Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2, 12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5
Fixed In:
13.0.0, 12.1.5.1
Opened: Nov 10, 2015
Severity: 3-Major
When bigd debug logging is enabled, the resulting bigd debug log may contain sensitive parameters from the monitor configuration. When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration. In each case, the monitor parameters logged may include:
- user-account password
- radius/diameter secret
- snmp community string
The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the bigd debug log (/var/log/bigdlog) or in the monitor instance logs under /var/log/monitors.
This may occur under either of the following conditions:
1. bigd debug logging is enabled:
   tmsh modify sys db bigd.debug value enabled
2. Monitor instance logging is enabled for one of the following LTM monitor types:
   - ftp
   - imap
   - pop3
   - smtp
1. Do not enable bigd debug logging.
2. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.
3. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
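One way to check a system against the conditions and workaround above, as an added example (not F5 code): it reports the state of the bigd.debug db variable and counts lines in the two log locations that mention the affected parameter names. The keyword pattern is a heuristic assumption because the advisory does not show the log format, and the BIGD_LOG and MONITOR_DIR override variables are hypothetical names.

```shell
#!/bin/sh
# Added example: audit a BIG-IP for leftover bigd/monitor debug logs.
# Log paths and the db variable come from the advisory; PATTERN is a
# heuristic assumption, since the advisory does not show the log format.
BIGD_LOG="${BIGD_LOG:-/var/log/bigdlog}"
MONITOR_DIR="${MONITOR_DIR:-/var/log/monitors}"
PATTERN='password|secret|community'

# Echo enabled, disabled or unknown for the bigd.debug db variable.
bigd_debug_state() {
    command -v tmsh >/dev/null 2>&1 || { echo unknown; return 0; }
    case "$(tmsh list sys db bigd.debug 2>/dev/null)" in
        *disable*) echo disabled ;;
        *enable*)  echo enabled ;;
        *)         echo unknown ;;
    esac
}

# Count lines in one log (plain or gzip-rotated) that match PATTERN.
count_hits() {
    case "$1" in
        *.gz) gzip -dc "$1" 2>/dev/null | grep -Eic "$PATTERN" ;;
        *)    grep -Eic "$PATTERN" "$1" 2>/dev/null ;;
    esac
}

# Print "<count> <file>" per log with matches. Only counts are printed,
# never the matching lines, so the report itself does not leak secrets.
scan_logs() {
    for f in "$BIGD_LOG" "$BIGD_LOG".* "$MONITOR_DIR"/*; do
        [ -f "$f" ] || continue
        n=$(count_hits "$f") || n=0
        if [ "${n:-0}" -gt 0 ]; then echo "$n $f"; fi
    done
    return 0
}

audit() {
    echo "bigd.debug: $(bigd_debug_state)"
    hits=$(scan_logs)
    if [ -n "$hits" ]; then
        echo "Logs to review and remove after troubleshooting:"
        echo "$hits"
    else
        echo "No matching lines in $BIGD_LOG or $MONITOR_DIR"
    fi
}

audit
```

A match only means the file mentions one of the parameter names; on a fixed version the value may already be redacted, so review the file before deciding whether a credential needs rotating.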
The password, community and secret parameters will now be redacted by bigd and Tcl monitors when debugging is enabled. bigd will no longer log all of the monitor parameters every time that a Tcl monitor is scheduled and bigd debugging is enabled unless logging is specifically enabled for the monitor instance (e.g. a pool member has "logging enabled"). The Tcl worker process will no longer log all of the parameters of a monitor when the monitor is run and bigd debugging is enabled. If parameters information is needed for debugging purposes, this should be handled specifically in the Tcl monitor script.