Supplemental Document : BIG-IP Virtual Edition 12.0.0 HF1 EHF14 Release Information

Original Publication Date: 04/11/2016 Updated Date: 04/18/2019

Hotfix Release Information

Version: BIG-IP-12.0.0
Build: 628.14
Hotfix Rollup: 1
Engineering Hotfix: 14

Cumulative fix details for BIG-IP v12.0.0 Hotfix 1, Engineering Hotfix 14 that are included in this release:

--------------------------------------------------------------------------------------

ID: 569467-3

Description: CVE-2016-2084 Cloud image vulnerability

Symptoms: There is an issue with regenerating certificates and keys when deploying BIG-IP cloud images in Amazon Web Services (AWS) and Azure cloud services environments. (CVE-2016-2084 - reserved). Note: CVE-2016-2084 impacts only BIG-IP AWS and Azure cloud deployments; it does not impact other cloud environments, BIG-IP hardware, hypervisor-based Virtual Edition (VE), or vCMP (host or guest) deployments.

Conditions: BIG-IP AWS and Azure cloud instances do not properly regenerate certificates and keys when launched in those environments, resulting in multiple instances sharing the same certificates and keys. To exploit this vulnerability, an attacker would first need to obtain a copy of the configuration of the target instance containing encrypted information, and would require an in-depth knowledge of TMOS internals.

Impact: A successful attack could potentially result in disruption of services and/or information leakage from the exploited BIG-IP instance in AWS and Azure cloud environments. There are no known public exploits at this time.

Workaround: See SOL11772107: BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084.

Fix: See SOL11772107: BIG-IP and BIG-IQ cloud image vulnerability CVE-2016-2084 for detailed information.
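
Added example (not F5 code, and not part of the original release note): one way to audit a fleet for the condition described above, by fingerprinting certificate and key material collected from each instance and reporting anything present on more than one. It assumes you have already exported, per instance, the PEM objects and SSH public keys you want to compare; this page does not list which files those are, and the instance names and sample data are constructed.

```python
import base64
import hashlib
import re
from collections import defaultdict

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
SSH_RE = re.compile(r"^((?:ssh|ecdsa)-[a-z0-9-]+)[ \t]+([A-Za-z0-9+/=]+)", re.M)


def fingerprints(text):
    """Yield (kind, sha256 hex) for each PEM object and SSH public key in text.

    The decoded bytes are hashed, not the text, so line wrapping, CRLF line
    endings or an edited SSH key comment cannot hide a shared key.
    """
    for label, body in PEM_RE.findall(text):
        der = base64.b64decode("".join(body.split()))
        yield label.lower(), hashlib.sha256(der).hexdigest()
    for ktype, blob in SSH_RE.findall(text):
        yield ktype, hashlib.sha256(base64.b64decode(blob)).hexdigest()


def shared_material(collected):
    """Return {(kind, fingerprint): [instances]} for material on >1 instance."""
    seen = defaultdict(set)
    for instance, text in collected.items():
        for fp in fingerprints(text):
            seen[fp].add(instance)
    return {fp: sorted(names) for fp, names in seen.items() if len(names) > 1}


def pem(label, raw, width=64):
    """Wrap constructed bytes as PEM (sample data only, not real ASN.1)."""
    b64 = base64.b64encode(raw).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(rows), label)


# Constructed sample: vm-a and vm-b kept the image's material, vm-c regenerated.
IMAGE_CERT, IMAGE_KEY = b"constructed image cert " * 8, b"constructed image key " * 8
SAMPLE = {
    "vm-a": pem("CERTIFICATE", IMAGE_CERT)
            + "ssh-rsa %s root@image\n" % base64.b64encode(IMAGE_KEY).decode(),
    "vm-b": pem("CERTIFICATE", IMAGE_CERT, width=76).replace("\n", "\r\n")
            + "ssh-rsa %s root@vm-b\n" % base64.b64encode(IMAGE_KEY).decode(),
    "vm-c": pem("CERTIFICATE", b"constructed fresh cert " * 8)
            + "ssh-rsa %s root@vm-c\n" % base64.b64encode(b"fresh key " * 8).decode(),
}

if __name__ == "__main__":
    for (kind, fp), names in sorted(shared_material(SAMPLE).items()):
        print("SHARED %-12s %s... on %s" % (kind, fp[:16], ", ".join(names)))
```

Any fingerprint reported for two or more instances means those instances were launched without regenerating that item and should be handled as described in SOL11772107.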



ID: 550618

Description: The BIG-IP Virtual Edition may fail to load the default configuration on the Microsoft Azure cloud service

Symptoms: The BIG-IP Virtual Edition (VE) may fail to load the default configuration on the Microsoft Azure cloud service. As a result of this issue, you may encounter one or more of the following symptoms:
-- The BIG-IP VE system fails to load the default configuration and reports an error message similar to the following example:

    Loading configuration...
      /defaults/defaults.scf
    Syntax Error:(/defaults/defaults.scf at line: 97) "description" may not be specified more than once.

Conditions: This issue occurs when all of the following conditions are met:
-- The BIG-IP VE system is deployed on the Microsoft Azure cloud service.
-- You attempt to reset the BIG-IP VE to the default configuration using the tmsh load sys config default command.

Impact: Cannot reset system configuration defaults.

Workaround: Delete the VE instance in Azure, and then start a new instance. Move the license registration key to the new instance. Important: F5 Support must release the license (called an 'allow move') to enable license provisioning on the new VE instance.

Fix: The BIG-IP Virtual Edition now successfully loads the default configuration on the Microsoft Azure cloud service.



ID: 554609-2

Description: Kernel panics during boot when RAM spans multiple NUMA nodes.

Symptoms: BIG-IP Virtual Edition (VE) crashes in the kernel during early boot.

Conditions: This occurs when the following conditions are met:
* VE is running on Hyper-V.
* VE RAM is configured in such a way that it spans multiple NUMA nodes.

Impact: Kernel panic during boot.

Workaround: No workaround.

Fix: The kernel now properly aligns memory on multiple NUMA nodes, so there is no kernel panic during boot.



ID: 557648-2

Description: AWS pool autoscale functionality does not work

Symptoms: Listing Virtual Edition (VE) pool members on an autoscaled pool does not show members being added or removed. Messages similar to the ones below are seen in /var/log/ltm:

    notice admin: ./aws-autoscale-pool-manager.sh : Starting.
    notice admin: ./aws-autoscale-pool-manager.sh : Using region us-west-2
    notice admin: ./aws-autoscale-pool-manager.sh : Using AutoScaling Url http://autoscaling.us-west-2.amazonaws.com
    notice logger: ./aws-autoscale-pool-manager.sh : Updating pool : pool1 with instances from Auto Scale Group :
    err logger: ./aws-autoscale-pool-manager.sh : Failed to describe instance i-5556b78f
    err logger: ./aws-autoscale-pool-manager.sh : Aborting.

Conditions:
1. Boot up a VE instance on AWS using the BYOL marketplace image version 12.0.0.0.2.606.
2. Create autoscale group on AWS based on load requirements.
3. Configure pool autoscaling on VE (i.e., configure autoscale iApp, iCall, etc.).

Impact: Pool members are no longer automatically added or removed on a VE pool configured to use autoscale.

Workaround: Create the following symlink in /opt/aws/:

    ln -s ec2-api-tools-1.7.5.1 ec2-api-tools-1.6.13.0

Fix: Include Amazon EC2 web service tools from latest version of the toolset. Included is support for AWS pool autoscale functionality.



ID: 544531

Description: ConfigSync does not work in Virtual Edition configurations provisioned with a single NIC and single IP.

Symptoms: ConfigSync does not work in Virtual Edition (VE) configurations provisioned with a single NIC and single IP.

Conditions: This occurs when using BIG-IP VE v12.0.0 for Microsoft Azure and Amazon AWS when provisioned with a single NIC and a single IP address.

Impact: There is no way to enable ConfigSync and sync up configs among the devices in a Device Group.

Workaround: None.

Fix: You can configure ConfigSync Only (there is no support of network failover, but it should be selected and disabled when creating the Device Group) for BIG-IP VE provisioned with a single NIC and a single IP address using the following steps.

Steps to configure ConfigSync in Azure VE provisioned with a single NIC and a single IP address:
- Use version 12.0.0 HF1 EHF14 and later images.
- Use a static private IP address provided by Azure Virtual Network.
- Set db-var 'provision.1nicautoconfig' to be 'disable' before beginning.

* No support of network failover when setting up ConfigSync in Azure.

A typical setup is as follows:
- Configure configsync-ip in each VE/device.
  - In each VE/device, run the command:
      tmsh modify cm device <bigipX> configsync-ip <self-ip>
- In the master VE/device, complete the following steps at the tmsh command line:
  - To add all other VEs/devices to the trust-domain, complete the following steps at the tmsh command line for each VE/device:
    - Run the command:
        tmsh modify cm trust-domain Root ca-devices add { <peer-mgmt-ip> } name <bigipX> user <user> password <password>
  - To create a new device group for all VEs/devices:
    - Run the command:
        tmsh create cm device-group <device-group> devices add { <all-device-names-separated-by-space> } type sync-failover auto-sync enabled network-failover disabled
  - To initially sync-up configs among devices in device-group, run the command:
      tmsh run cm config-sync to-group <device-group>

--------------------------------------------------------------------------------------
Copyright F5 Networks (2016) - All Rights Reserved