptoms:
After upgrading, the device reboots unexpectedly.

Pel logs have this signature:
11/05/2024 21:24:47 | 5753 | AOM | 255 | Network Access | 0 | CPU internal error event
11/05/2024 21:24:47 | 5754 | AOM | 255 | Network Access | 5 | ME PECI is not functional, resetting host
11/05/2024 21:24:47 | 5755 | AOM | 255 | Network Access | 5 | ... reason: 0xFF ME IPMI 'other error'
11/05/2024 21:24:47 | 5756 | AOM | 255 | Network Access | 6 | lop host reset event

Conditions:
-- rSeries 5xxx, 10xxx, 12xxx system
-- Upgrade to version 1.8.0 build 16036

Impact:
Spontaneous system restart could occur.

Workaround:
A BIOS change occurred in the F5OS 1.8.0 build 16036 upgrade that enables CMS ENABLE DRAM PM. Disabling it will mitigate this.

For instructions on how to perform this procedure, see K000148566: F5 rSeries systems may silently reboot after upgrading to F5OS-A 1.8.0 at https://my.f5.com/manage/s/article/K000148566.

Fix:
Fixes introduced in F5OS-A-1.8.0-17564.R5R10.EHF-1.iso

1709121-3 : Unable to create a tenant as the Network Manager start-up or failover may result in a looping process

Links to More Info: BT1709121

Component: F5OS-A

Symptoms:
While creating a new tenant, an error occurs:

"Failure for data/f5-tenants:tenants API. The server or an underlying service is unreachable."

The network-manager service seems to hang, or it might be in a restart loop.

In confd, the 'show system mac-allocation state' command indicates that no MAC addresses have been allocated.

$ show system mac-allocation state
system mac-allocation state free-single-macs 16
system mac-allocation state allocated-single-macs 0
system mac-allocation state free-large-blocks 2
system mac-allocation state allocated-large-blocks 0
system mac-allocation state free-medium-blocks 0
system mac-allocation state allocated-medium-blocks 0
system mac-allocation state free-small-blocks 0
system mac-allocation state allocated-small-blocks 0
system mac-allocation state total-free-mac-count 80
system mac-allocation state total-allocated-mac-count 0 <---
system mac-allocation state total-mac-count 80

Conditions:
This can occur with combinations of tenants using MAC blocks greater the size 1. The specific combinations are somewhat unpredictable.

Impact:
Tenants cannot be created.

Workaround:
None

Fix:
The code will be updated to prevent the hang condition.

1697237-2 : Partition volumes IMAGES, shared are not present in partition snmpwalk output. in hrStorageDescr in HOST-RESOURCES-MIB

Links to More Info: BT1697237

Component: F5OS-A

Symptoms:
SNMP get fails to display the HOST-RESOURCES-MIB details for the partition's volumes IMAGES.

Conditions:
Snmpwalk is performed on the Chassis Partition.

Impact:
HOST-RESOURCES-MIB information is not included in snmp get output.

Workaround:
None

Fix:
Corrected the regex used to collect the Partition's volumes image details.

1697197-1 : Memory leak in tcpdumpd_manager, when doing tenant's VLAN configuration change

Component: F5OS-A

Symptoms:
Observe memory leak in the tcpdumpd_manager, when doing tenant's VLAN configuration changes.

Conditions:
When Tcpdumpd_manager docker container is running, performing any kind of tenant's VLAN configuration changes will cause memory leak.

Impact:
Memory leak.

Workaround:
None.

1695549-2 : CVE-2024-23599: Race condition in Seamless Firmware Updates

Links to More Info: K000141500

1694481-3 : K3s token expiry causing tenant unresponsiveness

Links to More Info: BT1694481

Component: F5OS-A

Symptoms:
Expiry of service account token inside multus pod causes tenant startup to fail.

Tenant fails to deploy and the tenant status ('show tenants') reads:

Not ready: containers with unready status: [compute]

There are numerous entries similar to the following in /var/log/messages:

"Unable to authenticate the request" err="[invalid bearer token, Token has expired.]"

Note: Tenant will only be impacted if/after it is changed to configured or provisioned and then it is deployed again.

