PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-6249 F5 CVE debrief

CVE-2016-6249 is an information disclosure issue in F5 BIG-IP. When certain REST authentication requests time out, sensitive attributes such as passwords may be written in plaintext to /var/log/restjavad.0.log. A local user with access to the appliance can then read the log file and recover that data. The NVD assigns a medium-severity score and maps the weakness to CWE-200.

Vendor: F5
Product: CVE-2016-6249
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-20
Original CVE updated: 2026-05-13
Advisory published: 2017-02-20
Advisory updated: 2026-05-13

Who should care

F5 BIG-IP administrators and operators running affected 11.5.0-11.6.1 or 12.0.0 releases, especially teams that allow local shell access, shared admin access, or access to appliance log files.

Technical summary

According to NVD, REST requests that time out during user account authentication can cause sensitive attributes to be logged in plaintext in /var/log/restjavad.0.log. Because the attacker model is local and low-privilege, the issue is an information disclosure problem rather than remote code execution. NVD lists CWE-200 and a CVSS v3.0 vector of AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L.

Defensive priority

Medium. The flaw requires local access, but it can expose credentials or other sensitive authentication data in cleartext on affected appliances.

Recommended defensive actions

  • Apply the F5 fixed release or mitigation guidance from vendor advisory K12685114 for the affected BIG-IP versions.
  • Restrict access to /var/log/restjavad.0.log and related log locations; review file permissions and any log forwarding or archive paths that may retain copies.
  • Search existing logs for exposed passwords or other sensitive attributes, and rotate any credentials that may have been captured.
  • Review local account access on affected appliances and treat any credentials found in the log as compromised until verified otherwise.
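The log search and permission review above, as an added example that is not F5's tooling or part of advisory K12685114. The key/value line layout and the list of sensitive attribute names are assumptions; only the length of each exposed value is reported so the scan itself does not copy credentials anywhere.

```python
import os
import re
import stat

# Log path named in the NVD record for CVE-2016-6249.
RESTJAVAD_LOG = "/var/log/restjavad.0.log"

# Attribute names to treat as sensitive (assumed list; extend as needed).
SENSITIVE_KEYS = ("password", "passphrase", "secret")

# Matches key=value, key: value and "key":"value" pairs on one log line.
# The line layout is assumed; the advisory does not document the format.
_KV_RE = re.compile(r'"?(?P<key>[A-Za-z_]+)"?\s*[:=]\s*"?(?P<val>[^",\s}]+)')


def find_exposed_attributes(lines):
    """Return (line_no, key, value_length) for each sensitive attribute found.

    Only the length of the value is reported so that running this scanner
    does not write the exposed credential into another log or terminal.
    """
    hits = []
    for line_no, line in enumerate(lines, 1):
        for m in _KV_RE.finditer(line):
            key = m.group("key")
            if any(s in key.lower() for s in SENSITIVE_KEYS):
                hits.append((line_no, key, len(m.group("val"))))
    return hits


def mode_too_permissive(mode):
    """True if the file mode grants read access to group or others."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def scan_log_file(path=RESTJAVAD_LOG):
    """Scan a restjavad log on disk: exposed attributes plus permission check."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        hits = find_exposed_attributes(fh)
    return {"hits": hits, "too_permissive": mode_too_permissive(os.stat(path).st_mode)}


# Constructed sample lines (not real restjavad output) for a dry run.
SAMPLE_LINES = [
    "[I][1234][20 Feb 2017 10:00:01 UTC] login user=admin status=ok",
    "[W][1235][20 Feb 2017 10:00:31 UTC] auth timed out user=admin password=Hunter2! timeout=30",
    '[W][1236][20 Feb 2017 10:01:02 UTC] body {"username":"bob","password":"s3cr3t"}',
]

if __name__ == "__main__":
    for line_no, key, length in find_exposed_attributes(SAMPLE_LINES):
        print(f"line {line_no}: attribute {key!r} exposed ({length} chars), rotate it")
```

Every hit is a credential to rotate, and a `too_permissive` result means the file mode should be tightened before the appliance is considered remediated.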

Evidence notes

The NVD record states that REST requests timing out during user account authentication may log sensitive attributes, including passwords, in plaintext to /var/log/restjavad.0.log, and that local users may obtain sensitive information by reading these files. NVD also lists affected BIG-IP product/version CPEs, including 11.5.0 through 11.6.1 and 12.0.0, plus CWE-200 and the CVSS v3.0 vector AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L. The F5 vendor advisory K12685114 is the supplied mitigation reference.

Official resources

Publicly disclosed on 2017-02-20; the NVD record was later modified on 2026-05-13.