OpenSSL vulnerability CVE-2015-1788

2015-07-09T03:51:00
ID F5:K16938
Type f5
Reporter f5
Modified 2017-03-14T22:06:00

Description

F5 Product Development has assigned ID 527630 (BIG-IP and BIG-IQ), ID 531974 (Enterprise Manager), and ID 410742 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM | 11.0.0 - 11.6.0<br>10.1.0 - 10.2.4 | 12.0.0<br>11.5.4<br>11.6.0 HF6<br>11.5.3 HF2<br>11.4.1 HF10<br>11.2.1 HF15 | Severe | Data plane:<br>Client SSL profile: Client Authentication set to 'Require' or 'Request'<br>Server SSL profile: Default configuration and SSL Forward Proxy configuration<br>Control plane:<br>Apache: Only when configured for client authentication
BIG-IP AAM | 11.4.0 - 11.6.0 | 12.0.0<br>11.5.4<br>11.6.0 HF6<br>11.5.3 HF2<br>11.4.1 HF10 | Severe | Data plane:<br>Client SSL profile: Client Authentication set to 'Require' or 'Request'<br>Server SSL profile: Default configuration and SSL Forward Proxy configuration<br>Control plane:<br>Apache: Only when configured for client authentication*
BIG-IP AFM | 11.3.0 - 11.6.0 | 12.0.0<br>11.5.4<br>11.6.0 HF6<br>11.5.3 HF2<br>11.4.1 HF10 | Severe | Data plane:<br>Client SSL profile: Client Authentication set to 'Require' or 'Request'<br>Server SSL profile: Default configuration and SSL Forward Proxy configuration<br>Control plane:<br>Apache: Only when configured for client authentication
BIG-IP Analytics | 11.0.0 - 11.6.0 | 12.0.0<br>11.5.4<br>11.6.0 HF6<br>11.5.3 HF2<br>11.4.1 HF10<br>11.2.1 HF15 | Severe | Control plane:<br>Apache: Only when configured for client authentication
BIG-IP APM | 11.0.0 - 11.6.0<br>10.1.0 - 10.2.4 | 12.0.0<br>11.5.4<br>11.6.0 HF6<br>11.5.3 HF2<br>11.4.1 HF10<br>11.2.1 HF15 | Severe | Data plane: Authenticating users with an access policy on-demand certificate agent<br>Client SSL profile: Client Authentication set to 'Require' or 'Request'**<br>Server SSL profile: Default configuration and SSL Forward Proxy configuration<br>Control plane: Apache: Only when configured for client authentication
BIG-IP ASM | 11.0.0 - 11.6.0<br>10.0.0 - 10.2.4 | 12.0.0<br>11.5.4<br>11.6.0 HF6<br>11.5.3 HF2<br>11.4.1 HF10<br>11.2.1 HF15 | Severe | Data plane:<br>Client SSL profile: Client Authentication set to 'Require' or 'Request'<br>Server SSL profile: Default configuration and SSL Forward Proxy configuration<br>Control plane:<br>Apache: Only when configured for client authentication
BIG-IP DNS | None | 12.0.0 | Not Vulnerable | None
BIG-IP Edge Gateway | 11.0.0 - 11.3.0<br>10.1.0 - 10.2.4 | 11.2.1 HF15 | Severe | Data plane:<br>Client SSL profile: Client Authentication set to 'Require' or 'Request'<br>Server SSL profile: Default configuration and SSL Forward Proxy configuration<br>Control plane:<br>Apache: Only when configured for client authentication
BIG-IP GTM | 11.0.0 - 11.6.0<br>10.0.0 - 10.2.4 | 11.6.0 HF6<br>11.5.4<br>11.5.3 HF2<br>11.4.1 HF10<br>11.2.1 HF15 | Severe | Control plane:<br>Apache: Only when configured for client authentication
BIG-IP GTM | 11.5.0 - 11.6.0<br>11.1.0 | 11.6.0 HF6<br>11.5.4<br>11.5.3 HF2<br>11.4.1 HF10<br>11.2.0 - 11.4.0<br>10.1.0 - 10.2.4 | Low | Control plane:<br>gtmd: When acting as a client to peer systems<br>big3d: When acting as a server to peer systems
BIG-IP Link Controller | 11.0.0 - 11.6.0<br>10.0.0 - 10.2.4 | 12.0.0<br>11.5.4<br>11.6.0 HF6<br>11.5.3 HF2<br>11.4.1 HF10<br>11.2.1 HF15 | Severe | Control plane:<br>Apache: Only when configured for client authentication*
BIG-IP PEM | 11.3.0 - 11.6.0 | 12.0.0<br>11.5.4<br>11.6.0 HF6<br>11.5.3 HF2<br>11.4.1 HF10 | Severe | Data plane:<br>Client SSL profile: Client Authentication set to 'Require' or 'Request'<br>Server SSL profile: Default configuration and SSL Forward Proxy configuration<br>Control plane:<br>Apache: Only when configured for client authentication
BIG-IP PSM | 11.0.0 - 11.4.1<br>10.0.0 - 10.2.4 | 11.4.1 HF10<br>11.2.1 HF15 | Severe | Data plane:<br>Client SSL profile: Client Authentication set to 'Require' or 'Request'<br>Server SSL profile: Default configuration and SSL Forward Proxy configuration<br>Control plane:<br>Apache: Only when configured for client authentication
BIG-IP WebAccelerator | 11.0.0 - 11.3.0<br>10.0.0 - 10.2.4 | 11.2.1 HF15 | Severe | Data plane:<br>Client SSL profile: Client Authentication set to 'Require' or 'Request'<br>Server SSL profile: Default configuration and SSL Forward Proxy configuration<br>Control plane:<br>Apache: Only when configured for client authentication*
BIG-IP WOM | 11.0.0 - 11.3.0<br>10.0.0 - 10.2.4 | 11.2.1 HF15 | Severe | Data plane:<br>Client SSL profile: Client Authentication set to 'Require' or 'Request'<br>Server SSL profile: Default configuration and SSL Forward Proxy configuration<br>Control plane:<br>Apache: Only when configured for client authentication*
ARX | 6.0.0 - 6.4.0 | None | Medium | GUI
Enterprise Manager | 3.0.0 - 3.1.1 HF4<br>2.1.0 - 2.3.0 | 3.1.1 HF5 | Severe | OpenSSL
FirePass | None | 7.0.0<br>6.0.0 - 6.1.0 | Not Vulnerable | None
BIG-IQ Cloud | 4.0.0 - 4.5.0 | 4.5.0 HF3 | Severe | OpenSSL
BIG-IQ Device | 4.2.0 - 4.5.0 | 4.5.0 HF3 | Severe | OpenSSL
BIG-IQ Security | 4.0.0 - 4.5.0 | 4.5.0 HF3 | Severe | OpenSSL
BIG-IQ ADC | 4.5.0 | 4.5.0 HF3 | Severe | OpenSSL
LineRate | None | 2.5.0 - 2.6.0 | Not Vulnerable | None
F5 WebSafe | None | 1.0.0 | Not Vulnerable | None
Traffix SDC | None | 4.0.0 - 4.1.0<br>3.3.2 - 3.5.1 | Not Vulnerable | None

*Apache is not configured to support client authentication, by default, on the BIG-IP system.

**The Client Authentication setting of "ignore" does not expose the vulnerability.

***BIG-IP Edge Client-initiated connections are vulnerable only when connecting to a malicious server that is representing itself as a BIG-IP APM system.

iOS devices using the BIG-IP Edge Client 2.0.5 or 2.0.6 are vulnerable in the described scenario.
Android devices using any version of the BIG-IP Edge Client are vulnerable in the described scenario.
Windows phone devices using the BIG-IP Edge Client are not vulnerable, as OpenSSL is not used.
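The table and footnote ** make the data-plane exposure for Client SSL profiles configuration-dependent: only profiles with Client Authentication set to 'Require' or 'Request' are exposed, while 'ignore' is not. The following script is an added example for inventorying that setting; it is not part of the F5 article and not an F5-supplied tool. It assumes that the GUI's Client Authentication setting corresponds to the tmsh attribute `peer-cert-mode` on `ltm profile client-ssl` (values `ignore`, `require`, `request`), and it parses a constructed copy of that command's output rather than querying a live system.

```shell
#!/bin/sh
# Added example, not from the F5 article: list Client SSL profiles whose
# Client Authentication (tmsh attribute peer-cert-mode, assumed mapping) is
# 'require' or 'request', i.e. the setting the table marks as exposed.
# 'ignore' is not exposed (footnote **) and is therefore not reported.

# Constructed sample of what `tmsh list ltm profile client-ssl peer-cert-mode`
# prints. On a real BIG-IP, pipe the live command into the function instead.
SAMPLE_TMSH_OUTPUT='ltm profile client-ssl clientssl {
    peer-cert-mode ignore
}
ltm profile client-ssl app_mtls {
    peer-cert-mode require
}
ltm profile client-ssl portal_optional_cert {
    peer-cert-mode request
}
ltm profile client-ssl wildcard_default {
    peer-cert-mode ignore
}'

# Reads tmsh output on stdin and prints one exposed profile name per line.
# The profile name is taken from the "ltm profile client-ssl <name> {" header
# and emitted when the following peer-cert-mode line is require or request.
exposed_clientssl_profiles() {
    awk '
        $1 == "ltm" && $2 == "profile" && $3 == "client-ssl" { name = $4 }
        $1 == "peer-cert-mode" && ($2 == "require" || $2 == "request") {
            print name
        }
    '
}

# Counts exposed profiles; a non-zero result means the data-plane exposure
# described in the table applies to this configuration.
count_exposed_clientssl_profiles() {
    exposed_clientssl_profiles | grep -c .
}

# Stand-alone run against the constructed sample.
# Live usage: tmsh list ltm profile client-ssl peer-cert-mode | exposed_clientssl_profiles
printf '%s\n' "$SAMPLE_TMSH_OUTPUT" | exposed_clientssl_profiles
```

The check only narrows which Client SSL profiles carry the exposure; the table also lists the Server SSL profile in its default configuration and Apache with client authentication, neither of which this inventory covers, and the upgrade or hotfix from the "Versions known to be not vulnerable" column remains the fix.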

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in K4602: Overview of the F5 security vulnerability response policy.

To mitigate this vulnerability for the BIG-IP system, you should be aware of the following: