Last Modified: Jul 13, 2024
Affected Product(s):
BIG-IP LTM
Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.1 HF10, 11.5.1 HF11, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.5.10, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 11.6.5, 11.6.5.1, 11.6.5.2, 11.6.5.3, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 12.1.5, 12.1.5.1, 12.1.5.2, 12.1.5.3, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1
Fixed In:
13.1.0
Opened: Jun 23, 2017
Severity: 2-Critical
When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration, including:
- user-account password
- radius/diameter secret
- snmp community string
The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors.
This may occur under the following conditions:
1. LTM monitor type is one of the following:
   ldap mssql mysql nntp oracle postgresql radius radius-accounting smb snmp-dca snmp-dca-base wap
   On BIG-IP versions prior to v11.6.0, the LTM monitor type is one of the above, or one of the following:
   ftp imap pop3 smtp
2. Monitor instance logging or monitor debug logging is enabled by one of the following methods:
   a. Monitor instance logging is enabled by setting the 'logging' element to 'enabled' for an LTM node or pool member using the monitor.
   b. Monitor debug logging is enabled by setting the 'debug' element to 'yes' for an applicable LTM monitor.
1. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types.
2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.
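The check below is an added example, not F5 code: it scans saved configuration text for the two conditions listed above (an affected monitor type with 'debug' set to 'yes', or a pool or node that references an affected monitor and has 'logging' set to 'enabled'). The stanza layout of the sample, the object names in it, and the function names are assumptions made for illustration.

```python
import re
# Monitor types named in the conditions above; the second set applies before v11.6.0.
AFFECTED = {"ldap", "mssql", "mysql", "nntp", "oracle", "postgresql", "radius",
            "radius-accounting", "smb", "snmp-dca", "snmp-dca-base", "wap"}
AFFECTED_PRE_11_6 = {"ftp", "imap", "pop3", "smtp"}
# Constructed sample in an assumed stanza layout (not taken from a real system).
SAMPLE = """\
ltm monitor radius /Common/rad_mon {
    debug yes
}
ltm monitor smtp /Common/smtp_mon {
}
ltm pool /Common/mail_pool {
    members {
        /Common/10.0.0.5:25 {
            logging enabled
        }
    }
    monitor /Common/smtp_mon
}
"""

def stanzas(conf):
    """Yield (header_tokens, body) per top-level stanza; assumes balanced braces."""
    depth, header, body = 0, None, []
    for line in conf.splitlines():
        if depth == 0 and line.rstrip().endswith("{"):
            header, body = line.split()[:-1], []
        elif depth > 0:
            body.append(line)
        depth += line.count("{") - line.count("}")
        if depth == 0 and header is not None:
            yield header, "\n".join(body)
            header = None

def audit(conf, pre_11_6=False):
    """Return sorted (reason, object_name) pairs that meet the conditions above."""
    types = AFFECTED | (AFFECTED_PRE_11_6 if pre_11_6 else set())
    parsed = list(stanzas(conf))
    is_mon = lambda h: len(h) == 4 and h[:2] == ["ltm", "monitor"] and h[2] in types
    risky = {h[3] for h, _ in parsed if is_mon(h)}  # names of affected-type monitors
    found = set()
    for h, body in parsed:
        if is_mon(h) and re.search(r"^\s*debug\s+yes\s*$", body, re.M):
            found.add(("monitor-debug", h[3]))
        elif h[:2] in (["ltm", "pool"], ["ltm", "node"]):
            used = set(" ".join(re.findall(r"^\s*monitor\s+(.*)$", body, re.M)).split())
            if used & risky and re.search(r"^\s*logging\s+enabled\s*$", body, re.M):
                found.add(("instance-logging", h[-1]))
    return sorted(found)
```

Pass pre_11_6=True when auditing a system older than v11.6.0 so that ftp, imap, pop3 and smtp monitors are included.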
The values of the monitor parameters password, secret and community will now be redacted by external monitors when monitor debugging is enabled. External monitors will no longer log all of the parameters of a monitor when the monitor is run and monitor instance logging or monitor debug logging is enabled. If parameter information is needed for debugging purposes, it should be obtained from knowledge of the monitor configuration.