Bug ID 552342: APMD logging at debug level may log passwords in clear text

Last Modified: Jul 13, 2024

Affected Product(s):
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2

Fixed In:
12.1.0, 12.0.0 HF3

Opened: Oct 13, 2015

Severity: 2-Critical

Symptoms

APMD logging at debug level logs all request headers in clear text. Some request types carry passwords in headers, so those passwords are logged in clear text.

Impact

Some passwords may be logged in clear text.

Conditions

APMD logging at debug level.

Workaround

Do not log at debug level unless absolutely necessary.

Fix Information

Passwords in headers are now logged as asterisks, as is already done for POST data.
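
As an added example (not F5 code and not part of this bug report): a Python check for debug logs collected on an affected version. It lists the accounts whose HTTP Basic credentials were written in clear text, so their passwords can be rotated, and masks the credential with asterisks as the fix does. The log line layout, the sample lines and the choice of the Authorization and Proxy-Authorization headers are assumptions; the report does not say which headers carry passwords.

```python
import base64
import binascii
import re

# Assumption: headers appear in the log as "Name: value" text; the real APMD
# debug log layout is not shown in the bug report.
BASIC_RE = re.compile(
    r"(?i)\b((?:proxy-)?authorization:\s*basic\s+)([A-Za-z0-9+/]+={0,2})"
)

def _username(token):
    """Return the user part of a Basic credential, or None if not decodable."""
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def exposed_users(lines):
    """Accounts whose password was written to the log and should be rotated."""
    users = set()
    for line in lines:
        for match in BASIC_RE.finditer(line):
            user = _username(match.group(2))
            if user is not None:
                users.add(user)
    return sorted(users)

def redact(line):
    """Mask Basic credentials with asterisks, keeping header name and scheme."""
    return BASIC_RE.sub(lambda m: m.group(1) + "********", line)

# Constructed sample lines (not real APMD output).
SAMPLE = [
    "debug apmd[1234]: header Authorization: Basic YWxpY2U6czNjcjN0",
    "debug apmd[1234]: header Host: vpn.example.com",
    "debug apmd[1234]: header Proxy-Authorization: basic Ym9iOmh1bnRlcjI=",
    "debug apmd[1234]: header Authorization: Basic ********",
]

if __name__ == "__main__":
    print("rotate passwords for:", exposed_users(SAMPLE))
    for line in SAMPLE:
        print(redact(line))
```

Only usernames are returned; the decoded password is discarded and never printed, so the scan output is safe to attach to a ticket.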

Behavior Change
