Bug ID 670893: Sensitive monitor parameters recorded in monitor logs

Last Modified: Apr 10, 2019

Bug Tracker

Affected Product:  See more info
BIG-IP LTM(all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1, 11.5.4 HF2, 11.5.4 HF3, 11.5.4 HF4, 11.5.5, 11.5.6, 11.5.7, 11.5.8, 11.5.9, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4, 12.0.0, 12.0.0 HF1, 12.0.0 HF2, 12.0.0 HF3, 12.0.0 HF4, 12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3, 12.1.3.1, 12.1.3.2, 12.1.3.3, 12.1.3.4, 12.1.3.5, 12.1.3.6, 12.1.3.7, 12.1.4, 12.1.4.1, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Jun 23, 2017
Severity: 2-Critical

Symptoms

When monitor instance logging or monitor debug logging is enabled for certain monitor types, the resulting monitor instance logs may contain sensitive parameters from the monitor configuration, including: - user-account password - radius/diameter secret - snmp community string

Impact

The user-account password, radius/diameter secret, or snmp community string configured in the LTM health monitor may appear in plain text form in the monitor instance logs under /var/log/monitors.

Conditions

This may occur under the following conditions: 1. LTM monitor type is one of the following: ldap mssql mysql nntp oracle postgresql radius radius-accounting smb snmp-dca snmp-dca-base wap On BIG-IP versions prior to v11.6.0, the LTM monitor type is one of the above, or one of the following: ftp imap pop3 smtp 2. Monitor instance logging or monitor debug logging is enabled by one of the following methods: a. Monitor instance logging is enabled by setting the 'logging' element to 'enabled' for an LTM node or pool member using the monitor. b. Monitor debug logging is enabled by setting the 'debug' element to 'yes' for an applicable LTM monitor.

Workaround

1. Do not enable monitor instance logging or monitor debug logging for affected LTM monitor types. 2. If it is necessary to enable monitor instance logging or monitor debug logging for troubleshooting purposes, remove the resulting log files from the BIG-IP system after troubleshooting is completed.

Fix Information

The values of monitor parameters password, secret and community will now be redacted by external monitors when monitor debugging is enabled.

Behavior Change

The values of monitor parameters password, secret and community will now be redacted by external monitors when monitor debugging is enabled. External monitors will no longer log all of the parameters of a monitor when the monitor is run and monitor-instance logging or monitor debug logging is enabled. If parameters information is needed for debugging purposes, this should be handled from knowledge of the monitor configuration.