F5F5:K5533K5533 : Potential protocol version rollback vulnerability in OpenSSL - CVE-2005-2969
5.6 Medium
AI Score
Confidence
High
Security Advisory Description
Note: For information about signing up to receive security notice updates from F5, refer to K9970: Subscribing to email notifications regarding F5 products.
Note: Versions that are not listed in this Solution have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5 security vulnerability response policy.
F5 products and versions that have been evaluated for this Security Advisory
| Product | Affected | Not Affected |
|---|---|---|
| BIG-IP LTM | 9.0.0 - 9.1.0 | |
| 9.2.0 | 9.1.1 - 9.1.3 | |
| 9.2.2 - 9.2.5 | ||
| 9.3.x | ||
| 9.4.x | ||
| 9.6.x | ||
| 10.x | ||
| 11.x | ||
| BIG-IP GTM | None | 9.2.2 - 9.2.5 |
| 9.3.x | ||
| 9.4.x | ||
| 10.x | ||
| 11.x | ||
| BIG-IP ASM | 9.2.0 | 9.2.2 - 9.2.5 |
| 9.3.x | ||
| 9.4.x | ||
| 10.x | ||
| 11.x | ||
| BIG-IP Link Controller | None | 9.2.2 - 9.2.5 |
| 9.3.x | ||
| 9.4.x | ||
| 10.x | ||
| 11.x | ||
| BIG-IP WebAccelerator | None | 9.4.x |
| 10.x | ||
| 11.x | ||
| BIG-IP PSM | None | 9.4.x |
| 10.x | ||
| 11.x | ||
| BIG-IP WAN Optimization | None | 10.x |
| 11.x | ||
| BIG-IP APM | None | 10.x |
| 11.x | ||
| BIG-IP Edge Gateway | None | 10.x |
| 11.x | ||
| BIG-IP Analytics | None | 11.x |
| BIG-IP AFM | None | 11.x |
| BIG-IP PEM | None | 11.x |
| FirePass | 3.x | |
| 4.x | ||
| 5.x | 6.x | |
| 7.x | ||
| Enterprise Manager | None | 1.2.0 - 1.8.0 |
| 2.x | ||
| 3.x |
It is possible that customers using non-default SSL options could be exposed to this vulnerability in the BIG-IP LTM Configuration utility, SSL terminating virtual servers, and bundled utilities.
F5 tracked this problem as CR55070, CR55145, CR55203, CR55204, CR55283, CR55426, CR55588, and CR63465, and it was fixed in BIG-IP version 9.1.1, BIG-IP version 9.2.2, and FirePass version 6.0.0. For information about upgrading, refer to the release notes for your product and version.
Obtaining and installing patches
BIG-IP LTM version 9.0.4
To download and install the patch, perform the following steps:
-
From the F5 Downloads page, download the Hotfix-BIG-IP-9.0.4-CR55070.im file to the**/var/tmp** directory on the BIG-IP LTM system.
-
Install the patch by typing the following command:
im Hotfix-BIG-IP-9.0.4-CR55070.im
BIG-IP LTM version 9.0.5
To download and install the patch, perform the following steps:
-
From the F5 Downloads page, download the Hotfix-BIG-IP-9.0.5-CR55070.im file to the**/var/tmp** directory on the BIG-IP LTM system.
-
Install the patch by typing the following command:
im Hotfix-BIG-IP-9.0.5-CR55070.im
BIG-IP LTM version 9.1.0
To download and install the patch, perform the following steps:
-
From the F5 Downloads page, download the Hotfix-BIG-IP-9.1.0-CR55070.im file to the**/var/tmp** directory on the BIG-IP LTM system.
-
Install the patch by typing the following command:
im Hotfix-BIG-IP-9.1.0-CR55070.im
BIG-IP LTM version 9.2.0
To download and install the patch, perform the following steps:
-
From the F5 Downloads page, download the Hotfix-BIG-IP-9.2.0-CR55070.im file to the**/var/tmp** directory on the BIG-IP LTM system.
-
Install the patch by typing the following command:
im Hotfix-BIG-IP-9.2.0-CR55070.im
Workarounds
FirePass versions 5.0.0 through 5.5.1
To protect FirePass against the possibility of a protocol version rollback attack, disable all protocols weaker than SSLv3/TLS using the following procedure:
-
Log in to the FirePass Administrative Console.
-
In the main navigation pane, select Device Management.
-
In the upper navigation pane, select Security.
-
In the sub-menu, select User Access Security.
-
Select the Accept only SSLv3 and TLS protocols (maximize security) check box.
-
Click the Update button.
Related
