Last Modified: Sep 13, 2023
Affected Product(s):
BIG-IP TMOS
Known Affected Versions:
12.1.0, 12.1.1, 12.1.2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
13.1.0, 12.1.3.6
Opened: May 22, 2017 Severity: 3-Major
Symptoms:
Some configuration files collected by qkview may contain cleartext secrets.
Impact:
The plaintext secrets are uploaded to iHealth together with the rest of the qkview.
Conditions:
Run qkview and extract the resulting file; the affected configuration files contain the secrets in cleartext.
Workaround:
To work around this issue, follow this procedure:

1. Untar the qkview file.
2. Obfuscate the secrets in the affected file.
3. Recreate the qkview file and upload that one. The original archive and the extracted tree still contain the cleartext secrets, so remove them once the obfuscated qkview has been uploaded.

For more information, see K55559493: Obfuscating sensitive data in a QKView file :: https://support.f5.com/csp/article/K55559493.

Qkview obfuscation
==================
-- Specific information in text files collected by qkview can be replaced/obscured.
-- The configuration file is in JSON format. For each set of files it takes a regex search pattern and the replacement text.

Config file
===========
/etc/qkview_obfuscate.conf

Config Template
===============
{
    "filename_regex1": {
        "search_regex11": "replace_text11",
        "search_regex12": "replace_text12",
        "search_regex13": "replace_text13"    <= No comma after the last element.
    },
    "filename_regex2": {
        "search_regex21": "replace_text21",
        "search_regex22": "replace_text22",
        "search_regex23": "replace_text23"
    }    <= No comma after the last node.
}

Notes
=====
-- Search-and-replace rules are applied to the files that match the filename regex.
-- Both the filename and the search pattern are regexes. JSON special characters must be escaped inside them (JSON special character list :: http://json.org/). Example: the search pattern bindpw\s+(\S+) must be written as "bindpw\\s+(\\S+)" (each '\' is escaped as '\\').
-- If a filename matches multiple filename regexes, all rules of all those regexes are applied to that file. Example:
{
    "abc123\\.conf": {
        "password\\s+(\\S+)": "password ####",
        "passphrase\\s+(\\S+)": "passphrase ####"
    },
    "abc\\w+\\.conf": {
        "bindpw\\s+(\\S+)": "bindpw dummypasswd"
    }
}
Because abc123.conf matches both filename regexes, all three rules are applied to abc123.conf.
-- Obfuscation works only on text files. Compressed files are ignored.
-- The qkview command fails if the config file is syntactically incorrect.
Sample config
=============
{
    "abc123\\.conf": {
        "password\\s+(\\S+)": "password ####",
        "passphrase\\s+(\\S+)": "passphrase ####"
    },
    "myapp?\\w+\\.conf": {
        "bindpw\\s+(\\S+)": "bindpw dummypasswd"
    }
}
"abc123\\.conf" - matches abc123.conf
"myapp?\\w+\\.conf" - matches myapp*.conf (any myapp<name>.conf; because the "?" makes the second "p" optional, myap<name>.conf also matches)
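As an added illustration (not F5's code and not part of this bug entry), the following Python script re-implements the config semantics described in the Notes and the Sample config above so that a config can be checked before qkview is run: it parses /etc/qkview_obfuscate.conf-style JSON (failing on the trailing comma the template warns about), applies every rule from every filename regex that matches a file, leaves compressed files alone, and then reports lines that some rule's search regex would still change, which is how files no filename regex covers show up. The sample files are constructed; matching the filename regex with an unanchored re.search and substituting line by line with the replacement taken literally are assumptions about the real tool, not behaviour the knowledge base article documents.

```python
"""Toy re-implementation of the /etc/qkview_obfuscate.conf semantics.

Illustrative code, not F5's implementation. Assumed (not documented):
the filename regex is applied with re.search (unanchored), substitutions
run line by line, and replace_text is inserted literally."""
import json
import re
from typing import Dict, List, Optional, Tuple

Rule = Tuple[re.Pattern, str]

# The page's own example config, as it would sit in /etc/qkview_obfuscate.conf.
SAMPLE_CONF = r'''{
  "abc123\\.conf": {
    "password\\s+(\\S+)": "password ####",
    "passphrase\\s+(\\S+)": "passphrase ####"
  },
  "abc\\w+\\.conf": {
    "bindpw\\s+(\\S+)": "bindpw dummypasswd"
  }
}'''

# Same idea with the trailing comma the template warns about: invalid JSON.
BAD_CONF = r'''{
  "abc123\\.conf": {
    "password\\s+(\\S+)": "password ####",
  }
}'''

# Constructed stand-ins for files found after untarring a qkview.
SAMPLE_FILES: Dict[str, bytes] = {
    "abc123.conf": b"user admin\npassword s3cr3t\npassphrase hunter2\nbindpw ldap-pw\n",
    "abcdef.conf": b"bindpw ldap-pw\npassword s3cr3t\n",
    "other.conf": b"password s3cr3t\n",          # no filename regex covers it
    "archive.tar.gz": b"\x1f\x8b\x08\x00password s3cr3t",  # gzip magic: skipped
}

GZIP_MAGIC = b"\x1f\x8b"


def load_rules(conf_text: str) -> List[Tuple[re.Pattern, List[Rule]]]:
    """Parse the JSON config and compile every regex. Raises on bad JSON or a
    bad regex, the same conditions that make the real qkview command fail."""
    rules = []
    for fname_re, subs in json.loads(conf_text).items():
        compiled = [(re.compile(pat), repl) for pat, repl in subs.items()]
        rules.append((re.compile(fname_re), compiled))
    return rules


def check_config(conf_text: str) -> Optional[str]:
    """None if the config parses, otherwise the error message."""
    try:
        load_rules(conf_text)
    except (ValueError, re.error) as exc:  # json.JSONDecodeError is a ValueError
        return str(exc)
    return None


def is_text(data: bytes) -> bool:
    """Obfuscation touches text files only; compressed/binary data is ignored."""
    if data.startswith(GZIP_MAGIC):
        return False
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def rules_for(filename: str, rules) -> List[Rule]:
    """Every rule from every filename regex that matches this file."""
    out: List[Rule] = []
    for fname_re, subs in rules:
        if fname_re.search(filename):
            out.extend(subs)
    return out


def obfuscate(files: Dict[str, bytes], rules) -> Dict[str, bytes]:
    result = {}
    for name, data in files.items():
        if not is_text(data):
            result[name] = data
            continue
        subs = rules_for(name, rules)
        lines = []
        for line in data.decode("utf-8").splitlines(keepends=True):
            for pat, repl in subs:
                line = pat.sub(lambda _m, r=repl: r, line)  # literal replacement
            lines.append(line)
        result[name] = "".join(lines).encode("utf-8")
    return result


def residual_secrets(files: Dict[str, bytes], rules) -> List[Tuple[str, str]]:
    """Coverage check: (file, search regex) pairs where a rule would still
    change a line, i.e. a secret left in a file no filename regex covers."""
    found = set()
    for name, data in files.items():
        if not is_text(data):
            continue
        for _fname_re, subs in rules:
            for pat, repl in subs:
                for line in data.decode("utf-8").splitlines():
                    if pat.sub(lambda _m, r=repl: r, line) != line:
                        found.add((name, pat.pattern))
                        break
    return sorted(found)
```

Running obfuscate over the sample files masks all three values in abc123.conf and only bindpw in abcdef.conf, and residual_secrets then flags the password lines in abcdef.conf and other.conf: the fix is a broader filename regex or an extra entry, not a wider search regex.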
None