Bug ID 571718: LocalDB auth logs new password in debug log on password change

Last Modified: Nov 07, 2022

Bug Tracker

Affected Product:  See more info
BIG-IP APM(all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3,,,,, 11.6.4, 11.6.5,,,, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:

Opened: Feb 03, 2016
Severity: 3-Major


When the Local user changes the password, the Localdb component logs the new password in the Debug Level. Also, during the parsing of HTTP header, we log the content of the Parameter "_F5_challenge", which contains the Local user password.


The password is plainly visible in the log file /var/log/apm


This occurs when local users are changing their passwords and Access logging is set to debug.



Fix Information

Passwords are no longer logged. Instead in the log statement , the password will be masked as "******"

Behavior Change