Conditions:
-- Multus.kubeconfig is not recreated or updated when the service account token in /var/run/secrets/kubernetes.io/serviceaccount/token is renewed.
-- Even though the token is renewed, the token is still valid for a year in multus.kubeconfig

Impact:
After one year, token in the multus.kubeconfig becomes stale (expired). As a result, when Multus tries to access the Kubernetes API server using the stale token in the multus.kubeconfig, it may fail with authentication errors because the token is no longer valid.

Workaround:
Workaround(1):
Impact of procedure: Performing the following procedure should not have a negative impact on your system.

Delete the multus pod by logging into the system as root and running the following command:

kubectl -n kube-system delete pod -l app=multus

The system will delete the running pod and create a new one. This will refresh the token for the next one year.

Workaround(2):
Impact of procedure: Tenants will be temporarily unavailable during this process.

Rebooting the device will refresh the token.

Fix:
None

1692837 : CVE-2024-21781: Intel BIOS vulnerability

Links to More Info: K000141509

1691557-5 : CVE-2020-8037: tcpdump memory leak.

Links to More Info: K000149929

1679941-4 : "gen error" while running snmpget/snmpbulkget commands

Links to More Info: BT1679941

Component: F5OS-A

Symptoms:
Triggered shell script which does the snmpget/snmpbulkget in a loop with 50sec delay in each loop reports genError for hrStorageAllocationunits

Conditions:
Snmpwalk is fetching the value for any index. No validation for the key passed.

Impact:
Some OIDs report an error, for example

Error in packet
Reason: (genError) A general failure occured
Failed object: HOST-RESOURCES-MIB::hrStorageAllocationUnits.131080

Workaround:
None

Fix:
Need to validate the index/key

1677249-5 : CVE-2024-6232: python: cpython: tarfile: ReDos via excessive backtracking while parsing header values

Links to More Info: K000148252

1673925-2 : Missing masquerade MAC FDB entry causes excessive DLFs following tenant failover.

Links to More Info: BT1673925

Component: F5OS-A

Symptoms:
The FDB entry for the tenants masquerade MAC is missing from a blades internal L2 table after a tenant failover.

The output of

[root@blade-1 ~]# docker exec -i partition_fpga tmctl -d blade -w 180 nse_l2 -s mac,l2_tag
mac l2_tag
--- ------

[root@blade-1 ~]

where MAC and L2_tag match the masquerade MAC and VLAN from the output of 'show FDB'

Conditions:
During tenant failover, the system will delete the masquerade MAC from the old active and add it to the new active. In parallel, the system will detect a port-motion event when the tenant issues a GARP for the new MAC.

This introduces a race condition between the static ADD from the system and the dynamic port-motion event from the H/W. If the port-motion event is processed last, the new static entry can be deleted erroneously.

Impact:
All front-panel traffic towards the tenant will encounter a DLF, causing excessive DLF traffic to the tenant.

Workaround:
From the tenant, remove and then re-add the masquerade MAC to the traffic group.

Fix:
For port-motion events, don't delete the existing entry if it's a static system entry.

1673265-5 : RADIUS remote auth on F5OS may not use system management IP as NAS IP address

Links to More Info: BT1673265

Component: F5OS-A

Symptoms:
An F5OS appliance does not use the management IP as the NAS-IP-Address or NAS-IPv6-Address in RADIUS authentication messages, or uses a stale/out-of-date management IP address.

Conditions:
- An F5OS system configured for RADIUS remote authentication
- The F5OS host is configured to use DHCP for assignment of its management IP, or an administrator changes the management IP addresses without rebooting the system.

Impact:
RADIUS messages sent to servers contain an incorrect NAS IP address.

Workaround:
None

Fix:
F5OS will now use the correct management IP address for the NAS-IP-Address / NAS-IPv6-Address attribute.

1671629-2 : [rSeries r2000/r4000] After F5OS reboot, tenant interfaces might be in UNINITIALIZED state

Links to More Info: BT1671629

Component: F5OS-A

Symptoms:
- After F5OS reboot, tenant interfaces might be in UNINITIALIZED state.
- Logs from tenant (/var/log/ltm) will show platform_agent receiving blank VLAN names. Example below where vlan id is 1234 (correct) but vlan name is blank (incorrect):

info platform_agent[7810]: 01e10007:6: vlan id = 1234vlan name = interface name = 1.3

Conditions:
- Rebooting F5OS
- rSeries r2000/r4000

Impact:
Traffic disruption. Since tenants interfaces will be UNINITIALIZED, the tenant will not be passing traffic.

