Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP APM
Known Affected Versions:
11.6.0, 11.6.1, 11.6.2, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.1.0 HF1, 12.0.0 HF2, 12.1.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.1 HF1, 12.1.1 HF2, 12.1.2 HF1, 12.1.2 HF2
Fixed In:
12.1.0
Opened: Feb 03, 2016 Severity: 3-Major
When the Local user changes the password, the Localdb component logs the new password in the Debug Level. Also, during the parsing of HTTP header, we log the content of the Parameter "_F5_challenge", which contains the Local user password.
The password is plainly visible in the log file /var/log/apm
This occurs when local users are changing their passwords and Access logging is set to debug.
None
Passwords are no longer logged. Instead in the log statement , the password will be masked as "******"