Bug ID 775797: Previously deleted user account might get authenticated

Last Modified: May 14, 2019


Affected Product:
BIG-IP TMOS (all modules)

Known Affected Versions:
13.1.0, 13.1.0.1, 13.1.0.2, 13.1.0.3, 13.1.0.4, 13.1.0.5, 13.1.0.6, 13.1.0.7, 13.1.0.8, 13.1.1, 13.1.1.1, 13.1.1.2, 13.1.1.3, 13.1.1.4, 13.1.1.5

Opened: Apr 23, 2019
Severity: 3-Major

Symptoms

A user account that may have originally been manually configured as a local user (auth user), but may have since been removed, might still get authenticated and be able to modify the BIG-IP configuration.

Impact

The deleted user, which no longer exists in the local user list and is also not explicitly authorized by remote role groups, can get authenticated. The deleted user is also able to modify the BIG-IP configuration via iControl.

Conditions

-- User account configured as local user.
-- The user account is deleted later.

(Note: The exact steps to produce this issue are not yet known.)

Workaround

None.

Fix Information

None

Behavior Change