SOL11503 - BIND 9 vulnerability CVE-2009-0265

BIND 9.6.0 and earlier does not properly check the return value from the OpenSSL EVP_VerifyFinal function, which allows remote attackers to bypass validation of the certificate chain via a malformed SSL/TLS signature.

Information about this advisory is available at the following locations:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0265&gt;

F5 Product Development tracked this issue as CR114792 and and it was fixed in BIG-IP 10.0.1 and Enterprise Manager 2.0.0. For information about upgrading, refer to the BIG-IP LTM, ASM, GTM, PSM, Link Controller, WebAccelerator, APM, or WOM release notes.

Additionally, this issue was fixed in BIGIP-10.0.0-5514.0-HF2 which was released for BIG-IP 10.0.0. You may download this hotfix or later versions of the hotfix from the F5 Downloads site.

F5 Product Development is tracking this issue as ID 294064 (formerly CR114792) and CR115215 for WANJet, Enterprise Manager, FirePass and the BIG-IP 9.3, 9.4 and 9.6 software branches.

This is a similar vulnerability to CVE-2008-5077 and CVE-2009-0025. For information about CVE-2008-5077, refer to SOL9762: OpenSSL vulnerability - CVE-2008-5077. For information about CVE-2009-0025, refer to SOL9754: BIND 9 vulnerability CVE-2009-0025.

To view a list of the latest available hotfixes, refer to SOL9502: BIG-IP hotfix matrix.

For information about installing a hotfix, refer to SOL10025: Managing F5 product hotfixes for BIG-IP 10.x systems.

For information about the F5 hotfix policy, refer to SOL4918: Overview of F5 critical issue hotfix policy.