Bug ID 469754: User name case sensitivity issue

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4

Fixed In:
11.6.0, 11.5.1 HF5, 11.4.1 HF6, 11.4.0 HF8

Opened: Jul 01, 2014
Severity: 2-Critical
Related AskF5 Article:
K15414

Symptoms

A user with a deleted account cannot log on with their originally defined username and password. A user with a deleted account can authenticate when using the previously cached case variation of their username and password. A user with a password-updated account cannot log on with their defined username and original password. A user with a password-updated account can authenticate using the previously cached case variation of their username and password. When viewing local user database users, a previously deleted user is not listed.

Impact

The user may be able to log on using invalid credentials.

Conditions

This issue occurs when all of the following conditions are met:

- The BIG-IP APM access policy uses a local user database for authentication.
- The user authenticates using a case variation that does not match the case of their local user database username.
- The local user database account is deleted or the user's password is updated.

When a local user database user authenticates to a BIG-IP APM access profile, the system stores the authenticated case-sensitive username and password in a cache, and it checks subsequent authentication attempts against that cache for a match before checking the local user database. When you delete or modify an account, the system purges only the instances of the case-sensitive username from the cache, so entries cached under a different case combination remain. This creates a scenario in which a user who authenticated to an access profile using a case combination that differs from the configured username in the local user database is unaffected by subsequent modifications to the account, because the cached authentication information is still honored.
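The cache-keying mismatch described above, as an added Python model that is not F5 code: the user database matches usernames case-insensitively, but the authentication cache is keyed by the username exactly as typed, so a purge on delete or password change misses entries cached under another case combination. The fix mode canonicalizes the cache key; that is an assumed remedy for illustration, since the page does not state how the product was changed.

```python
import hashlib
from typing import Dict, Tuple

def _pw_hash(password: str) -> str:
    # Stand-in for whatever credential hash the real product stores (constructed).
    return hashlib.sha256(password.encode()).hexdigest()

class LocalDbAuth:
    """Local user DB with case-insensitive usernames plus an auth cache consulted
    before the DB. normalize_cache_key=False models the flaw (cache keyed by the
    username exactly as typed); True canonicalizes the key, one assumed fix."""

    def __init__(self, normalize_cache_key: bool) -> None:
        self.normalize = normalize_cache_key
        self.db: Dict[str, str] = {}      # canonical (lower-cased) username -> hash
        self.cache: Dict[str, str] = {}   # cache key -> hash of last successful login

    def _cache_key(self, username: str) -> str:
        return username.lower() if self.normalize else username

    def add_user(self, username: str, password: str) -> None:
        self.db[username.lower()] = _pw_hash(password)

    def update_password(self, username: str, new_password: str) -> None:
        self.db[username.lower()] = _pw_hash(new_password)
        self.cache.pop(self._cache_key(username), None)  # flaw: exact-case entry only

    def delete_user(self, username: str) -> None:
        self.db.pop(username.lower(), None)
        self.cache.pop(self._cache_key(username), None)  # flaw: exact-case entry only

    def authenticate(self, username: str, password: str) -> bool:
        key, candidate = self._cache_key(username), _pw_hash(password)
        if self.cache.get(key) == candidate:   # cache hit short-circuits the DB check
            return True
        stored = self.db.get(username.lower())
        if stored is not None and stored == candidate:
            self.cache[key] = candidate
            return True
        return False

def reproduce(normalize_cache_key: bool) -> Tuple[bool, bool]:
    """Admin creates 'Alice'; user logs in as 'alice'; admin deletes the account.
    Returns (login as 'alice' after delete, login as 'Alice' after delete)."""
    svc = LocalDbAuth(normalize_cache_key)
    svc.add_user("Alice", "correct horse")             # constructed sample account
    assert svc.authenticate("alice", "correct horse")  # case variant is now cached
    svc.delete_user("Alice")
    return (svc.authenticate("alice", "correct horse"),
            svc.authenticate("Alice", "correct horse"))
```

`reproduce(False)` returns `(True, False)`: the deleted account still authenticates under the cached case variant, which is the symptom this bug describes, while `reproduce(True)` returns `(False, False)`.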

Workaround

None

Fix Information

Users deleted from the local user database are now prohibited from logging on using invalid credentials.

Behavior Change