K11503 : BIND 9 vulnerability CVE-2009-0265

Security Advisory Description

Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about F5’s security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of F5 security vulnerability response policy.

F5 products and versions that have been evaluated for this Security Advisory

BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature.

Information about this advisory is available at the following locations:

<https://vulners.com/cve/CVE-2009-0265&gt;

F5 Product Development tracked this issue as CR114792 and and it was fixed in BIG-IP 10.0.1 and Enterprise Manager 2.0.0. For information about upgrading, refer to the BIG-IP LTM, ASM, GTM, PSM, Link Controller, WebAccelerator, APM, or WOM release notes.

Additionally, this issue was fixed in BIGIP-10.0.0-5514.0-HF2 which was released for BIG-IP 10.0.0. You may download this hotfix or later versions of the hotfix from the F5 Downloads site.

F5 Product Development is tracking this issue as ID 294064 (formerly CR114792) and CR115215 for WANJet, Enterprise Manager, FirePass and the BIG-IP 9.3, 9.4 and 9.6 software branches.

This is a similar vulnerability to CVE-2008-5077 and CVE-2009-0025. For information about CVE-2008-5077, refer to K9762: OpenSSL vulnerability - CVE-2008-5077. For information about CVE-2009-0025, refer to K9754: BIND 9 vulnerability CVE-2009-0025.

To view a list of the latest available hotfixes, refer to K9502: BIG-IP hotfix matrix.

For information about installing a hotfix, refer to K10025: Managing F5 product hotfixes for BIG-IP 10.x systems.

For information about the F5 hotfix policy, refer to K4918: Overview of F5 critical issue hotfix policy.