Important: For the hotfixes noted previously, the included version of OpenSSL has not been changed. F5 has patched the existing version of OpenSSL to resolve this vulnerability. As a result, on a patched BIG-IP system, the OpenSSL version is still OpenSSL 1.0.1e-fips. For more information about installed hotfix versions, refer to SOL13123: Managing BIG-IP product hotfixes (11.x).
BIG-IP Edge Client fixes
This issue has been fixed for BIG-IP Edge Clients for Windows, Mac OS, and Linux in BIG-IP APM 11.5.1 HF2, and 11.5.0 HF3. This issue has also been fixed for BIG-IP Edge Clients for Windows, Mac OS, and Linux in an engineering hotfix in other BIG-IP APM versions. You can obtain the engineering hotfix by contacting F5 Technical Support and referencing this article number and the associated ID number. Note that engineering hotfixes are intended to resolve a specific software issue until a suitable minor release, maintenance release, or cumulative hotfix rollup release is available that includes the software fix. For more information, refer to SOL8986: F5 software lifecycle policy.
You can eliminate this vulnerability by running a version listed in the Versions known to be not vulnerable column. If the Versions known to be not vulnerable column does not list a version that is higher than the version you are running, then no upgrade candidate currently exists.
Upgrading to a version known to be not vulnerable, or taking steps to mitigate this vulnerability, does not eliminate possible damage that may have already occurred as a result of this vulnerability. After upgrading to a version that is known to be not vulnerable, consider the following components that may have been compromised by this vulnerability:
SSL profile certificate/key pairs
The BIG-IP SSL profiles may reference SSL certificate/key pairs that were compromised. For information about creating new SSL certificate/key pairs for SSL profiles, refer to the following articles:
SOL14534: Creating SSL certificates and keys with OpenSSL (11.x)
SOL13579: Generating new default certificate and key pairs for BIG-IP SSL profiles
BIG-IP device certificate/key pairs
The BIG-IP system may have a device certificate/key pair that was compromised. For information about creating new SSL certificate/key pairs, refer to the following articles:
Important: After you generate a new device certificate and private key pair, you will need to re-establish device trusts. In addition, the device certificates are used for GTM sync groups and Enterprise Manager monitoring. As a result, you will need to recreate the GTM sync groups and rediscover devices managed by Enterprise Manager.
CMI certificate/key pairs
The BIG-IP system may have a CMI certificate/key pair (used for device group communication and synchronization) that was compromised. To regenerate the CMI certificate/key pairs on devices in a device group, and rebuild the device trust, perform the following procedure:
Impact of procedure: F5 recommends that you perform this procedure during a maintenance window. This procedure causes the current device to lose connectivity with all other BIG-IP devices. Depending on the device group and traffic group configuration, the connectivity loss may result in an unintentional active-active condition that causes a traffic disruption. To prevent a standby device from going active, set the standby device in the device group to Force Offline before performing the procedure. Standby devices that were set to Force Offline should be set to Release Offline after performing the procedure.
Repeat this procedure for each device in the device group.
After you complete the device trust reset on all devices, set up the device trust by performing the procedures described in the following articles:
The big3d process
The BIG-IP system may have a vulnerable version of the big3d process under the following conditions:
Affected big3d versions
The following big3d versions are affected by this vulnerability:
big3d version 188.8.131.52.0.221 for Linux
big3d version 184.108.40.206.0.227 for Linux
big3d version 220.127.116.11.0.110 for Linux
For information about checking the big3d version currently installed on the system and installing updated big3d versions on managed systems, refer to the following article:
BIG-IP maintenance and user passwords
The maintenance and user passwords used to access the BIG-IP system may have been compromised. For information about changing user passwords, refer to the following documentation:
Mitigating this vulnerability
To mitigate this vulnerability, you should consider the following recommendations:
If SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles:
Important: The following DevCentral article contains additional information about using iRules to assist in mitigating this vulnerability when terminating TLS traffic on back-end servers. F5 does not officially support the iRules in the following article, and information in the article does not represent a fix for the vulnerability. * DevCentral article: OpenSSL HeartBleed, CVE-2014-0160 * SOL14783: Overview of the Client SSL profile (11.x) * SOL12463: Overview of F5 Edge products * SOL13757: BIG-IP Edge Client version matrix * SOL9970: Subscribing to email notifications regarding F5 products * SOL9957: Creating a custom RSS feed to view new and updated documents * SOL4602: Overview of the F5 security vulnerability response policy * SOL4918: Overview of the F5 critical issue hotfix policy * SOL167: Downloading software and firmware from F5 * SOL13123: Managing BIG-IP product hotfixes (11.x) * SOL10025: Managing BIG-IP product hotfixes (10.x) * SOL9502: BIG-IP hotfix matrix * SOL10322: FirePass hotfix matrix