SSL 3.0/TLS 1.0 vulnerability CVE-2011-3389 and TLS protocol vulnerability CVE-2012-1870


* [CVE-2011-3389](<https://vulners.com/cve/CVE-2011-3389>) The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by way of a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, also known as a BEAST attack.
* [CVE-2012-1870](<https://vulners.com/cve/CVE-2012-1870>) The CBC mode in the TLS protocol, as used in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, and other products, allows remote web servers to obtain plaintext data by triggering multiple requests to a third-party HTTPS server and sniffing the network during the resulting HTTPS session, aka "TLS Protocol Vulnerability."

Impact

This vulnerability discloses data over the SSL session to an attacker.
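An added example, not part of the advisory: a small Python check that flags logged sessions negotiated with SSL 3.0 or TLS 1.0 together with a CBC cipher suite, the combination both CVEs describe. The key=value log format, the field names (`vip`, `proto`, `cipher`) and the sample lines are constructed for illustration.

```python
import re

# SSL 3.0 and TLS 1.0 chain CBC IVs across records: the IV of a record is the
# last ciphertext block of the previous one. TLS 1.1 and later send an
# explicit per-record IV. "SSLv3"/"TLSv1" match Python's SSLSocket.version();
# "TLSv1.0" is accepted as an alias.
CHAINED_IV_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.0"}

# OpenSSL-style names usually omit "CBC" (AES128-SHA is a CBC suite), so
# classify by exclusion: stream, NULL and AEAD suites are the non-CBC ones.
NON_CBC = re.compile(r"RC4|NULL|GCM|CCM|CHACHA20|POLY1305", re.IGNORECASE)


def is_cbc_suite(cipher: str) -> bool:
    """True if the suite name (OpenSSL or IANA style) denotes a CBC suite."""
    return NON_CBC.search(cipher) is None


def uses_chained_iv_cbc(protocol: str, cipher: str) -> bool:
    """True for the protocol/cipher combination described by the two CVEs."""
    return protocol in CHAINED_IV_PROTOCOLS and is_cbc_suite(cipher)


def audit(lines):
    """Return (vip, protocol, cipher) for each affected session line."""
    findings = []
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        proto, cipher = fields.get("proto"), fields.get("cipher")
        if proto and cipher and uses_chained_iv_cbc(proto, cipher):
            findings.append((fields.get("vip", "?"), proto, cipher))
    return findings


# Constructed sample log lines (hypothetical key=value format).
SAMPLE = [
    "client=192.0.2.10 vip=app1 proto=TLSv1 cipher=AES128-SHA",
    "client=192.0.2.11 vip=app1 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256",
    "client=192.0.2.12 vip=app2 proto=SSLv3 cipher=DES-CBC3-SHA",
    "client=192.0.2.13 vip=app2 proto=TLSv1 cipher=RC4-SHA",
    "client=192.0.2.14 vip=app3 proto=TLSv1.1 cipher=AES256-SHA",
    "client=192.0.2.15 vip=app3 proto=TLSv1 cipher=TLS_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for vip, proto, cipher in audit(SAMPLE):
        print(f"{vip}: {proto} with CBC suite {cipher}")
```

RC4 suites are not flagged because RC4 is a stream cipher and does not use CBC; that is a classification only, since RC4 is prohibited in TLS by RFC 7465.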

Affected Software

| CPE Name | Version |
| --- | --- |
| big-ip ltm | 9.0.0 |
| big-ip gtm | 9.2.2 |
| big-ip dns | 16.1.2 |
| big-ip asm | 9.2.0 |
| big-ip link controller | 9.2.2 |
| big-ip webaccelerator | 9.4.0 |
| big-ip psm | 9.4.0 |
| big-ip wom | 11.3.0 |
| big-ip apm | 16.1.2 |
| big-ip edge gateway | 11.3.0 |
| big-ip analytics | 16.1.2 |
| big-ip afm | 16.1.2 |
| big-ip pem | 16.1.2 |
| big-ip aam | 15.1.5 |
| firepass | 7.0.0 |
| enterprise manager | 3.1.1 |
| arx | 6.4.0 |
| big-iq cloud | 4.5.0 |
| big-iq device | 4.5.0 |
| big-iq security | 4.5.0 |
| big-iq adc | 4.5.0 |
| big-iq centralized management | 8.1.0 |
| big-iq cloud and orchestration | 1.0.0 |
| f5 iworkflow | 2.3.0 |