Mar 27, 2013 - 12:00 a.m.

K8106 : OpenSSL SSL_get_shared_ciphers vulnerability CVE-2007-5135

my.f5.com

AI Score: 9.6 (Confidence: High)

EPSS: 0.964 (Percentile: 99.6%)

Security Advisory Description

Note: For information about signing up to receive security notice updates from F5, refer to K9970: Subscribing to email notifications regarding F5 products.

Note: Versions that are not listed in this article have not been evaluated for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5 security vulnerability response policy.

F5 products and versions that have been evaluated for this Security Advisory

| Product | Affected | Not Affected |
| --- | --- | --- |
| BIG-IP LTM | 9.1.3, 9.3.0, 9.4.2 - 9.4.4 | 9.0.0 - 9.1.3, 9.2.x, 9.3.1, 9.4.5 - 9.4.8, 9.6.x, 10.x, 11.x; 9.0.0 - 9.1.2*, 9.2.x*, 9.4.0 - 9.4.1* |
| BIG-IP GTM | 9.3.0, 9.4.2 - 9.4.4 | 9.2.x, 9.3.1, 9.4.5 - 9.4.8, 10.x, 11.x; 9.2.x*, 9.4.0 - 9.4.1* |
| BIG-IP ASM | 9.3.0, 9.4.2 - 9.4.4 | 9.2.x, 9.3.1, 9.4.5 - 9.4.8, 10.x, 11.x; 9.2.x*, 9.4.0 - 9.4.1* |
| BIG-IP Link Controller | 9.3.0, 9.4.2 - 9.4.4 | 9.2.x, 9.3.1, 9.4.5 - 9.4.8, 10.x, 11.x; 9.2.x*, 9.4.0 - 9.4.1* |
| BIG-IP WebAccelerator | 9.4.2 - 9.4.4 | 9.4.5 - 9.4.8, 10.x, 11.x; 9.4.0 - 9.4.1* |
| BIG-IP PSM | None | 9.4.5 - 9.4.8, 10.x, 11.x |
| BIG-IP WAN Optimization | None | 10.x, 11.x |
| BIG-IP APM | None | 10.x, 11.x |
| BIG-IP Edge Gateway | None | 10.x, 11.x |
| BIG-IP Analytics | None | 11.x |
| BIG-IP AFM | None | 11.x |
| BIG-IP PEM | None | 11.x |
| FirePass | None | 3.x, 4.x, 5.x, 6.x, 7.x |
| Enterprise Manager | 1.4.0 - 1.4.1 | 1.6.0 - 1.8.0, 2.x, 3.x; 1.0.0 - 1.2.2* |

Vulnerability description and product information

F5 Product Development has determined that the BIG-IP and Enterprise Manager products use a vulnerable version of OpenSSL; however, the vulnerable code is not used in either TMM or in Apache on the BIG-IP system. The vulnerability is considered to be a local vulnerability and cannot be exploited remotely.

F5 Product Development has determined that the FirePass product does not use the OpenSSL SSL_get_shared_ciphers functionality and is not vulnerable to the vulnerability described in this security advisory.

Information about this advisory is available at the following locations:

<https://vulners.com/cve/CVE-2007-5135>

<http://www.openssl.org/news/secadv_20071012.txt>

Note: The previous links take you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.

F5 Product Development tracked this issue as CR87335 for the BIG-IP LTM, GTM, ASM, Link Controller and WebAccelerator version 9.3 software branch and it was fixed in version 9.3.1. For more information about upgrading, refer to the BIG-IP LTM, GTM, ASM, and Link Controller release notes.

F5 Product Development tracked this issue as CR87358 for the BIG-IP LTM, GTM, ASM, Link Controller and WebAccelerator version 9.4 software branch and it was fixed in version 9.4.5. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, Link Controller and WebAccelerator release notes.

Additionally, this issue was fixed in Hotfix HF1 issued for BIG-IP 9.4.4. You may download this hotfix or later versions of the Hotfix from the F5 Downloads site.

F5 Product Development tracked this issue as CR87358 for Enterprise Manager and it was fixed in version 1.6.0. For information about upgrading, refer to the Enterprise Manager release notes.

For information about downloading software, refer to K167: Downloading software and firmware from F5.

For information about the F5 hotfix policy, refer to K4918: Overview of the F5 critical issue hotfix policy.

For information about how to manage F5 product hotfixes, refer to K6845: Managing F5 product hotfixes.