Bug ID 557322: Sensitive monitor parameters recorded in bigd and monitor logs

Last Modified: Sep 13, 2023

Affected Product(s):
BIG-IP LTM(all modules)

Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5

Fixed In:
13.0.0, 12.1.5.1

Opened: Nov 10, 2015

Severity: 3-Major

Symptoms

When bigd debug logging is enabled, the resulting bigd debug log may contain sensitive parameters from the monitor configuration. When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration. In each case, the monitor parameters logged may include:

- user-account password
- radius/diameter secret
- snmp community string

Impact

The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the bigd debug log (/var/log/bigdlog) or in the monitor instance logs under /var/log/monitors.

Conditions

This may occur under either of the following conditions:

1. bigd debug logging is enabled:
   tmsh modify sys db bigd.debug value enabled
2. Monitor instance logging is enabled for one of the following LTM monitor types: ftp, imap, pop3, smtp

Workaround

1. Do not enable bigd debug logging.
2. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.
3. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
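Before removing the log files as in step 3 (or before attaching them to a support case), it helps to know whether they already contain any of the three parameter values in plain text. The following is an added example, not F5 code: the `name=value` / `name "value"` / `name value` layout it matches and the sample log lines are constructed assumptions, since the real bigdlog and monitor-log line format is not shown in this bug entry.

```python
import re
import sys
from typing import Iterable, List, Tuple

# The three parameter families this bug entry names as sensitive.
SENSITIVE_PARAMS = ("password", "secret", "community")

# Assumed rendering of monitor parameters in a log line: `name=value`,
# `name="quoted value"` or `name value`. The real bigdlog/monitor-log
# layout is not on this page; adjust the pattern to what your logs contain.
_PARAM_RE = re.compile(
    r"(?P<key>\b(?:" + "|".join(SENSITIVE_PARAMS) + r")\b)"
    r"(?P<sep>\s*[=:]\s*|\s+)"
    r'(?P<val>"[^"]*"|\S+)',
    re.IGNORECASE,
)


def redact_line(line: str, mask: str = "<redacted>") -> str:
    """Return the line with every sensitive parameter value replaced by mask."""
    return _PARAM_RE.sub(lambda m: m.group("key") + m.group("sep") + mask, line)


def find_exposures(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """List (1-based line number, parameter name) for every unredacted value."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in _PARAM_RE.finditer(line):
            if m.group("val") not in ('""', "<redacted>"):
                hits.append((lineno, m.group("key").lower()))
    return hits


# Constructed sample lines in the assumed layout (not captured from a BIG-IP).
SAMPLE_LOG = """\
Oct 12 10:00:01 bigd[1234]: monitor /Common/imap_mon params: username=probe password=S3cret! folder=INBOX
Oct 12 10:00:02 bigd[1234]: monitor /Common/radius_mon params: secret="rad1us-sh4red" username=probe
Oct 12 10:00:03 bigd[1234]: monitor /Common/snmp_mon params: community public interval=5
Oct 12 10:00:04 bigd[1234]: monitor /Common/http_mon params: send "GET /" recv "200 OK"
"""

if __name__ == "__main__":
    # Usage: python audit_monitor_logs.py /var/log/bigdlog /var/log/monitors/*
    if len(sys.argv) < 2:
        for n, k in find_exposures(SAMPLE_LOG.splitlines()):
            print(f"<sample>:{n}: unredacted '{k}' value")
    for path in sys.argv[1:]:
        with open(path, errors="replace") as fh:
            for lineno, key in find_exposures(fh):
                print(f"{path}:{lineno}: unredacted '{key}' value")
```

Run without arguments it audits the built-in sample; `redact_line` can be applied to each line of a copy you intend to share instead of deleting the whole file.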

Fix Information

The password, community and secret parameters will now be redacted by bigd and Tcl monitors when debugging is enabled.

Behavior Change

The password, community and secret parameters will now be redacted by bigd and Tcl monitors when debugging is enabled. bigd will no longer log all of the monitor parameters every time that a Tcl monitor is scheduled and bigd debugging is enabled, unless logging is specifically enabled for the monitor instance (e.g. a pool member has "logging enabled"). The Tcl worker process will no longer log all of the parameters of a monitor when the monitor is run and bigd debugging is enabled. If parameter information is needed for debugging purposes, this should be handled specifically in the Tcl monitor script.

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips