K11533 : OpenSSL vulnerability CVE-2010-0740

2013-07-0300:00:00

my.f5.com

6.1 Medium

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

0.96 High

EPSS

Percentile

99.4%

JSON

Security Advisory Description

Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5 security vulnerability response policy.F5 products and versions that have been evaluated for_ _this Security Advisory

Product	Affected	Not Affected
BIG-IP LTM	10.1.0	9.x
10.0.0 - 10.0.1
10.1.0 HF1
10.2.x
11.x
BIG-IP GTM	10.1.0	9.x
10.0.0 - 10.0.1
10.1.0 HF1
10.2.x
11.x
BIG-IP ASM	10.1.0	9.x
10.0.0 - 10.0.1
10.1.0 HF1
10.2.x
11.x
BIG-IP Link Controller	10.1.0	9.x
10.0.0 - 10.0.1
10.1.0 HF1
10.2.x
11.x
BIG-IP WebAccelerator	10.1.0	9.x
10.0.0 - 10.0.1
10.1.0 HF1
10.2.x
11.x
BIG-IP PSM	10.1.0	9.x
10.0.0 - 10.0.1
10.1.0 HF1
10.2.x
11.x
BIG-IP WAN Optimization	10.1.0	10.0.0 - 10.0.1
10.1.0 HF1
10.2.x
11.x
BIG-IP APM	10.1.0	10.1.0 HF1
10.2.x
11.x
BIG-IP Edge	10.1.0	10.1.0 HF1
10.2.x
11.x
BIG-IP Analytics	None	11.x
BIG-IP AFM	None	11.x
BIG-IP PEM	None	11.x
BIG-IP AAM	None	11.x
FirePass	None	5.x
6.x
7.x
Enterprise Manager	2.0.0	1.x
2.1.x
2.2.x
2.3.x
3.x
ARX	5.1.0 - 5.1.9	2.x
3.x
4.x
5.0.1 - 5.0.7
5.2.0 - 5.3.1
6.x
Vulnerability description and product informationThessl3_get_recordfunction inssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer de-reference, related to the minor version number.
Information about this advisory is available at the following location:
<https://vulners.com/cve/CVE-2010-0740>
F5 Product Development tracked this issue as CR139154 and it was fixed in Enterprise Manager 2.1.0. For information about upgrading, refer to the Enterprise Manager release notes.
F5 Product Development tracked this issue as ID 38353 and it was fixed in ARX 5.2.0. For information about upgrading, refer to the ARX release notes.
F5 Product Development tracked this issue as CR139154, and it was fixed in BIG-IP 10.2.0. For information about upgrading, refer to the BIG-IP LTM, ASM, GTM, PSM, Link Controller, WebAccelerator, APM, WAN Optimization, or Edge Gateway release notes.
Additionally, this issue was fixed in BIGIP-10.1.0 HF1 issued for BIG-IP 10.1.0. You may download this hotfix or later versions of the hotfix from the F5 Downloads site.
To view a list of the latest available hotfixes, refer to K9502: BIG-IP hotfix matrix.
For information about the F5 hotfix policy, refer to K4918: Overview of F5 critical issue hotfix policy.
For information about managing F5 product hotfixes, refer to K10025: Managing F5 product hotfixes for BIG-IP 10.x systems.
For information about installing 10.x hotfixes on a partitioned system, refer to K9819: Installing a BIG-IP version 10.x hotfix on a partitioned system.

CPENameOperatorVersion
big-ip afmeq11.3.0
big-ip afmeq11.4.0
big-ip analyticseq11.0.0
big-ip analyticseq11.1.0
big-ip analyticseq11.2.0
big-ip analyticseq11.2.1
big-ip analyticseq11.3.0
big-ip analyticseq11.4.0
big-ip aameq11.4.0
big-ip apmeq10.1.0

Name	Operator	Version
big-ip afm	eq	11.3.0
big-ip afm	eq	11.4.0
big-ip analytics	eq	11.0.0
big-ip analytics	eq	11.1.0
big-ip analytics	eq	11.2.0
big-ip analytics	eq	11.2.1
big-ip analytics	eq	11.3.0
big-ip analytics	eq	11.4.0
big-ip aam	eq	11.4.0
big-ip apm	eq	10.1.0