SOL15325 - OpenSSL vulnerability CVE-2014-0224

Published: Jun 05, 2014
Source: support.f5.com (F5 article SOL15325)

CVSS3: 7.4 High (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: NONE

CVSS2: 5.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:N)
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE

EPSS: 0.974 High (percentile 99.9%)

| Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature |
|---|---|---|---|
| BIG-IP LTM | 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP AAM | 11.4.0 - 11.5.1 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP AFM | 11.3.0 - 11.5.1 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP Analytics | 11.0.0 - 11.5.1 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP APM | 11.0.0 - 11.5.1, 10.1.0 - 10.2.4 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP ASM | 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP DNS | None | 12.0.0 | None |
| BIG-IP Edge Gateway | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP GTM | 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.2.1 HF15 | Host-initiated SSL connections |
| BIG-IP Link Controller | 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP PEM | 11.3.0 - 11.5.1 | 11.5.1 HF3, 11.5.0 HF4 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP PSM | 11.0.0 - 11.4.1, 10.0.0 - 10.2.4 | 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP WebAccelerator | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP WOM | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| ARX | None | 6.0.0 - 6.4.0 | None |
| Enterprise Manager | 2.0.0 - 2.3.0 | None | Host-initiated SSL connections |
| FirePass | 7.0.0, 6.0.0 - 6.1.0 | None | Host-initiated SSL connections |
| BIG-IQ Cloud | 4.0.0 - 4.3.0 | None | Host-initiated SSL connections |
| BIG-IQ Device | 4.2.0 - 4.3.0 | None | Host-initiated SSL connections |
| BIG-IQ Security | 4.0.0 - 4.3.0 | None | Host-initiated SSL connections |
| LineRate | 2.3.0 - 2.3.1, 2.2.0 - 2.2.4, 1.6.0 - 1.6.3 | None | Host-initiated SSL connections |
| Client-side components | | | |
| BIG-IP Edge Clients for Linux | 6035 - 7071 | 7101.2014.0612.*, 7100.2014.0612.*, 7091.2014.0612.*, 7090.2014.0612.*, 7080.2014.0624.* | VPN |
| BIG-IP Edge Client for MAC OS X | 6035 - 7071 | 7101.2014.0612.*, 7100.2014.0612.*, 7091.2014.0612.*, 7090.2014.0612.*, 7080.2014.0624.* | VPN |
| BIG-IP Edge Client for Windows | 7101.* - 7101.2014.0611.*, 7100.* - 7100.2014.0611.*, 7091.* - 7091.2014.0611.*, 7090.* - 7090.2014.0611.*, 7080.* - 7080.2014.0623.*, 6035 - 7071 | 7101.2014.0612.1847, 7100.2014.0612.1847, 7091.2014.0612.1950, 7090.2014.0612.1853, 7080.2014.0624.2054 | VPN (DTLS Only) |
| BIG-IP Edge Client for iOS | 2.0.0 - 2.0.2, 1.0.5 - 1.0.6 | 2.0.3 | VPN |
| BIG-IP Edge Client for Android | 2.0.1 - 2.0.4 | 2.0.5 | VPN |

Vulnerability Recommended Actions

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

Important: F5 has created an engineering hotfix to address this issue for FirePass 7.0. You can obtain the engineering hotfix by contacting F5 Technical Support and referencing this article number. For more information, refer to SOL8986: F5 software life cycle policy.

F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.

Mitigating this vulnerability

To mitigate this vulnerability, you should consider the following recommendations:

  • Consider denying access to the Configuration utility and using only the command line and Traffic Management Shell (tmsh) until the BIG-IP system is updated. If that is not possible, F5 recommends that you access the Configuration utility over only a secure network.
  • If SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles:
    • SOL13163: SSL ciphers supported on BIG-IP platforms (11.x - 12.x)
    • SOL13171: Configuring the cipher strength for SSL profiles (11.x)
    • SOL13187: COMPAT SSL ciphers are no longer included in standard cipher strings
  • Limit traffic between the BIG-IP system and pool members to trusted traffic.
  • Verify that servers with which the F5 device communicates (such as pool members) are not using vulnerable OpenSSL versions.
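The COMPAT-cipher recommendation above is easier to act on when you can see which profiles actually pull the COMPAT stack in, including profiles that inherit their cipher string through `defaults-from`. The following script is an added example for this advisory, not F5's code and not part of the original article. It parses output shaped like `tmsh list ltm profile client-ssl` and `tmsh list ltm profile server-ssl` and reports every profile whose effective cipher string enables COMPAT (a `!COMPAT` exclusion does not count). Server SSL profiles are included because they govern the BIG-IP side of connections to pool members (see SOL14806 below). The tmsh output layout, the `ciphers` and `defaults-from` property names, the `tmsh modify ... ciphers` remediation syntax and the `DEFAULT` cipher string are reproduced from memory and should be treated as assumptions to confirm on your own system; the profile names and values in the sample are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample shaped like `tmsh list ltm profile client-ssl` followed by
# `tmsh list ltm profile server-ssl` (layout is an assumption; real dumps carry
# many more properties per profile).
SAMPLE_TMSH_OUTPUT = """\
ltm profile client-ssl legacy-compat {
    ciphers COMPAT:!SSLv2:!EXPORT
    defaults-from clientssl
}
ltm profile client-ssl mixed-stack {
    ciphers DEFAULT:+COMPAT
    defaults-from clientssl
}
ltm profile client-ssl native-only {
    ciphers DEFAULT:!SSLv3:!COMPAT
    defaults-from clientssl
}
ltm profile client-ssl inherits-parent {
    defaults-from legacy-compat
}
ltm profile client-ssl from-builtin {
    defaults-from clientssl
}
ltm profile server-ssl pool-backend {
    ciphers compat
    defaults-from serverssl
}
"""

BLOCK_RE = re.compile(r"^ltm profile (client-ssl|server-ssl) (\S+) \{\n(.*?)^\}",
                      re.M | re.S)
CIPHERS_RE = re.compile(r"^\s*ciphers\s+(\S+)", re.M)
PARENT_RE = re.compile(r"^\s*defaults-from\s+(\S+)", re.M)


@dataclass
class Profile:
    kind: str                # "client-ssl" or "server-ssl"
    name: str
    ciphers: Optional[str]   # None when the profile inherits its cipher string
    parent: Optional[str]    # defaults-from target, if any


def parse_profiles(text: str) -> List[Profile]:
    """Split tmsh list output into one record per SSL profile."""
    profiles = []
    for kind, name, body in BLOCK_RE.findall(text):
        ciphers = CIPHERS_RE.search(body)
        parent = PARENT_RE.search(body)
        profiles.append(Profile(kind, name,
                                ciphers.group(1) if ciphers else None,
                                parent.group(1) if parent else None))
    return profiles


def references_compat(cipher_string: str) -> bool:
    """True when the string enables COMPAT. OpenSSL-style tokens: '!' excludes,
    '-' removes, '+' only reorders, so bare or '+COMPAT' enables the stack."""
    for token in re.split(r"[:,\s]+", cipher_string):
        if not token or token[0] in "!-":
            continue
        if token.lstrip("+").upper() == "COMPAT":
            return True
    return False


def effective_ciphers(profile: Profile,
                      by_key: Dict[Tuple[str, str], Profile]) -> Optional[str]:
    """Follow defaults-from until a profile sets its own cipher string; None if
    the chain leaves the dump (a built-in like clientssl) or loops."""
    seen = set()
    cur: Optional[Profile] = profile
    while cur is not None and cur.name not in seen:
        seen.add(cur.name)
        if cur.ciphers is not None:
            return cur.ciphers
        cur = by_key.get((cur.kind, cur.parent)) if cur.parent else None
    return None


def audit(text: str) -> Dict[str, List[str]]:
    """Group profile names into 'compat', 'clean' and 'unresolved'."""
    profiles = parse_profiles(text)
    by_key = {(p.kind, p.name): p for p in profiles}
    findings: Dict[str, List[str]] = {"compat": [], "clean": [], "unresolved": []}
    for p in profiles:
        eff = effective_ciphers(p, by_key)
        if eff is None:
            findings["unresolved"].append(p.name)
        elif references_compat(eff):
            findings["compat"].append(p.name)
        else:
            findings["clean"].append(p.name)
    return findings


def suggest_fix(kind: str, name: str, new_ciphers: str = "DEFAULT") -> str:
    """tmsh command to move a profile off COMPAT (syntax and cipher string are
    assumptions; choose the NATIVE cipher string your clients actually need)."""
    return f"tmsh modify ltm profile {kind} {name} ciphers {new_ciphers}"


if __name__ == "__main__":
    result = audit(SAMPLE_TMSH_OUTPUT)
    for p in parse_profiles(SAMPLE_TMSH_OUTPUT):
        if p.name in result["compat"]:
            print(f"{p.kind}/{p.name}: COMPAT in effect -> {suggest_fix(p.kind, p.name)}")
    print("inherit from a profile outside the dump, check the parent:", result["unresolved"])
```

Profiles reported as unresolved inherit from a parent that is not in the dump (typically the built-in `clientssl` or `serverssl`), so their effective ciphers have to be read from that parent before deciding whether a change is needed.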

Supplemental Information

  • For more information about SSL profiles, refer to the following articles:
    • SOL14783: Overview of the Client SSL profile (11.x - 12.x)
    • SOL14806: Overview of the Server SSL profile (11.x - 12.x)
  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL17329: BIG-IP GTM name has changed to BIG-IP DNS
