Lucene search

K
f5F5F5:K12998
HistoryJul 25, 2014 - 12:00 a.m.

K12998 : OpenSSL vulnerability CVE-2011-1945

2014-07-2500:00:00
my.f5.com
18

5.6 Medium

AI Score

Confidence

Low

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

0.006 Low

EPSS

Percentile

76.4%

Security Advisory Description

Note: For information about signing up to receive security notice updates from F5, refer to K9970: Subscribing to email notifications regarding F5 products.

Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5 security vulnerability response policy.

F5 products and versions that have been evaluated for this Security Advisory

Product Affected Not Affected
BIG-IP LTM None 9.x
10.x
11.x
BIG-IP GTM None 9.x
10.x
11.x
BIG-IP ASM None 9.x
10.x
11.x
BIG-IP Link Controller None 9.x
10.x
11.x

BIG-IP WebAccelerator| None| 9.x
10.x
11.x
BIG-IP PSM| None| 9.x
10.x
11.x
BIG-IP WOM| None| 10.x
11.x
BIG-IP APM| None| 10.x
11.x
BIG-IP Edge Gateway| None| 10.x
11.x
BIG-IP Analytics| None| 11.x
BIG-IP PEM
| None
| 11.x

BIG-IP AFM
| None
| 11.x

BIG-IP AAM| None | 11.x
FirePass| None| 5.x
6.x
7.x
Enterprise Manager| None| 1.x
2.x
3.x
ARX| None| 5.x
6.x

BIG-IP products are not affected because ECDSA and other elliptic curve algorithms are not enabled in the BIG-IP OpenSSL implementation. For information about elliptic curve cryptography support, refer to K12982: BIG-IP support for elliptic curve cryptography.

Vulnerability description and product information

The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys using a timing attack and a lattice calculation.

Information about this advisory is available at the following location. The following link will take you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge:

<https://vulners.com/cve/CVE-2011-1945&gt;

5.6 Medium

AI Score

Confidence

Low

2.6 Low

CVSS2

Access Vector

NETWORK

Access Complexity

HIGH

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:H/Au:N/C:P/I:N/A:N

0.006 Low

EPSS

Percentile

76.4%