4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.023 Low
EPSS
Percentile
88.4%
However, these product versions use a version of OpenSSL that is affected by this vulnerability when the OpenSSL version is compiled and configured differently than the way F5 compiles and configures it. As a result, Nessus or other vulnerability scanners may incorrectly report these listed product versions as vulnerable to CVE-2008-7270. Nessus plugin 51892 looks beyond the banner string and actually verifies the behavior. While the plugin shows that the client can change the cipher, the client cannot change it to a disallowed cipher.
Vulnerability description
OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.
Information about this advisory is available at the following location:
Note: This link takes you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-7270>