However, these product versions use a version of OpenSSL that is affected by this vulnerability when the OpenSSL version is compiled and configured differently than the way F5 compiles and configures it. As a result, Nessus or other vulnerability scanners may incorrectly report these listed product versions as vulnerable to CVE-2008-7270. Nessus plugin 51892 looks beyond the banner string and actually verifies the behavior. While the plugin shows that the client can change the cipher, the client cannot change it to a disallowed cipher.
OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.
Information about this advisory is available at the following location:
Note: This link takes you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.