OpenSSL vulnerability CVE-2016-2107

2016-05-07T03:39:00
ID F5:K93600123
Type f5
Reporter f5
Modified 2018-04-20T21:49:00

Description

CVE-2016-2107 is a padding-oracle flaw in OpenSSL's AES-NI accelerated AES-CBC code paths (fixed upstream in OpenSSL 1.0.1t and 1.0.2h). A man-in-the-middle attacker can use it to decrypt traffic on connections that negotiate an AES-CBC cipher suite, which is why only AES-NI-capable platforms and the OpenSSL-backed COMPAT cipher stack are affected.

F5 Product Development has assigned IDs 591042, 591325, 591327, 591328, and 591329 (BIG-IP), ID 594024 (BIG-IQ and F5 iWorkflow), ID 594030 (Enterprise Manager), ID 500324 (ARX), and LRS-60732 (LineRate) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H591062-2 on the Diagnostics > Identified > Medium page.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
 | 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.0 - 11.5.4 | 13.0.0, 12.1.2 HF1, 11.6.1 HF1, 11.5.4 HF3 | Medium | iAppsLX¹ (f5-rest-node)
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Big3D¹
BIG-IP AAM | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
 | 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.0 - 11.5.4 | 13.0.0, 12.1.2 HF1, 11.6.1 HF1, 11.5.4 HF3 | Medium | iAppsLX¹ (f5-rest-node)
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Big3D¹
BIG-IP AFM | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
 | 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.0 - 11.5.4 | 13.0.0, 12.1.2 HF1, 11.6.1 HF1, 11.5.4 HF3 | Medium | iAppsLX¹ (f5-rest-node)
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Big3D¹
BIG-IP Analytics | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
 | 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.0 - 11.5.4 | 13.0.0, 12.1.2 HF1, 11.6.1 HF1, 11.5.4 HF3 | Medium | iAppsLX¹ (f5-rest-node)
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Big3D¹
BIG-IP APM | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
 | 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.0 - 11.5.4 | 13.0.0, 12.1.2 HF1, 11.6.1 HF1, 11.5.4 HF3 | Medium | iAppsLX¹ (f5-rest-node)
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Big3D¹
 | 11.4.0 - 11.6.1, 11.2.1, 10.2.1 - 10.2.4 | 13.0.0, 12.0.0 - 12.1.2, 11.6.1 HF2 | Medium | Oracle SDK for OAM
BIG-IP ASM | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
 | 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.0 - 11.5.4 | 13.0.0, 12.1.2 HF1, 11.6.1 HF1, 11.5.4 HF3 | Medium | iAppsLX¹ (f5-rest-node)
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Big3D¹
BIG-IP DNS | 12.0.0 - 12.1.1 | 13.0.0, 12.1.2 | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 12.0.0 - 12.1.1 | 13.0.0, 12.1.2 | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
 | 12.0.0 - 12.1.2 | 13.0.0, 12.1.2 HF1 | Medium | iAppsLX¹ (f5-rest-node)
 | 12.0.0 - 12.1.1 | 13.0.0, 12.1.2 | Medium | Big3D¹
BIG-IP Edge Gateway | 11.2.1, 10.2.1 - 10.2.4 | None | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 11.2.1, 10.2.1 - 10.2.4 | None | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
BIG-IP GTM | 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 11.6.1 HF1, 11.5.4 HF3 | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 11.6.1 HF1, 11.5.4 HF3 | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
 | 11.6.0 - 11.6.1, 11.5.0 - 11.5.4 | 11.6.1 HF1, 11.5.4 HF3 | Medium | iAppsLX¹ (f5-rest-node)
 | 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 11.6.1 HF1, 11.5.4 HF3 | Medium | Big3D¹
BIG-IP Link Controller | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
 | 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.0 - 11.5.4 | 13.0.0, 12.1.2 HF1, 11.6.1 HF1, 11.5.4 HF3 | Medium | iAppsLX¹ (f5-rest-node)
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4, 11.2.1, 10.2.1 - 10.2.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Big3D¹
BIG-IP PEM | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
 | 12.0.0 - 12.1.2, 11.6.0 - 11.6.1, 11.5.0 - 11.5.4 | 13.0.0, 12.1.2 HF1, 11.6.1 HF1, 11.5.4 HF3 | Medium | iAppsLX¹ (f5-rest-node)
 | 12.0.0 - 12.1.1, 11.6.0 - 11.6.1, 11.4.0 - 11.5.4 | 13.0.0, 12.1.2, 11.6.1 HF1, 11.5.4 HF3 | Medium | Big3D¹
BIG-IP PSM | 11.4.0 - 11.4.1, 11.2.1, 10.2.1 - 10.2.4 | None | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 11.4.0 - 11.4.1, 11.2.1, 10.2.1 - 10.2.4 | None | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
 | 11.4.0 - 11.4.1, 11.2.1, 10.2.1 - 10.2.4 | None | Medium | Big3D¹
BIG-IP WebAccelerator | 11.2.1, 10.2.1 - 10.2.4 | None | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 11.2.1, 10.2.1 - 10.2.4 | None | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
 | 11.2.1, 10.2.1 - 10.2.4 | None | Medium | Big3D¹
BIG-IP WOM | 11.2.1, 10.2.1 - 10.2.4 | None | Medium | Control Plane¹: SSL/TLS ciphers, OpenSSL, OpenSSH, IPSec², iRulesLX
 | 11.2.1, 10.2.1 - 10.2.4 | None | Medium | Data Plane¹: COMPAT SSL/TLS ciphers
 | 11.2.1, 10.2.1 - 10.2.4 | None | Medium | Big3D¹
ARX | 6.2.0 - 6.4.0 | None | Medium | OpenSSL (when accessing the ARX management IP)
Enterprise Manager | None | 3.1.1 | Not vulnerable | None
FirePass | None | 7.0.0 | Not vulnerable | None
BIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Medium | OpenSSL¹
BIG-IQ Device | 4.2.0 - 4.5.0 | None | Medium | OpenSSL¹
BIG-IQ Security | 4.0.0 - 4.5.0 | None | Medium | OpenSSL¹
BIG-IQ ADC | 4.5.0 | None | Medium | OpenSSL¹
BIG-IQ Centralized Management | 5.0.0, 4.6.0 | 5.1.0 | Medium | OpenSSL¹
BIG-IQ Cloud and Orchestration | 1.0.0 | None | Medium | OpenSSL¹
F5 iWorkflow | 2.0.0 | 2.0.1 | Medium | OpenSSL¹
LineRate | 2.2.0 - 2.6.1 | 2.0 - 2.1, 1.6.3 | High | OpenSSL
F5 WebSafe | None | 1.0.0 | Not vulnerable | None
Traffix SDC | None | 4.0.0 - 4.4.0, 3.3.2 - 3.5.1 | Not vulnerable | None

¹ Only F5 platforms with AES-NI support in the CPU are vulnerable. Virtual Edition (VE) installations may or may not be vulnerable, depending on the underlying CPU and hypervisor support for AES-NI instructions. The following hardware platforms are vulnerable:

  • BIG-IP appliances: 2000s (C112), 2200s (C112), 4000s (C113), 4200v (C113), 5000s (C109), 5050s (C109), 5200v (C109), 5250v (C109), 5250v FIPS (C109), 7000s (D110), 7050s (D110), 7200v (D110), 7200v FIPS (D110), 7250v (D110), 10000s (D113), 10050s (D113), 10055s (D113), 10150s NEBS (D112), 10200v (D113), 10200v FIPS (D113), 10200v SSL (D113), 10250v (D113), 10255v (D113), 10350v (D112), 10350v NEBS (D112), 11050 NEBS (E102), and 12250v (D111)
  • VIPRION blades: B2250 (A112), B4300 (A108), and B4340N NEBS (A110)

² IPsec is vulnerable only in IKE phase 1 (racoon), and only if it is configured to use AES-CBC.

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

BIG-IP

To mitigate this vulnerability, you should consider the following recommendations:

If SSL profiles are configured to use COMPAT ciphers (the OpenSSL-backed cipher stack), consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack, which does not go through the vulnerable OpenSSL code. For information about the NATIVE and COMPAT ciphers, refer to the F5 knowledge base articles on those cipher stacks.

To mitigate this vulnerability for IPsec implementations, restrict access to the IPsec tunnel to minimize exposure, and/or consider using an IKE phase 1 encryption algorithm other than AES so that the vulnerable code path is not used.

Impact of workaround: F5 recommends that you test any such changes in an appropriate environment.

To minimize risk, access to the management interface should be restricted to minimize exposure to control-plane daemons.

To confirm support for AES-NI, on any running platform, perform the following procedure:

  1. Log in to the BIG-IP command line.
  2. Determine CPU support for AES-NI instructions by typing the following command:

cat /proc/cpuinfo | grep '^flags' | grep aes

If nothing is returned, the CPU does not support AES-NI and the system is therefore not vulnerable. If the flags line does list aes, the system is exposed if it is also running a vulnerable version and is using one of the affected components.
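The following script, added here as an illustration and not part of F5's advisory or tooling, combines the checks above into shell functions that can be run on a BIG-IP command line or, for review, against saved copies of the relevant output. It assumes (none of this is stated in the advisory): the hotfix level is supplied as a separate "HFn" argument; a release later than a listed "not vulnerable" release on the same branch is treated as fixed; only the BIG-IP LTM control-plane row of the table is encoded; and SSL profile cipher settings have been saved from `tmsh list ltm profile client-ssl ciphers` (or `server-ssl`) to a file, with the sample output below constructed rather than captured from a real system.

```shell
#!/bin/sh
# Added example (not F5 tooling): triage helpers for CVE-2016-2107 on BIG-IP.
# Assumptions: hotfix level passed as "HFn"; a release at or above a listed
# fixed release on the same branch counts as fixed; only the LTM control-plane
# row of the advisory table is encoded; tmsh output is read from a saved file.

# Footnote 1 check: does the CPU advertise AES-NI ("aes" in the flags line)?
# Reads /proc/cpuinfo unless a file is given, so it can be run against a copy.
cpuinfo_has_aesni() {
    grep '^flags' "${1:-/proc/cpuinfo}" | grep -qw aes
}

# Encode "major.minor.patch" plus an optional "HFn" as one integer so that
# releases and hotfixes can be compared with plain -lt / -ge.
vernum() {
    hf=$(printf '%s' "${2:-HF0}" | tr -dc '0-9')
    printf '%s\n' "$1" | awk -F. -v hf="${hf:-0}" \
        '{ printf "%d\n", (($1 * 100 + $2) * 100 + $3) * 1000 + hf }'
}

# Map a BIG-IP LTM version (and hotfix) to the table's control-plane row.
# Prints vulnerable, fixed, or unlisted. Other rows differ (for example the
# iAppsLX row is only fixed at 12.1.2 HF1), so check your own product row.
ltm_control_plane_status() {
    v=$(vernum "$1" "$2")
    if   [ "$v" -ge "$(vernum 12.1.2)" ];     then echo fixed       # 12.1.2, 13.0.0
    elif [ "$v" -ge "$(vernum 12.0.0)" ];     then echo vulnerable  # 12.0.0 - 12.1.1
    elif [ "$v" -ge "$(vernum 11.6.1 HF1)" ]; then echo fixed       # 11.6.1 HF1
    elif [ "$v" -ge "$(vernum 11.6.0)" ];     then echo vulnerable  # 11.6.0 - 11.6.1
    elif [ "$v" -ge "$(vernum 11.5.4 HF3)" ]; then echo fixed       # 11.5.4 HF3
    elif [ "$v" -ge "$(vernum 11.4.0)" ];     then echo vulnerable  # 11.4.0 - 11.5.4
    elif [ "$v" -ge "$(vernum 11.2.1)" ] && [ "$v" -lt "$(vernum 11.2.2)" ]; then
        echo vulnerable                                             # 11.2.1
    elif [ "$v" -ge "$(vernum 10.2.1)" ] && [ "$v" -lt "$(vernum 10.2.5)" ]; then
        echo vulnerable                                             # 10.2.1 - 10.2.4
    else echo unlisted
    fi
}

# Parse saved "tmsh list ltm profile client-ssl ciphers" (or server-ssl)
# output and print the names of profiles whose cipher string uses COMPAT,
# the OpenSSL-backed stack named in the Data Plane row of the table.
compat_profiles() {
    awk '$1 == "ltm" && $2 == "profile" && ($3 == "client-ssl" || $3 == "server-ssl") { name = $4 }
         $1 == "ciphers" && $2 ~ /COMPAT/ { print name }' "$1"
}

# Constructed samples (not captured from a real system) so the helpers can
# be exercised without a BIG-IP at hand.
demo_dir=$(mktemp -d)
cat > "$demo_dir/cpuinfo" <<'EOF'
processor : 0
flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca sse sse2 ssse3 aes
EOF
cat > "$demo_dir/ssl-profiles.txt" <<'EOF'
ltm profile client-ssl clientssl {
    ciphers DEFAULT
}
ltm profile client-ssl legacy-ssl {
    ciphers COMPAT:!ADH:!EXPORT:!LOW
}
ltm profile server-ssl serverssl {
    ciphers DEFAULT
}
EOF

if cpuinfo_has_aesni "$demo_dir/cpuinfo"; then echo "AES-NI: yes"; else echo "AES-NI: no"; fi
for v in "11.5.4 HF2" "11.5.4 HF3" 12.1.1 12.1.2 11.3.0; do
    set -- $v
    echo "LTM $v: $(ltm_control_plane_status "$1" "$2")"
done
echo "Profiles using COMPAT: $(compat_profiles "$demo_dir/ssl-profiles.txt")"
rm -rf "$demo_dir"
```

On a live BIG-IP, call `cpuinfo_has_aesni` with no argument to read /proc/cpuinfo directly, and save the tmsh cipher listing to a file before passing it to `compat_profiles`. A system is exposed only when all three checks line up: AES-NI present, a version in the vulnerable range, and an affected component (such as a COMPAT profile or the control-plane daemons) in use.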

BIG-IQ/Enterprise Manager

To minimize risk, you should restrict access to the management interface to minimize exposure to control-plane daemons.

ARX

To mitigate this vulnerability, you should permit access to the ARX GUI only over a secure network.

LineRate

To mitigate this vulnerability, you can disable AES-NI processor support in the BIOS or hypervisor.

Impact of workaround: System performance will be negatively impacted by disabling this feature.