May 24, 2011 - 12:00 a.m.

SOL12853 - OpenSSL vulnerability CVE-2008-7270

support.f5.com

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

EPSS: 0.023 Low (Percentile: 88.4%)

F5 Product Development has determined that these specific product versions are not vulnerable to the OpenSSL session cache issue indicated by CVE-2008-7270. While these product versions may allow a client to change the ciphersuite on a subsequent connection, the system allows the client to change to only a cipher that the server has enabled. F5 Product Development has declared that this is intended behavior and that the behavior does not introduce a security implication.

However, these product versions use a version of OpenSSL that is affected by this vulnerability when the OpenSSL version is compiled and configured differently than the way F5 compiles and configures it. As a result, Nessus or other vulnerability scanners may incorrectly report these listed product versions as vulnerable to CVE-2008-7270. Nessus plugin 51892 looks beyond the banner string and actually verifies the behavior. While the plugin shows that the client can change the cipher, the client cannot change it to a disallowed cipher.

Vulnerability description

OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.
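The distinction drawn above, between a client changing to an enabled cipher and a client ending up on a disabled one, can be modelled as a small decision function plus a triage step for scanner findings. This is an added example, not F5 or OpenSSL code; the three policies, the function names and the sample cipher list are assumptions constructed for illustration.

```python
from enum import Enum

class Policy(Enum):
    STRICT = "resumed session must keep its cached cipher"
    ENABLED_ONLY = "cipher may change, but only to a server-enabled one"
    UNCHECKED = "cipher may change without consulting the enabled list"

def resume(policy, enabled, cached, requested):
    """Model: cipher used on the resumed session, or None if resumption is not allowed."""
    if requested == cached:
        return cached
    if policy is Policy.STRICT:
        return None
    if policy is Policy.ENABLED_ONLY:
        # Behaviour the advisory describes for the listed product versions.
        return requested if requested in enabled else None
    # UNCHECKED: the condition described in the CVE-2008-7270 text.
    return requested

def triage(enabled, cached, resumed):
    """Classify what a behaviour-testing scanner observed on resumption."""
    if resumed is None:
        return "resumption refused"
    if resumed == cached:
        return "cipher unchanged"
    if resumed in enabled:
        return "changed to enabled cipher: not CVE-2008-7270"
    return "changed to DISABLED cipher: consistent with CVE-2008-7270"

# Constructed sample configuration (not taken from any F5 product).
ENABLED = {"AES256-SHA", "AES128-SHA"}
CACHED = "AES256-SHA"

def report():
    """Run every policy against an enabled and a disabled requested cipher."""
    rows = {}
    for policy in Policy:
        for requested in ("AES128-SHA", "EXP-RC4-MD5"):
            resumed = resume(policy, ENABLED, CACHED, requested)
            rows[(policy.name, requested)] = triage(ENABLED, CACHED, resumed)
    return rows

if __name__ == "__main__":
    for key, verdict in report().items():
        print(key, "->", verdict)
```

When the requested cipher is enabled, the ENABLED_ONLY and UNCHECKED models produce the same observation, so a finding of "cipher changed on resumption" has to be checked against the server's enabled cipher list before it is treated as CVE-2008-7270.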

Information about this advisory is available at the following location:

Note: This link takes you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7270>
