Bug ID 552342: APMD logging at debug level may log passwords in clear text

Last Modified: Nov 07, 2022

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2

Fixed In:
12.1.0, 12.0.0 HF3

Opened: Oct 13, 2015
Severity: 2-Critical

Symptoms

APMD logging at debug level logs all request headers in clear text. Some request types carry passwords in headers, so those passwords are logged in clear text.

Impact

Some passwords may be logged in clear text.

Conditions

APMD logging at debug level.

Workaround

Do not log at debug level unless absolutely necessary.

Fix Information

Passwords in headers are logged as asterisks, as is done for POST data.
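
As an added illustration (not F5's code and not part of the original bug record), the masking described above can be sketched as a filter applied to request headers before they are written to a debug log. The set of header names treated as sensitive, the mask string, and the sample request are assumptions.

```python
import re

# Assumption: which headers carry credentials. Illustrative only; this list
# is not taken from the BIG-IP APM fix.
AUTH_HEADERS = {"authorization", "proxy-authorization"}
OTHER_SENSITIVE = {"cookie", "set-cookie"}
NAME_HINT = re.compile(r"pass(word|wd)?|secret|token", re.I)
MASK = "********"


def mask_header(name, value):
    """Return a header value that is safe to write to a debug log."""
    lname = name.strip().lower()
    if lname in AUTH_HEADERS:
        # Keep the scheme (Basic, Bearer, ...) for troubleshooting and mask
        # the credential. Basic is only base64, so it is effectively clear text.
        scheme, sep, _cred = value.strip().partition(" ")
        return f"{scheme} {MASK}" if sep else MASK
    if lname in OTHER_SENSITIVE or NAME_HINT.search(lname):
        return MASK
    return value


def format_headers_for_debug(raw_headers):
    """Render a raw header block as log lines with credentials masked."""
    out = []
    for line in raw_headers.splitlines():
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        if not sep:
            # Malformed line: never echo it verbatim, it may hold a secret.
            out.append("<malformed header line omitted>")
            continue
        out.append(f"{name.strip()}: {mask_header(name, value.strip())}")
    return out


# Constructed sample request headers (not captured from a real system).
SAMPLE = (
    "Host: vpn.example.test\r\n"
    "Authorization: Basic dXNlcjpodW50ZXIy\r\n"
    "X-Password: hunter2\r\n"
    "User-Agent: curl/8.0\r\n"
)

if __name__ == "__main__":
    print("\n".join(format_headers_for_debug(SAMPLE)))
```

Masking by header name errs toward over-redaction: a header whose name merely contains "pass" or "token" is also hidden, which is the safer failure mode for a debug log.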

Behavior Change