CVE-2022-27636 - Insertion of Sensitive Information into Log File

Severity

55%

Complexity

18%

Confidentiality

60%

On F5 BIG-IP APM 16.1.x versions prior to 16.1.2.2, 15.1.x versions prior to 15.1.5.1, 14.1.x versions prior to 14.1.4.6, 13.1.x versions prior to 13.1.5, and all versions of 12.1.x and 11.6.x, as well as F5 BIG-IP APM Clients 7.x versions prior to 7.2.1.5, BIG-IP Edge Client may log sensitive APM session-related information when VPN is launched on a Windows system. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

CVSS 3.1 Base Score 5.5. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).

CVSS 2.0 Base Score 2.1. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N).

Demo Examples

Insertion of Sensitive Information into Log File

CWE-532

In the following code snippet, a user's full name and credit card number are written to a log file.


               
logger.info("Username: " + username + ", CCN: " + ccn);

Insertion of Sensitive Information into Log File

CWE-532

This code stores location information about the current user:


               
...
} catch (Exception e) {
    Log.e("ExampleActivity", "Caught exception: " + e + " While on User:" + User.toString());
}

When the application encounters an exception it will write the user object to the log. Because the user object contains location information, the user's location is also written to the log.

Insertion of Sensitive Information into Log File

CWE-532

In the example below, the method getUserBankAccount retrieves a bank account object from a database using the supplied username and account number to query the database. If an SQLException is raised when querying the database, an error message is created and output to a log file.


               
...
try {
    ...
    userAccount = (BankAccount)queryResult.getObject(accountNumber);
} catch (SQLException ex) {
    ...
    Logger.getLogger(BankManager.class.getName()).log(Level.SEVERE, logMessage, ex);
}
return userAccount;
}

The error message that is created includes information about the database query that may contain sensitive information about the database or query logic. In this case, the error message will expose the table name and column names used in the database. This data could be used to simplify other attacks, such as SQL injection (CWE-89) to directly access the database.
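A hardened counterpart to the three snippets above, as an added example that is not part of the original page or of F5's code: a java.util.logging filter that redacts card numbers and session-style secrets from message text, and a database-failure log call that records an incident id instead of the query. The class name, the regular expressions and the key names (sessionid, token, password) are assumptions chosen for illustration.

```java
import java.sql.SQLException;
import java.util.UUID;
import java.util.logging.Filter;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Pattern;

// Added example (not from the page): names and patterns below are assumptions.
public class SafeLogging {
    private static final Logger LOG = Logger.getLogger(SafeLogging.class.getName());

    // Assumed shapes: 13-19 digit card numbers, and key=value session secrets.
    private static final Pattern CARD = Pattern.compile("\\b(?:\\d[ -]?){12,18}\\d\\b");
    private static final Pattern SECRET =
            Pattern.compile("(?i)\\b(session(?:id)?|token|password)=([^\\s,;&]+)");

    static String redact(String msg) {
        if (msg == null) return null;
        String out = CARD.matcher(msg).replaceAll("[REDACTED-PAN]");
        return SECRET.matcher(out).replaceAll("$1=[REDACTED]");
    }

    // Safety net: scrub the message text of every record before a handler writes it.
    // Parameters and attached exceptions are not scrubbed; keep secrets out of them.
    static final Filter REDACTING_FILTER = record -> {
        record.setMessage(redact(record.getMessage()));
        return true;
    };

    // Hardened form of the SQLException case: no query text, no driver message,
    // only an opaque incident id plus the standard SQLState and vendor code.
    static String logDbFailure(SQLException ex) {
        String incidentId = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "Account lookup failed, incident={0}, sqlState={1}, code={2}",
                new Object[] {incidentId, ex.getSQLState(), Integer.toString(ex.getErrorCode())});
        return incidentId;
    }

    public static void main(String[] args) {
        for (Handler h : Logger.getLogger("").getHandlers()) {
            h.setFilter(REDACTING_FILTER);
        }
        // Constructed sample values, not real data.
        LOG.info("Username: alice, CCN: 4111 1111 1111 1111");
        LOG.info("VPN launched, sessionid=0123456789abcdef");
        logDbFailure(new SQLException("error near 'accounts.owner'", "42000", 1064));
    }
}
```

The filter is installed on the root logger's handlers so that records from any logger pass through it; the incident id returned by logDbFailure can be shown to the user or support staff without revealing schema details.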

Overview

Type

F5

First reported 2 years ago

2022-05-05 17:15:00

Last updated 2 years ago

2022-10-06 02:42:00

Affected Software

F5 BIG-IP Access Policy Manager (APM) 12.1.2

F5 BIG-IP Access Policy Manager (APM) 12.1.1

F5 BIG-IP Access Policy Manager (APM) 12.1.0

F5 Networks BIG-IP Access Policy Manager 11.6.1

F5 BIG-IP Access Policy Manager (APM) 13.1.0

F5 BIG-IP Access Policy Manager (APM) 14.1.0

F5 BIG-IP Access Policy Manager (APM) 15.1.0

F5 BIG-IP Access Policy Manager (APM) 11.6.2

F5 BIG-IP Access Policy Manager (APM) 11.6.3

F5 BIG-IP Access Policy Manager (APM) 11.6.4

F5 BIG-IP Access Policy Manager (APM) 11.6.5

F5 BIG-IP Access Policy Manager (APM) 12.1.3

F5 BIG-IP Access Policy Manager (APM) 12.1.4

F5 BIG-IP Access Policy Manager (APM) 12.1.5

F5 BIG-IP Access Policy Manager (APM) 13.1.1

F5 BIG-IP Access Policy Manager (APM) 13.1.3

F5 BIG-IP Access Policy Manager (APM) 14.1.2
