CVSS3: 3.7 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

AI Score: 4.7 Medium (Confidence: High)

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.975 High (Percentile: 100.0%)
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the “Logjam” issue. (CVE-2015-4000)
Impact
BIG-IP configurations that enable EXPORT suites in Client SSL profiles may be vulnerable to the LogJam attack, in which an active man-in-the-middle attack downgrades a connection between a TLS client and a TLS server that supports EXPORT ciphersuites, but would not negotiate them due to server-side ordering of cipher suites. The best workaround is to disable EXPORT suites in the Client SSL profile. If this is not possible and the Client SSL profile must have EXPORT and strong cipher suites enabled, F5 recommends that you leave the default setting of “10” for the Handshake Timeout setting in the Client SSL profile.
If the configuration is such that a client and a server would negotiate an EXPORT cipher suite on their own, a passive attacker can record the traffic and can decrypt it later. This is an offline attack on a limited number of connections for which there is no workaround other than disabling EXPORT cipher suites.
The BIG-IP system uses 1024-bit DHE for non-export cipher suites. A 1024-bit DHE is likely to be negotiated between a client and a server without interference by an attacker. The BIG-IP system does not use fixed DHE 1024 groups, and the management of DHE 1024 group performed by the BIG-IP system provides a reasonable protection against currently known attacks on DHE 1024. For increased security, F5 recommends that you change the order of DHE cipher suites in Client SSL profiles to prefer ECDHE.
There are specific features on the BIG-IP system that mitigate the impact of LogJam on BIG-IP Client SSL profiles.
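The advisory above distinguishes two exposures: an active downgrade when EXPORT suites are enabled but ranked below strong suites, and a passive, offline attack when an EXPORT suite would be negotiated on its own, plus the ordering recommendation to prefer ECDHE over DHE. The following audit is an added example, not F5 code or a BIG-IP tool: it takes a server's enabled IANA cipher suite names in preference order (the sample profiles are constructed) and reports those conditions.

```python
# Added example (not from the F5 advisory). Audits an ordered list of IANA
# cipher suite names, as a server would prefer them, for the Logjam-related
# conditions the advisory describes. Sample profiles below are constructed.
from typing import Dict, List, Optional


def key_exchange(suite: str) -> str:
    """Key-exchange family of an IANA suite name (TLS_<KX>_WITH_...)."""
    kx = suite.split("_WITH_")[0]
    kx = kx[4:] if kx.startswith("TLS_") else kx
    if kx.startswith("ECDHE"):
        return "ECDHE"
    if kx.startswith("DHE"):
        return "DHE"
    return "OTHER"


def is_export(suite: str) -> bool:
    """EXPORT suites use 512-bit DH / 40-bit ciphers (e.g. DHE_RSA_EXPORT)."""
    return "_EXPORT" in suite


def first_index(suites: List[str], pred) -> Optional[int]:
    return next((i for i, s in enumerate(suites) if pred(s)), None)


def audit_cipher_order(suites: List[str]) -> Dict[str, object]:
    export = [s for s in suites if is_export(s)]
    first_export = first_index(suites, is_export)
    first_strong = first_index(suites, lambda s: not is_export(s))
    first_dhe = first_index(suites, lambda s: key_exchange(s) == "DHE" and not is_export(s))
    first_ecdhe = first_index(suites, lambda s: key_exchange(s) == "ECDHE")

    # Server-side ordering approximates which suite the peers would pick on
    # their own: EXPORT ranked first -> passive offline attack, no workaround
    # but removal; EXPORT ranked below strong suites -> an active MITM must
    # rewrite the hellos (the Handshake Timeout mitigation applies there).
    if not export:
        exposure = "none"
    elif first_strong is None or first_export < first_strong:
        exposure = "passive"
    else:
        exposure = "active-downgrade"

    dhe_before_ecdhe = first_dhe is not None and (first_ecdhe is None or first_dhe < first_ecdhe)
    findings = []
    if export:
        findings.append("EXPORT suites enabled; disable them in the Client SSL profile")
    if dhe_before_ecdhe:
        findings.append("DHE preferred over ECDHE; reorder suites to prefer ECDHE")
    return {"export_suites": export, "exposure": exposure,
            "dhe_before_ecdhe": dhe_before_ecdhe, "findings": findings}


# Constructed sample profiles (not real BIG-IP configurations).
WEAK_PROFILE = ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
                "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA"]
HARDENED_PROFILE = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]
```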
CPE | Name | Operator | Version
---|---|---|---
 | big-ip afm | eq | 11.3.0
 | big-ip afm | eq | 11.4.0
 | big-ip afm | eq | 11.4.1
 | big-ip afm | eq | 11.5.0
 | big-ip afm | eq | 11.5.1
 | big-ip afm | eq | 11.5.2
 | big-ip afm | eq | 11.5.3
 | big-ip afm | eq | 11.5.4
 | big-ip afm | eq | 11.6.0
 | big-ip afm | eq | 11.6.1