OpenSSL vulnerability CVE-2015-0286

2015-10-06T01:10:00
ID F5:K16317
Type f5
Reporter f5
Modified 2019-05-17T20:43:00

Description

F5 Product Development has assigned ID 513382 (BIG-IP), ID 516875 (BIG-IQ), ID 516876 (Enterprise Manager), and ID 410742 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. In addition, BIG-IP iHealth lists Heuristic H513523 on the Diagnostics > Identified > Medium screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM | 11.6.0, 11.5.0 - 11.5.3 | 12.1.0, 12.0.0, 11.6.1, 11.6.0 HF6, 11.5.3 HF2, 11.0.0 - 11.4.1, 10.1.0 - 10.2.4 | Medium | HTTPS health monitor, big3d, Configuration utility, Client SSL profile, Server SSL profile
BIG-IP AAM | 11.6.0, 11.5.0 - 11.5.3 | 12.1.0, 12.0.0, 11.6.1, 11.6.0 HF6, 11.5.3 HF2, 11.4.0 - 11.4.1 | Medium | HTTPS health monitor, big3d, Configuration utility, Client SSL profile, Server SSL profile
BIG-IP AFM | 11.6.0, 11.5.0 - 11.5.3 | 12.1.0, 12.0.0, 11.6.1, 11.6.0 HF6, 11.5.3 HF2, 11.3.0 - 11.4.1 | Medium | HTTPS health monitor, big3d, Configuration utility, Client SSL profile, Server SSL profile
BIG-IP Analytics | 11.6.0, 11.5.0 - 11.5.3 | 12.1.0, 12.0.0, 11.6.1, 11.6.0 HF6, 11.5.3 HF2, 11.0.0 - 11.4.1 | Medium | HTTPS health monitor, big3d, Configuration utility, Client SSL profile, Server SSL profile
BIG-IP APM | 11.6.0, 11.5.0 - 11.5.3 | 12.1.0, 12.0.0, 11.6.1, 11.6.0 HF6, 11.5.3 HF2, 11.0.0 - 11.4.1, 10.1.0 - 10.2.4 | Medium | HTTPS health monitor, big3d, Configuration utility, Client SSL profile, Server SSL profile, machine cert auth agent, on-demand cert auth agent
BIG-IP ASM | 11.6.0, 11.5.0 - 11.5.3 | 12.1.0, 12.0.0, 11.6.1, 11.6.0 HF6, 11.5.3 HF2, 11.0.0 - 11.4.1, 10.1.0 - 10.2.4 | Medium | HTTPS health monitor, big3d, Configuration utility, Client SSL profile, Server SSL profile
BIG-IP DNS | None | 12.1.0, 12.0.0 | Not vulnerable | None
BIG-IP Edge Gateway | None | 11.0.0 - 11.3.0 | Not vulnerable | None
BIG-IP GTM | 11.6.0, 11.5.0 - 11.5.3 | 11.6.1, 11.6.0 HF6, 11.5.3 HF2, 11.0.0 - 11.4.1, 10.1.0 - 10.2.4 | Medium | HTTPS health monitor, big3d, gtmd, Configuration utility, Client SSL profile, Server SSL profile
BIG-IP Link Controller | 11.6.0, 11.5.0 - 11.5.3 | 12.1.0, 12.0.0, 11.6.1, 11.6.0 HF6, 11.5.3 HF2, 11.0.0 - 11.4.1, 10.1.0 - 10.2.4 | Medium | HTTPS health monitor, big3d, gtmd, Configuration utility, Client SSL profile, Server SSL profile
BIG-IP PEM | 11.6.0, 11.5.0 - 11.5.3 | 12.1.0, 12.0.0, 11.6.1, 11.6.0 HF6, 11.5.3 HF2, 11.3.0 - 11.4.1 | Medium | HTTPS health monitor, big3d, Configuration utility, Client SSL profile, Server SSL profile
BIG-IP PSM | None | 11.0.0 - 11.4.1, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP WebAccelerator | None | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | Not vulnerable | None
BIG-IP WOM | None | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | Not vulnerable | None
ARX | 6.0.0 - 6.4.0 | None | Medium | ARX GUI
Enterprise Manager | 3.1.1 HF1 - HF4 | 3.0.0 - 3.1.1 (base version), 2.1.0 - 2.3.0 | Medium | big3d
FirePass | None | 7.0.0, 6.0.0 - 6.1.0 | Not vulnerable | None
BIG-IQ Cloud | 4.0.0 - 4.5.0 | 4.5.0 HF3 | Medium | big3d, Server SSL profile
BIG-IQ Device | 4.2.0 - 4.5.0 | 4.5.0 HF3 | Medium | big3d, Server SSL profile
BIG-IQ Security | 4.0.0 - 4.5.0 | 4.5.0 HF3 | Medium | big3d, Server SSL profile
BIG-IQ ADC | 4.5.0 | 4.5.0 HF3 | Medium | big3d, Server SSL profile
BIG-IQ Centralized Management | None | 4.6.0 | Not vulnerable | None
BIG-IQ Cloud and Orchestration | None | 1.0.0* | Not vulnerable | None
LineRate | 2.5.0, 2.4.0 - 2.4.2 | None | Severe | OpenSSL
F5 WebSafe | None | 1.0.0 | Not vulnerable | None
Traffix SDC | None | 4.0.0 - 4.1.0, 3.3.2 - 3.5.1 | Not vulnerable | None
BIG-IP Edge Clients for Android | None | 2.0.0 - 2.0.6 | Not vulnerable | None
BIG-IP Edge Clients for Apple iOS | None | 2.0.0 - 2.0.4, 1.0.5 - 1.0.6 | Not vulnerable | None
BIG-IP Edge Clients for Linux | None | 6035.x - 7110.x | Not vulnerable | None
BIG-IP Edge Clients for MAC OS X | None | 6035.x - 7110.x | Not vulnerable | None
BIG-IP Edge Clients for Windows | None | 6035.x - 7110.x | Not vulnerable | None
BIG-IP Edge Clients Windows Phone 8.1 | None | 1.0.0.x | Not vulnerable | None
BIG-IP Edge Portal for Android | None | 1.0.0 - 1.0.2 | Not vulnerable | None
BIG-IP Edge Portal for Apple iOS | None | 1.0.0 - 1.0.3 | Not vulnerable | None

  • *While BIG-IP 12.1.0, 12.0.0, and 11.6.1, BIG-IQ Centralized Management 4.6.0, BIG-IQ Cloud and Orchestration 1.0.0, and BIG-IQ 4.5.0 HF3 ship with an OpenSSL version prior to 1.0.1m, the libraries necessary to fix the issue were merged with the BIG-IP system's OpenSSL implementation.

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.
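The table above mixes three kinds of entry in one cell: an inclusive range ("11.5.0 - 11.5.3"), a single release ("11.6.0", covering that base release at any hotfix level) and a hotfix floor ("11.6.0 HF6", covering that base release from the named hotfix upward), and the fixed column is the more specific one (11.6.0 HF6 is fixed although 11.6.0 is listed as vulnerable). The script below is an added example, not F5 tooling, that encodes three rows of the table verbatim (BIG-IP LTM, BIG-IP GTM and LineRate) and applies exactly that precedence to a release string as it appears in `tmsh show sys version`; the other rows follow the same pattern and can be added to `TABLE`. The release strings it is run on at the bottom are constructed for the example.

```python
"""Version triage against the K16317 table for CVE-2015-0286 (added example)."""
import re

# Three rows copied from the advisory table: (vulnerable entries, fixed entries).
# "3.1.1 HF1 - HF4"-style hotfix ranges (Enterprise Manager) are not handled here.
TABLE = {
    "BIG-IP LTM": (
        ["11.6.0", "11.5.0 - 11.5.3"],
        ["12.1.0", "12.0.0", "11.6.1", "11.6.0 HF6", "11.5.3 HF2",
         "11.0.0 - 11.4.1", "10.1.0 - 10.2.4"],
    ),
    "BIG-IP GTM": (
        ["11.6.0", "11.5.0 - 11.5.3"],
        ["11.6.1", "11.6.0 HF6", "11.5.3 HF2", "11.0.0 - 11.4.1", "10.1.0 - 10.2.4"],
    ),
    "LineRate": (
        ["2.5.0", "2.4.0 - 2.4.2"],
        [],
    ),
}

_VERSION = re.compile(r"\s*(\d+)\.(\d+)\.(\d+)(?:\s+HF(\d+))?\s*")


def parse_version(text):
    """'11.5.3 HF2' -> ((11, 5, 3), 2); '11.5.3' -> ((11, 5, 3), 0)."""
    m = _VERSION.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    hotfix = int(m.group(4)) if m.group(4) else 0
    return base, hotfix


def entry_matches(entry, base, hotfix):
    """Does one table cell entry cover the release (base, hotfix)?"""
    if " - " in entry:
        # Inclusive range of base releases; the hotfix level is irrelevant.
        lo, hi = (parse_version(p)[0] for p in entry.split(" - "))
        return lo <= base <= hi
    ebase, ehotfix = parse_version(entry)
    if base != ebase:
        return False
    # ehotfix == 0 means any hotfix of that base; otherwise a hotfix floor.
    return hotfix >= ehotfix


def assess(product, release):
    """Return 'not vulnerable', 'vulnerable' or 'not listed' for one release.

    The fixed column is checked first because it carries the more specific
    entries (hotfix floors) that override a base release in the vulnerable column.
    """
    vulnerable, fixed = TABLE[product]
    base, hotfix = parse_version(release)
    if any(entry_matches(e, base, hotfix) for e in fixed):
        return "not vulnerable"
    if any(entry_matches(e, base, hotfix) for e in vulnerable):
        return "vulnerable"
    return "not listed"


def triage(product, releases):
    """Map each release string to its verdict for the given product row."""
    return {r: assess(product, r) for r in releases}


if __name__ == "__main__":
    # Constructed release strings for the example run.
    sample = ["11.6.0", "11.6.0 HF3", "11.6.0 HF6", "11.5.3", "11.5.3 HF2",
              "12.0.0", "11.4.1", "9.4.8"]
    for release, verdict in triage("BIG-IP LTM", sample).items():
        print(f"BIG-IP LTM {release:<12} {verdict}")
    # GTM has no 12.x row: in 12.x the product appears as BIG-IP DNS instead.
    print("BIG-IP GTM 12.0.0      ", assess("BIG-IP GTM", "12.0.0"))
```

A "not listed" verdict is worth keeping distinct from "not vulnerable": for BIG-IP GTM 12.0.0 it signals that the release is covered by a different row (BIG-IP DNS) rather than being cleared, and for a release below the oldest listed range it signals an unsupported version that the advisory does not evaluate at all.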

BIG-IP

Configuration utility

The Configuration utility is not vulnerable by default. To be vulnerable, the system administrator has to modify the configuration to perform client-side certificate authentication, such as when you perform the procedures in either of the following articles:

To mitigate this Configuration utility vulnerability, do not modify the configuration to perform client-side certificate authentication. If that is not possible, F5 recommends that you permit access to the Configuration utility only over a secure network and limit login access to trusted users.

Client SSL profiles

Client SSL profiles are not vulnerable in a default configuration. The Client SSL profile is vulnerable if it has been modified to enable the Client Authentication option and is associated with a virtual server. To mitigate the vulnerability, do not enable the Client Authentication option on the Client SSL profile.

Server SSL profiles

Server SSL profiles are vulnerable in a default configuration; however, this vulnerability would require a backend server (pool member) to perform malicious actions, as the BIG-IP system is acting as a client in this instance.

HTTPS Health monitor

The HTTPS health monitor is vulnerable by default. This vulnerability would require the BIG-IP system to monitor the health of a malicious server. To mitigate this vulnerability, limit traffic between the BIG-IP system and pool members to trusted traffic.
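The two configuration-dependent conditions in the Client SSL profile and HTTPS health monitor sections above are both visible in the running configuration: a Client SSL profile is exposed only when client authentication is turned on and the profile is attached to a virtual server, and the HTTPS monitor is exposed wherever a pool uses it. The script below is an added example, not F5 tooling, that reads the text printed by `tmsh list ltm profile client-ssl`, `tmsh list ltm virtual` and `tmsh list ltm pool` and reports both conditions. It assumes the `peer-cert-mode` property (values `ignore`, `request`, `require`, default `ignore`) is how the Client Authentication option appears in that output, and the `SAMPLE` text, object names and addresses are constructed for the example.

```python
"""Exposure check for the configuration-dependent components in K16317 (added example)."""

# Constructed tmsh-style output. Only partner_mtls is both attached to a virtual
# server and set to require a client certificate; staging_mtls is not attached.
SAMPLE = """\
ltm profile client-ssl clientssl {
    cert default.crt
    key default.key
    peer-cert-mode ignore
}
ltm profile client-ssl partner_mtls {
    peer-cert-mode require
}
ltm profile client-ssl staging_mtls {
    peer-cert-mode request
}
ltm virtual vs_public {
    destination 192.0.2.10:443
    profiles {
        http { }
        clientssl {
            context clientside
        }
    }
}
ltm virtual vs_partner {
    destination 192.0.2.11:443
    pool pool_partner
    profiles {
        http { }
        partner_mtls {
            context clientside
        }
    }
}
ltm pool pool_partner {
    members {
        192.0.2.50:443 {
            address 192.0.2.50
        }
    }
    monitor https
}
ltm pool pool_internal {
    monitor http
}
"""


def parse_tmsh(text):
    """Turn brace-structured tmsh output into nested dicts.

    'name {' opens a block, '}' closes it, 'name { }' is an empty block and
    any other line is a 'key value' pair. Sufficient for the objects used
    here; quoted values containing braces are not handled.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{ }") or line.endswith("{}"):
            stack[-1][line.rstrip("{} ").strip()] = {}
        elif line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
        elif line == "}":
            stack.pop()
        else:
            key, _, value = line.partition(" ")
            stack[-1][key] = value
    return root


def client_auth_exposure(config):
    """(virtual server, profile, peer-cert-mode) for each attached Client SSL
    profile that requests or requires a client certificate."""
    modes = {n.split()[-1]: body.get("peer-cert-mode", "ignore")
             for n, body in config.items() if n.startswith("ltm profile client-ssl ")}
    findings = []
    for name, body in config.items():
        if not name.startswith("ltm virtual "):
            continue
        for prof in body.get("profiles", {}):
            if modes.get(prof) in ("request", "require"):
                findings.append((name.split()[-1], prof, modes[prof]))
    return sorted(findings)


def https_monitored_pools(config):
    """Pools polled with the built-in https monitor. Custom monitors derived
    from it carry their own names and would need matching by parent type."""
    return sorted(n.split()[-1] for n, body in config.items()
                  if n.startswith("ltm pool ") and "https" in body.get("monitor", "").split())


if __name__ == "__main__":
    cfg = parse_tmsh(SAMPLE)
    for vs, prof, mode in client_auth_exposure(cfg):
        print(f"virtual {vs}: Client SSL profile {prof} has peer-cert-mode {mode}")
    for pool in https_monitored_pools(cfg):
        print(f"pool {pool}: members are polled by the https monitor")
```

For the pools reported, the mitigation in the section above is a network one (only trusted pool members reachable over the monitor path); for the virtual servers reported, the mitigation is to clear the Client Authentication option on the profile or upgrade to a release from the fixed column.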

BIG-IP GTM

Both the gtmd and big3d processes are vulnerable in a default configuration. In addition, monitored BIG-IP systems whose big3d process was updated by an affected BIG-IP GTM system are also vulnerable. To mitigate this vulnerability, limit traffic between BIG-IP systems to trusted traffic.

Enterprise Manager

The big3d process is vulnerable in a default configuration. In addition, monitored systems whose big3d process was updated by an affected BIG-IP GTM system are also vulnerable. To mitigate this vulnerability, limit traffic between BIG-IQ systems to trusted traffic.

BIG-IQ

The BIG-IQ configuration utility is not vulnerable by default. To be vulnerable, the system administrator has to modify the configuration to perform client-side certificate authentication. To mitigate this Configuration utility vulnerability, do not modify the configuration to perform client-side certificate authentication.

Server SSL profiles are vulnerable in a default configuration; however, this vulnerability would require a backend server (pool member) to perform malicious actions, as the BIG-IP system is acting as a client in this instance.