Bug ID 571718: LocalDB auth logs new password in debug log on password change

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4

Fixed In:
12.1.0

Opened: Feb 03, 2016
Severity: 3-Major

Symptoms

When a local user changes their password, the LocalDB component logs the new password at debug level. In addition, while parsing the HTTP header, the content of the "_F5_challenge" parameter, which contains the local user's password, is logged.

Impact

The password is plainly visible in the log file /var/log/apm.

Conditions

This occurs when local users are changing their passwords and Access logging is set to debug.

Workaround

None

Fix Information

Passwords are no longer logged. Instead, the password will be masked as "******" in the log statement.
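
For logs collected while an affected version ran with Access logging at debug, the following added example (not F5 code) scans log text for unmasked "_F5_challenge" values, reports the affected line numbers without echoing the value, and rewrites the value to the same "******" mask the fix uses. The name=value layout, the sample lines and the function names are assumptions; this record does not show the real /var/log/apm line format, and the LocalDB password-change message is not covered.

```python
import re

MASK = "******"  # mask string quoted in the Fix Information section

# Assumption: the parameter is logged as _F5_challenge=<value> or
# "_F5_challenge": "<value>"; adjust the pattern to the real log layout.
PARAM_RE = re.compile(r'(_F5_challenge["\']?\s*[=:]\s*["\']?)([^&\s"\',;]+)')


def scrub_line(line):
    """Return (scrubbed_line, exposed); exposed is True if a real value was masked."""
    exposed = False

    def repl(match):
        nonlocal exposed
        if match.group(2) == MASK:      # already masked by a fixed version
            return match.group(0)
        exposed = True
        return match.group(1) + MASK    # keep the key, drop the secret

    return PARAM_RE.sub(repl, line), exposed


def audit(lines):
    """Return (1-based line numbers with an unmasked value, scrubbed lines)."""
    hits, scrubbed = [], []
    for number, line in enumerate(lines, 1):
        clean, exposed = scrub_line(line)
        if exposed:
            hits.append(number)
        scrubbed.append(clean)
    return hits, scrubbed


# Constructed sample lines, not real BIG-IP output.
SAMPLE = [
    "Feb  3 10:00:01 host debug: header params: username=alice&_F5_challenge=Examp1e-New-Pw&vhost=standard",
    "Feb  3 10:00:02 host notice: session established",
    "Feb  3 10:00:03 host debug: header params: username=bob&_F5_challenge=******&vhost=standard",
]

if __name__ == "__main__":
    hits, scrubbed = audit(SAMPLE)
    print("lines with unmasked _F5_challenge:", hits)
    for line in scrubbed:
        print(line)
```

Any account whose line number is reported should have its password treated as exposed to anyone who could read the log or its archived copies.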

Behavior Change