Last Modified: Nov 07, 2022
Affected Product:
BIG-IP APM
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4
Fixed In:
12.1.0
Opened: Feb 03, 2016
Severity: 3-Major
When a local user changes their password, the Localdb component logs the new password at the debug level. In addition, while parsing the HTTP header, we log the content of the parameter "_F5_challenge", which contains the local user's password.
The password is plainly visible in the log file /var/log/apm.
This occurs when local users change their passwords and Access logging is set to debug.
None
Passwords are no longer logged. Instead, the password is masked as "******" in the log statement.
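Debug logs written by an affected version may still hold these values after an upgrade. The following added example (not F5 code and not part of the original report) finds and masks "_F5_challenge" values in log lines using the same "******" mask. The line layout, the sample lines and the function names are assumptions, and the Localdb new-password statement is not covered because its format is not given here.

```python
import re

MASK = "******"  # mask string the fixed release uses, per the report above

# Assumed layouts (not taken from real BIG-IP output): the parameter appears
# as name=value or name: value, with the value bare or quoted.
_CHALLENGE = re.compile(
    r"""(?P<key>_F5_challenge\s*[=:]\s*)
        (?P<val>"[^"]*"|'[^']*'|[^\s&;,]+)""",
    re.VERBOSE,
)


def mask_line(line):
    """Return (masked_line, hits) for one log line."""
    def _sub(m):
        val = m.group("val")
        # Keep surrounding quotes so the line stays parseable.
        if val[0] in "\"'":
            return f"{m.group('key')}{val[0]}{MASK}{val[0]}"
        return m.group("key") + MASK
    return _CHALLENGE.subn(_sub, line)


def scrub(lines):
    """Mask all lines; return (masked_lines, 1-based numbers of exposed lines)."""
    masked, exposed = [], []
    for no, line in enumerate(lines, 1):
        new, hits = mask_line(line)
        # A value that is already masked (fixed release) is not an exposure.
        if hits and new != line:
            exposed.append(no)
        masked.append(new)
    return masked, exposed


# Constructed sample lines, not real /var/log/apm output.
SAMPLE = [
    "Feb  3 10:00:01 host1 debug: HTTP param _F5_challenge=Sup3rS3cret&other=1",
    "Feb  3 10:00:02 host1 debug: session established",
    'Feb  3 10:00:03 host1 debug: header _F5_challenge: "pa ss,word"',
    "Feb  3 10:00:04 host1 debug: HTTP param _F5_challenge=******",
]

if __name__ == "__main__":
    out, exposed = scrub(SAMPLE)
    print("\n".join(out))
    print("exposed lines:", exposed)
```

Any account whose line number is reported should be treated as having a disclosed password and have it changed, since masking the log does not undo earlier reads of the file.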