Workaround:
- Remove all the VLANs from the interface (where VLAN names are missing) and re-attach the VLANs. This is to be done from F5OS side.
- Rebooting again is also known to resolve the problem (as this is a timing issue on reboot and does not happen frequently)

1671517 : WebUI Dashboard Memory & Storage Statistics are inaccurate and misleading

Links to More Info: BT1671517

Component: F5OS-A

Symptoms:
The webUI Dashboard for rSeries and VELOS devices provides inaccurate details about memory and storage utilization for the device.

Conditions:
Any device that is running a F5OS-A or F5OS-C version older than v1.8.0.

Impact:
Graphical representation on the webUI Dashboard for memory and storage utilization for the device is inaccurate.

Workaround:
Upgrading a device to F5OS v1.8 or greater resolves the issues.

Fix:
ID1233865 and ID1211233-4 both address the underlying issues of inaccurate storage and memory utilization reporting for the platforms. They have both been fixed for F5OS v1.8.0 in addition to ID1671517 that corresponds to the associated webUI changes and improvements.

1671133-3 : kernel: new DNS Cache Poisoning Attack based on ICMP fragment needed packets replies

Component: F5OS-A

Symptoms:
Use of Insufficiently Random Values

Conditions:
if icmp redirection are enabled.

Impact:
This flaw allows an off-path remote user to effectively bypassing source port UDP randomization.

Workaround:
Fixed in 1.8.4

Fix:
Fixed in 1.8.4

1660961-5 : Active Directory LDAP integration without uidNumber/gidNumber does not work with LDAP over TLS

Links to More Info: BT1660961

Component: F5OS-A

Symptoms:
Configuring an F5OS device to integrate with Active Directory using group names to map to roles rather than requiring unix attributes (uidNumber/gidNumber) in the directory will not work if the LDAP servers are configured to use encryption (TLS/SSL).

Log messages similar to the following in platform.log / velos.log:

authd[8]: priority="Err" version=1.0 msgid=0x3901000000000101 msg="LDAP API error during : -" oper="bind" code=-1 msg="Can't contact LDAP server".
authd[8]: priority="Warn" version=1.0 msgid=0x3901000000000098 msg="Unable to retrieve domain Sid for supplied servers and domains; server will be treated as if it has unix attributes present.".

Conditions:
- LDAP system authentication configured to authenticate against an Active Directory Server
- Under the system Authentication Settings configuration in the Common LDAP Configuration section, "Authenticate with Active Directory" set to True and "Unix Attributes" set to False
- LDAP group filters specified for one or more roles

Impact:
LDAP authentication functions based on unix attributes in the directory (uidNumber/gidNumber)

Workaround:
None

1644293-6 : Interface status alert and SNMP trap is not sent immediately after interface is disabled

Links to More Info: BT1644293

Component: F5OS-A

Symptoms:
When an interface is disabled, the alert or SNMP trap is not sent immediately.

Conditions:
-- Disable an interface.
-- R5000, R10000 and R12000 platforms
-- VELOS platform

Impact:
No alert or SNMP trap is sent when an interface is disabled. The trap is sent when the interface is re-enabled.

Workaround:
None

Fix:
Add a new "Interface disabled" event triggered when an interface is disabled. The "Interface up" and "Interface down" alerts changed to events.

Note : F5OS-A v1.8.3 is not affected by this bug.

1644221-1 : Log file grows to gigabytes (GBs) under /var/log

Links to More Info: BT1644221

Component: F5OS-A

Symptoms:
The default setting for logrotation on host-os is once per day. This can be troublesome if a problem arises and causes an excessive amount of log files to be generated. In such cases, the log files will grow to several GBs within a day.

Conditions:
If any service floods the logfiles under /var/log then file starts to grow in GBs.

Impact:
System disk gets full and becomes unusable.

Workaround:
None

Fix:
This issue has been fixed and the Log files will no longer grow in GBs.

1637529 : RSeries ATSE v72.41.5.00 firmware

Links to More Info: BT1637529

Component: F5OS-A

Symptoms:
RSeries ATSE v72.41.5.00 firmware

Conditions:
RSeries r5000, r10000, or r12000-series appliance.

This update is not applicable to r2000 or r4000-series appliances.

Impact:
Not applicable.

Workaround:
Not applicable.

Fix:
Fixes ATSE/BE2 interface stability issues. See ID1596625 for more information.