History: Jul 05, 2013 - 12:00 a.m.

K12543 : OpenSSL vulnerability CVE-2010-4180

2013-07-05 00:00:00
my.f5.com

AI Score: 9.2 High (Confidence: High)

CVSS2: 4.3 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.023 Low (Percentile: 88.5%)

Security Advisory Description

Note: For information about signing up to receive security notice updates from F5, refer to K9970: Subscribing to email notifications regarding F5 products.

Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5 security vulnerability response policy.

F5 products and versions that have been evaluated for this Security Advisory

Product | Affected | Not Affected
BIG-IP LTM | None | *9.0.0 - 9.6.1, *10.0.0 - 10.2.4, 11.x
BIG-IP GTM | None | *9.2.2 - 9.4.8, *10.0.0 - 10.2.4, 11.x
BIG-IP ASM | None | *9.2.0 - 9.4.8, *10.0.0 - 10.2.4, 11.x
BIG-IP Link Controller | None | *9.2.2 - 9.4.8, *10.0.0 - 10.2.4, 11.x
BIG-IP WebAccelerator | None | *9.4.0 - 9.4.8, *10.0.0 - 10.2.4, 11.x
BIG-IP PSM | None | *9.4.5 - 9.4.8, *10.0.0 - 10.2.4, 11.x
BIG-IP WAN Optimization | None | *10.0.0 - 10.2.4, 11.x
BIG-IP APM | None | *10.1.0 - 10.2.4, 11.x
BIG-IP Edge Gateway | None | *10.1.0 - 10.2.4, 11.x
BIG-IP Analytics | None | 11.x
BIG-IP AFM | None | 11.x
BIG-IP PEM | None | 11.x
BIG-IP AAM | None | 11.x
FirePass | None | *5.0.0 - 5.5.2, *6.0.0 - 6.1.0, *7.0.0
Enterprise Manager | None | *1.0.0 - 1.8.0, *2.0.0 - 2.3.0, 3.x
ARX | None | *3.2.1 - 3.2.3, *4.0.1 - 4.1.3, *5.0.0 - 5.3.1, *6.0.0 - 6.4.0

* F5 Product Development has determined that these product versions are not vulnerable to the OpenSSL session cache issue indicated by CVE-2010-4180. While these products may allow a client to change the ciphersuite on a subsequent connection, the client is still only allowed to change to a cipher that has been enabled by the server. F5 Product Development has indicated this is intended behavior and does not introduce a security implication.

However, these product versions use a version of OpenSSL that is affected by this vulnerability when compiled and configured differently. As a result, Nessus or other vulnerability scanners may incorrectly report these product versions as vulnerable to CVE-2010-4180. Nessus plugin 51892 will look beyond the banner string and actually verify the behavior. While it will show that the cipher can be changed, it will not be able to change to a disallowed cipher.

Vulnerability description

OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.

Information about this advisory is available at the following location:
https://vulners.com/cve/CVE-2010-4180
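
Added example, not part of the F5 advisory: a triage helper for scanner findings that applies the version bounds from the CVE text above (before 0.9.8q, 1.0.x before 1.0.0c) to a banner string and treats a banner match alone as something to verify by behaviour, as the advisory describes. The function names, result labels and sample banners are constructed for illustration.

```python
import re

# Fixed releases named in the CVE text quoted above.
FIXED_098 = "0.9.8q"
FIXED_100 = "1.0.0c"

# Accepts a bare version ("0.9.8q") or one preceded by "OpenSSL " / "OpenSSL/".
_VER = re.compile(
    r"(?:^|OpenSSL[ /])(\d+)\.(\d+)\.(\d+)([a-z]*)(-(?:beta|pre|dev)\w*)?")


def version_key(text):
    """Sortable key for an OpenSSL letter-style version found in text."""
    m = _VER.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version in {text!r}")
    major, minor, fix = (int(g) for g in m.group(1, 2, 3))
    letters = m.group(4)
    released = 0 if m.group(5) else 1  # 1.0.0-beta5 sorts before 1.0.0
    # (len, letters) orders "" < "a" < ... < "z" < "za" < "zb"
    return (major, minor, fix, len(letters), letters, released)


def in_cve_range(text):
    """True if the version falls inside the ranges given in the CVE text."""
    v = version_key(text)
    if v[:2] == (1, 0):
        return v < version_key(FIXED_100)
    return v < version_key(FIXED_098)


def triage(banner, reuse_bug_option=None):
    """Classify a finding. reuse_bug_option is True/False when the server's
    SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG setting is known, None when only
    the banner is available."""
    if not in_cve_range(banner):
        return "fixed-version"
    if reuse_bug_option is None:
        return "verify-behaviour"  # banner match only, not a confirmation
    return "exposed" if reuse_bug_option else "option-disabled"


if __name__ == "__main__":
    # Constructed sample banners, not taken from any real host.
    for b in ("OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008", "OpenSSL/1.0.0c",
              "Apache/2.2.3 mod_ssl/2.2.3 OpenSSL/0.9.8p", "1.0.1e"):
        print(f"{b!r}: {triage(b)}")
```

A "verify-behaviour" result corresponds to the situation the advisory describes: the version string is in range, so the finding has to be settled by a behavioural check rather than by the banner.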
