SOL15461 - OpenSSL vulnerability CVE-2011-4619

Recommended Action

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists.

Note: SGC certificates are considered obsolete and are typically used only to support 128-bit SSL in browsers released before the year 2000.

BIG-IP 11.x

To mitigate this vulnerability on virtual servers, you can configure your SSL profile to use the NATIVE cipher suite. To do so, refer to SOL13171 referenced in the Supplemental Information section below. You may also avoid using SGC Certificates.

To mitigate this vulnerability in the BIG-IP Configuration utility you can avoid using SGC certificates.

BIG-IP 10.x

To mitigate this vulnerability on virtual servers, you can configure your SSL profile to use the NATIVE cipher suite. To do so, refer to SOL7815 referenced in the Supplemental Information section below. You may also avoid using SGC Certificates.

To mitigate this vulnerability in the BIG-IP Configuration utility you can avoid using SGC certificates.

**Enterprise Manager **

To mitigate this vulnerability in the Enterprise Manger Configuration utility you can avoid using SGC certificates.

ARX

To mitigate this vulnerability in the ARX GUI you can avoid using SGC certificates.

Supplemental Information

• SOL4949: Configuring BIG-IP LTM to use a Step-Up or Server Gated Cryptography (SGC) certificate
• SOL8802: Using SSL ciphers with BIG-IP Client SSL and Server SSL profiles
• SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)
• SOL13171: Configuring the cipher strength for SSL profiles (11.x)
• SOL9970: Subscribing to email notifications regarding F5 products
• SOL9957: Creating a custom RSS feed to view new and updated documents
• SOL4602: Overview of the F5 security vulnerability response policy
• SOL167: Downloading software and firmware from F5