SOL11533 - OpenSSL vulnerability CVE-2010-0740

The ssl3_get_record function inssl/s3_pkt.c in OpenSSL 0.9.8f through 0.9.8m allows remote attackers to cause a denial of service (crash) via a malformed record in a TLS connection that triggers a NULL pointer de-reference, related to the minor version number.

Information about this advisory is available at the following location:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0740&gt;

F5 Product Development tracked this issue as CR139154 and it was fixed in Enterprise Manager 2.1.0. For information about upgrading, refer to the Enterprise Manager release notes.

F5 Product Development tracked this issue as ID 38353 and it was fixed in ARX 5.2.0. For information about upgrading, refer to the ARX release notes.

F5 Product Development tracked this issue as CR139154, and it was fixed in BIG-IP 10.2.0. For information about upgrading, refer to the BIG-IP LTM, ASM, GTM, PSM, Link Controller, WebAccelerator, APM, WAN Optimization, or Edge Gateway release notes.

Additionally, this issue was fixed in BIGIP-10.1.0 HF1 issued for BIG-IP 10.1.0. You may download this hotfix or later versions of the hotfix from the F5 Downloads site.

To view a list of the latest available hotfixes, refer to SOL9502: BIG-IP hotfix matrix.

For information about the F5 hotfix policy, refer to SOL4918: Overview of F5 critical issue hotfix policy.

For information about managing F5 product hotfixes, refer to SOL10025: Managing F5 product hotfixes for BIG-IP 10.x systems.

For information about installing 10.x hotfixes on a partitioned system, refer to SOL9819: Installing a BIG-IP version 10.x hotfix on a partitioned system.** **