CVE-2019-19150

Name of the Vulnerable Software and Affected Versions F5 BIG-IP APM versions 11.5.2 through 11.6.5.1 F5 BIG-IP APM versions 12.1.0 through 12.1.5 F5 BIG-IP APM versions 13.1.0 through 13.1.3.1 F5 BIG-IP APM versions 14.0.0 through 14.0.1 F5 BIG-IP APM versions 14.1.0 through 14.1.2 F5 BIG-IP APM versions 15.0.0 through 15.0.1.1

Description The issue concerns the logging of the client-session-id in the BIG-IP APM system when a per-session policy is attached to the virtual server and debug logging is enabled.

Recommendations For versions 11.5.2 through 11.6.5.1, disable debug logging when a per-session policy is attached to the virtual server. For versions 12.1.0 through 12.1.5, disable debug logging when a per-session policy is attached to the virtual server. For versions 13.1.0 through 13.1.3.1, disable debug logging when a per-session policy is attached to the virtual server. For versions 14.0.0 through 14.0.1, disable debug logging when a per-session policy is attached to the virtual server. For versions 14.1.0 through 14.1.2, disable debug logging when a per-session policy is attached to the virtual server. For versions 15.0.0 through 15.0.1.1, disable debug logging when a per-session policy is attached to the virtual server.