Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.6.2 HF1, 11.4.0, 11.4.1
Fixed In:
11.6.0, 11.5.1 HF5, 11.4.1 HF6, 11.4.0 HF8
Opened: Jul 01, 2014 Severity: 2-Critical Related Article:
K15414
A user with a deleted account cannot log on with their originally defined username and password. A user with a deleted account can authenticate when using the previously cached case variation of their username and password. A user with a password-updated account cannot log on with their defined username and original password. A user with a password-updated account can authenticate using the previously cached case variation of their username and password. When viewing local user database users, a previously deleted user is not listed.
The user may be able to log on using invalid credentials.
This issue occurs when all of the following conditions are met: The BIG-IP APM access policy uses a local user database for authentication. The user of a local user database authenticates using a case variation that does not match the case of their local user database username. The local user database account is deleted or the user's password is updated. When the user of a local user database authenticates to a BIG-IP APM access profile, the system stores the authenticated case-sensitive username and password in cache. The system checks subsequent authentication attempts against the cache for a match before checking the local user database. When you delete or modify an account, the system purges instances of the case-sensitive username from the cache. This behavior creates a scenario in which a user authenticates to an access profile using a case combination that differs from that of the configured username in the local user database. Subsequent modifications to the user's account may not affect cached authentication information.
None
Users deleted from the local user database are now prohibited from logging on using invalid credentials.