OpenSSL vulnerability CVE-2016-2178

2016-07-15T02:43:00
ID F5:K53084033
Type f5
Reporter f5
Modified 2018-04-25T21:04:00

Description

F5 Product Development has assigned IDs 598002, 600189, 600198, and 600205 (BIG-IP), ID 600379 (BIG-IQ), ID 611336 (F5 iWorkflow), ID 600381 (Enterprise Manager), LRS-60816 (LineRate), ID 528809 (FirePass), and ID 410742 (ARX) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H53084033, H53084033-1, and H53084033-2 on the Diagnostics > Identified > Low page.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5<br>11.2.1<br>10.2.1 - 10.2.4 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, OpenSSL, and OpenSSH²
BIG-IP LTM | 12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.5.0 - 11.5.5 | 13.0.0<br>12.1.2 HF1 - 12.1.3<br>11.6.1 HF2 - 11.6.2<br>11.5.6 | Low | iAppsLX and f5-rest-node
BIG-IP LTM | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5<br>11.2.1<br>10.2.1 - 10.2.4 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | big3d
BIG-IP AAM | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, OpenSSL, and OpenSSH²
BIG-IP AAM | 12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.5.0 - 11.5.5 | 13.0.0<br>12.1.2 HF1 - 12.1.3<br>11.6.1 HF2 - 11.6.2<br>11.5.6 | Low | iAppsLX and f5-rest-node
BIG-IP AAM | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | big3d
BIG-IP AFM | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, OpenSSL, and OpenSSH²
BIG-IP AFM | 12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.5.0 - 11.5.5 | 13.0.0<br>12.1.2 HF1 - 12.1.3<br>11.6.1 HF2 - 11.6.2<br>11.5.6 | Low | iAppsLX and f5-rest-node
BIG-IP AFM | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | big3d
BIG-IP Analytics | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5<br>11.2.1 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, OpenSSL, and OpenSSH²
BIG-IP Analytics | 12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.5.0 - 11.5.5 | 13.0.0<br>12.1.2 HF1 - 12.1.3<br>11.6.1 HF2 - 11.6.2<br>11.5.6 | Low | iAppsLX and f5-rest-node
BIG-IP Analytics | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5<br>11.2.1 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | big3d
BIG-IP APM | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5<br>11.2.1<br>10.2.1 - 10.2.4 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, OpenSSL, and OpenSSH²
BIG-IP APM | 12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.5.0 - 11.5.5 | 13.0.0<br>12.1.2 HF1 - 12.1.3<br>11.6.1 HF2 - 11.6.2<br>11.5.6 | Low | iAppsLX and f5-rest-node
BIG-IP APM | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5<br>11.2.1<br>10.2.1 - 10.2.4 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | big3d
BIG-IP ASM | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5<br>11.2.1<br>10.2.1 - 10.2.4 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, OpenSSL, and OpenSSH²
BIG-IP ASM | 12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.5.0 - 11.5.5 | 13.0.0<br>12.1.2 HF1 - 12.1.3<br>11.6.1 HF2 - 11.6.2<br>11.5.6 | Low | iAppsLX and f5-rest-node
BIG-IP ASM | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5<br>11.2.1<br>10.2.1 - 10.2.4 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | big3d
BIG-IP DNS | 13.0.0<br>12.0.0 - 12.1.2 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3 | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, OpenSSL, and OpenSSH²
BIG-IP DNS | 12.0.0 - 12.1.2 | 13.0.0<br>12.1.2 HF1 - 12.1.3 | Low | iAppsLX and f5-rest-node
BIG-IP DNS | 13.0.0<br>12.0.0 - 12.1.2 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3 | Low | big3d
BIG-IP Edge Gateway | 11.2.1<br>10.2.1 - 10.2.4 | None | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, f5-rest-node, big3d, OpenSSL, and OpenSSH²
BIG-IP GTM | 11.6.0 - 11.6.1<br>11.4.0 - 11.5.5<br>11.2.1<br>10.2.1 - 10.2.4 | 11.6.2<br>11.5.6 | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, OpenSSL, and OpenSSH²
BIG-IP GTM | 11.6.0 - 11.6.1<br>11.5.0 - 11.5.5 | 11.6.1 HF2 - 11.6.2<br>11.5.6 | Low | iAppsLX and f5-rest-node
BIG-IP GTM | 11.6.0 - 11.6.1<br>11.4.0 - 11.5.5<br>11.2.1<br>10.2.1 - 10.2.4 | 11.6.2<br>11.5.6 | Low | big3d
BIG-IP Link Controller | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5<br>11.2.1<br>10.2.1 - 10.2.4 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, OpenSSL, and OpenSSH²
BIG-IP Link Controller | 12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.5.0 - 11.5.5 | 13.0.0<br>12.1.2 HF1 - 12.1.3<br>11.6.1 HF2 - 11.6.2<br>11.5.6 | Low | iAppsLX and f5-rest-node
BIG-IP Link Controller | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5<br>11.2.1<br>10.2.1 - 10.2.4 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | big3d
BIG-IP PEM | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, OpenSSL, and OpenSSH²
BIG-IP PEM | 12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.5.0 - 11.5.5 | 13.0.0<br>12.1.2 HF1 - 12.1.3<br>11.6.1 HF2 - 11.6.2<br>11.5.6 | Low | iAppsLX and f5-rest-node
BIG-IP PEM | 13.0.0<br>12.0.0 - 12.1.2<br>11.6.0 - 11.6.1<br>11.4.0 - 11.5.5 | 13.0.0 HF1 - 13.1.0<br>12.1.2 HF1 - 12.1.3<br>11.6.2<br>11.5.6 | Low | big3d
BIG-IP PSM | 11.4.0 - 11.4.1<br>10.2.1 - 10.2.4 | None | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, f5-rest-node, big3d, OpenSSL, and OpenSSH²
BIG-IP WebAccelerator | 11.2.1<br>10.2.1 - 10.2.4 | None | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, f5-rest-node, big3d, OpenSSL, and OpenSSH²
BIG-IP WOM | 11.2.1<br>10.2.1 - 10.2.4 | None | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, f5-rest-node, big3d, OpenSSL, and OpenSSH²
ARX | 6.2.0 - 6.4.0 | None | Low | OpenSSL
Enterprise Manager | 3.1.1 | None | Low | OpenSSH, HTTPD, big3d
FirePass | 7.0.0 | None | Low | OpenSSL
BIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | OpenSSH, Nginx, big3d
BIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | OpenSSH, Nginx, big3d
BIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | OpenSSH, Nginx, big3d
BIG-IQ ADC | 4.5.0 | None | Low | OpenSSH, Nginx, big3d
BIG-IQ Centralized Management | 5.0.0 - 5.4.0 | None | Low | OpenSSH, Nginx, big3d
BIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | OpenSSH, Nginx, big3d
F5 iWorkflow | 2.0.0 - 2.3.0 | None | Low | OpenSSH, f5-rest-node, OpenSSL
LineRate | 2.5.0 - 2.6.1 | None | Low | OpenSSL (SSL profiles, NodeJS when using SSL, REST API), OpenSSH
F5 MobileSafe | None | 1.0.0 | Not vulnerable | None
F5 WebSafe | 1.0.0 | None | Low | Data plane:<br>SSL profiles and all other TLS/SSL functionality provided by TMM¹<br>Control plane:<br>HTTPS monitors, Configuration utility, f5-rest-node, iAppsLX, OpenSSL, and OpenSSH²
Traffix SDC | None | 5.0.0<br>4.0.0 - 4.4.0 | Not vulnerable | None

¹ Only BIG-IP Virtual Edition (VE) is affected for these features/components, and only if they are configured to use DSA signatures. By default, DSA keys are not used on the BIG-IP system.

² These features/components are vulnerable only when configured with DSA keys. By default, DSA keys are not used on the BIG-IP system.

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

Mitigation

BIG-IP

To mitigate this vulnerability, you can avoid using DSA keys on the affected system.
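As a check for this mitigation, the following Python (an added example, not code from the F5 article) classifies key material by algorithm so that any DSA keys can be inventoried and replaced. It handles OpenSSH public-key lines (`ssh-dss`, as found in authorized_keys and host-key files), traditional OpenSSL PEM headers, and PKCS#8 / SubjectPublicKeyInfo PEM by reading the algorithm OID from the DER; the PKCS#8 sample it carries is constructed with dummy parameters and is not a usable key.

```python
import base64
import re

# Algorithm OIDs carried in the AlgorithmIdentifier of PKCS#8 and SubjectPublicKeyInfo blobs.
_KEY_OIDS = {"1.2.840.10040.4.1": "DSA", "1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC"}
_SSH_TYPES = {"ssh-dss": "DSA", "ssh-rsa": "RSA", "ssh-ed25519": "Ed25519"}
_PEM = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END", re.S)

def _tlv(buf, pos):  # read one DER tag-length-value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):  # DER OID contents -> dotted string
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [str(val)], 0
    return ".".join(parts)

def _der_key_algorithm(der):  # algorithm of a PKCS#8 PrivateKeyInfo or SubjectPublicKeyInfo
    _, body, _ = _tlv(der, 0)  # outer SEQUENCE
    tag, val, pos = _tlv(body, 0)
    if tag == 0x02:  # PKCS#8 starts with INTEGER version; SPKI starts with AlgorithmIdentifier
        tag, val, pos = _tlv(body, pos)
    _, oid, _ = _tlv(val, 0)  # first element of AlgorithmIdentifier is the algorithm OID
    return _KEY_OIDS.get(_decode_oid(oid), "unknown")

def key_algorithm(text):  # 'DSA' is the answer this advisory's mitigation says to avoid
    first = text.strip().split(" ")[0]  # OpenSSH public-key / authorized_keys / host-key line
    if first in _SSH_TYPES:
        return _SSH_TYPES[first]
    m = _PEM.search(text)
    label = m.group(1) if m else ""
    if label in ("DSA PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"):
        return label.split(" ")[0]  # traditional OpenSSL PEM headers name the algorithm
    if label in ("PRIVATE KEY", "PUBLIC KEY"):  # PKCS#8 / SPKI: the algorithm OID is in the DER
        return _der_key_algorithm(base64.b64decode("".join(m.group(2).split())))
    return "unknown"

def _der(tag, content):  # short-form DER encoder, used only to build the constructed sample
    return bytes([tag, len(content)]) + content

# Constructed sample: a PKCS#8 shell carrying the DSA OID and dummy parameters (not a real key).
SAMPLE_PKCS8_DSA = "-----BEGIN PRIVATE KEY-----\n" + base64.b64encode(_der(0x30,
    _der(0x02, b"\x00") + _der(0x30, _der(0x06, bytes.fromhex("2a8648ce380401")) + _der(0x30, b""))
    + _der(0x04, _der(0x02, b"\x05")))).decode() + "\n-----END PRIVATE KEY-----\n"
```

Certificates, `ENCRYPTED PRIVATE KEY` and `OPENSSH PRIVATE KEY` blobs are reported as `unknown` by this check; inspect those with `openssl x509 -noout -text` or `ssh-keygen -l -f <file>` instead.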

LineRate

To mitigate this vulnerability, you can avoid using DSA ciphers on the affected system.