Note: For information about signing up to receive security notice updates from F5, refer to K9970: Subscribing to email notifications regarding F5 products.
Note: Versions that are not listed in this Solution have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5 security vulnerability response policy.
F5 products and versions that have been evaluated for this Security Advisory
Product | Affected | Not Affected
BIG-IP LTM | 9.0.0 - 9.1.2
9.2.0 - 9.2.3 | 9.1.3
9.2.4 - 9.2.5
BIG-IP GTM | 9.2.2 - 9.2.3 | 9.2.4 - 9.2.5
BIG-IP ASM | 9.2.0 - 9.2.3 | 9.2.4 - 9.2.5
BIG-IP Link Controller | 9.2.2 - 9.2.3 | 9.2.4 - 9.2.5
BIG-IP WebAccelerator | None | 9.4.x
BIG-IP PSM | None | 9.4.5 - 9.4.8
BIG-IP WAN Optimization | None | 10.x
BIG-IP APM | None | 10.x
BIG-IP Edge Gateway | None | 10.x
BIG-IP Analytics | None | 11.x
BIG-IP AFM | None | 11.x
| None | 11.x
FirePass | 5.4.2 - 5.5.1
6.0.0 | 5.5.2
6.0.1 - 6.0.3
Enterprise Manager | 1.0.0 - 1.2.0 | 1.2.1 - 1.8
This security advisory describes an OpenSSL signature vulnerability. Forged RSA signatures may be accepted during client certificate validations when the certificates are signed by certain Certificate Authority (CA). This flaw could potentially cause F5 products to accept maliciously crafted client certificates as valid. Customers using client certificate authentication are vulnerable.
Information about this advisory is available at the following locations:
F5 Product Development tracked this issue as CR69440 and it was fixed in BIG-IP LTM version 9.1.3. For information about upgrading, refer to the BIG-IP LTM release notes.
F5 Product Development tracked this issue as CR69463 and it was fixed in BIG-IP LTM, GTM, ASM and Link Controller version 9.2.4. For information about upgrading, refer to the LTM, GTM, ASM, or Link Controller release notes.
F5 Product Development tracked this issue as CR69441 and it was fixed in BIG-IP LTM, GTM, ASM and Link Controller version 9.4.0. For information about upgrading, refer to the LTM, GTM, ASM, or Link Controller release notes.
F5 Product Development tracked this issue as CR69489 and it was fixed in FirePass versions 5.5.2 and 6.0.1. For information about upgrading, refer to the FirePass release notes.
F5 Product Development tracked this issue as CR69465 and it was fixed in Enterprise Manager version 1.2.1. For information about upgrading, refer to the Enterprise Manager release notes.
Obtaining and installing patches
F5 Product Development has determined this to be a remotely exploitable vulnerability for BIG-IP LTM, BIG-IP GTM, BIG-IP Link Controller, 3-DNS, FirePass, and Enterprise Manager. F5 has made version-specific patches available that address the CRs for the BIG-IP LTM, BIG-IP GTM, BIG-IP Link Controller, 3-DNS, FirePass, and Enterprise Manager products. You can download these patches from the F5 Downloads page for the following products and versions:
Product | Version | Hotfix | Installation File
BIG-IP LTM, GTM,
and Link Controller | 9.1.0
9.2.3 | hotfix-cr69440 | Hotfix-BIG-IP-9.1.0-CR69440.im
3-DNS | 4.5.12
4.6.4 | hotfix-vu845620 | openssl-so_nx-1.0-6-BSD_OS-4.1.im
FirePass | 5.4.2
6.0.0 | hotfix-cr69489 | HF-55325-56696-65044-67295-69489-69510-1-5.42-ALL-0.tar.gz.enc
Enterprise Manager | 1.2.0 | hotfix-cr69465 | Hotfix-EM-1.2.0-CR69465.im
Note: For more information about installing the hotfixes listed above, refer to the readme file on the F5 Downloads site for your version-specific hotfix.
Important: The openssl-so_nx-1.0-6-BSD_OS-4.1.im patch supercedes the openssl-so_nx-1.0-7-BSD_OS-4.1.im patch. If the openssl-so_nx-1.0-7-BSD_OS-4.1.im patch has already been installed, you will need to use the -force option when installing the openssl-so_nx-1.0-6-BSD_OS-4.1.im patch.
For information about how to download software, refer to K167: Downloading software from F5.