Bug ID 535717: Password history is not enforced when root, Administrator, or User Manager changes another user's password

Last Modified: Dec 20, 2019

Bug Tracker

Affected Product: BIG-IP TMOS (all modules)

Known Affected Versions:
12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.4, 12.1.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0, 13.1.1, 13.1.3, 14.0.0, 14.0.1, 14.1.0, 14.1.2

Opened: Jul 28, 2015
Severity: 3-Major

Symptoms

When logged in as root, or as a user with the Administrator or User Manager role, changing another user's password succeeds even if the new password is in that user's password history. The password-memory policy is consulted only on the self-service path: an ordinary user changing their own password is correctly prevented from reusing a password in history.

Impact

Privileged users (root, Administrator, User Manager) can set another user's password to a value in that user's password history, bypassing the password-memory policy that the password-policy configuration is expected to enforce for every password change.

Conditions

The password-memory property of auth password-policy is set to a nonzero value, that is, password history enforcement is enabled (for example, tmsh modify auth password-policy password-memory 3; the current value is shown by tmsh list auth password-policy). With password-memory at 0, no history is enforced for anyone and the bug has no effect.
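The bug class described above, as an added example that is not BIG-IP or F5 code: a small Python model of a password-memory check in which the vulnerable variant consults history only on the self-service path, so privileged resets bypass it, while the fixed variant evaluates the target account's policy regardless of who performs the change. The role names, the store layout, the PBKDF2 parameters and the sample user are assumptions made for illustration.

```python
"""Added example (not BIG-IP code): a password-history check modelled on the
password-memory setting, showing the bug shape and its fix.

Assumptions made for illustration: role names ("root", "admin",
"user-manager", "user"); a single integer password_memory where 0 disables
enforcement and N means the last N passwords, current one included, may not
be reused; PBKDF2-SHA256 as the stored history hash."""

import hashlib
import hmac
import os
from collections import deque

PRIVILEGED_ROLES = {"root", "admin", "user-manager"}   # hypothetical role names


def _kdf(password: str, salt: bytes) -> bytes:
    # History entries are salted hashes, never cleartext. Iteration count is
    # kept modest so the example runs quickly; raise it in real code.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class UserStore:
    """Per-user password history: a deque of (salt, hash), newest last."""

    def __init__(self, password_memory: int):
        self.password_memory = password_memory
        self.history = {}

    def set_initial(self, user: str, password: str) -> None:
        self.history[user] = deque()
        self.record(user, password)

    def record(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.history[user].append((salt, _kdf(password, salt)))

    def in_history(self, user: str, password: str) -> bool:
        """True if `password` matches one of the last password_memory entries."""
        if self.password_memory <= 0:
            return False                      # enforcement disabled (memory 0)
        recent = list(self.history[user])[-self.password_memory:]
        return any(hmac.compare_digest(_kdf(password, salt), digest)
                   for salt, digest in recent)


def change_password_buggy(store, actor_role, target, new_password):
    """Vulnerable shape: the history check is tied to the caller's privilege,
    so root/admin/user-manager resets never consult it."""
    if actor_role not in PRIVILEGED_ROLES and store.in_history(target, new_password):
        raise ValueError("password was used recently")
    store.record(target, new_password)


def change_password_fixed(store, actor_role, target, new_password):
    """Hardened shape: the policy belongs to the target account and is
    evaluated no matter who performs the change."""
    if store.in_history(target, new_password):
        raise ValueError("password was used recently")
    store.record(target, new_password)


def reuse_blocked(change_fn, actor_role, password_memory=3):
    """Return True if `change_fn` refuses to set a sample user's current
    password again when `actor_role` performs the change."""
    store = UserStore(password_memory)
    store.set_initial("alice", "Winter2015!")   # constructed sample account
    try:
        change_fn(store, actor_role, "alice", "Winter2015!")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for role in ("user", "user-manager", "admin", "root"):
        print(f"{role:13s} buggy blocks reuse: {str(reuse_blocked(change_password_buggy, role)):5s} "
              f"fixed blocks reuse: {reuse_blocked(change_password_fixed, role)}")
```

The property to look for when reviewing a password-change path is that the history check is a function of the target account and its policy, not of the caller's role; if privileged tooling reaches the credential store through a different setter, that setter must go through the same check.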

Workaround

To mitigate this, permit management access to BIG-IP systems only over a secure network, and limit shell access and the Administrator and User Manager roles to trusted users. This reduces who can perform a privileged password change; it does not restore history enforcement for changes those accounts make.

Fix Information


Behavior Change