SOL15564 - TLS vulnerability CVE-2014-3511

1 If you are planning to upgrade to BIG-IP APM 11.5.1 HF6 to mitigate this issue, you should instead upgrade to 11.5.1 HF7 to avoid an issue specific to BIG-IP APM. For more information, refer to SOL15914: The tmm process may restart and produce a core file after BIG-IP APM systems are upgraded.

Vulnerability Recommended Actions

BIG-IP 11.x

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

To mitigate this vulnerability for virtual servers, you can disable all TLS1 protocols in the SSL profile. To do so, perform the following procedure:

Impact of procedure: The following procedure should not have a negative impact on your system.

1. Log in to the Configuration utility as the administrative user.
2. For Server SSL profiles, navigate to Local Traffic >Profiles>SSL>Server.

For Client SSL profiles, navigate to Local Traffic >** Profiles** >SSL>Client.

3. Open the SSL Server profile you want to modify.
4. Under Options Listin theAvailable Ciphers, highlight theNoTLSv1 option and clickEnable.
5. To complete the change, click Update.
6. Repeat this procedure for all Server and Client SSL profiles.

To mitigate this vulnerability for the Configuration utility, you can disable all TLS1 protocols for** httpd**. To do so, perform the following procedure:

**Impact of procedure:** Some browsers, such as Mozilla Firefox, may fail to connect to the Configuration utility with TLS1 ciphers disabled. Â

1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

2. Before you change the SSL cipher string, you should review the existing string for your specific BIG-IP version. To list the currently configured cipher string, type the following command:

list /sys httpd ssl-ciphersuite

For example, the BIG-IP 11.5.1 system displays the following cipher string:

ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2

3. To restrict Configuration utility access from clients using TLS1, type the following command with the !TLSv1cipher exclusion appended:

modify /sys httpd ssl-ciphersuite ‘ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!TLSv1’

4. Save the configuration change by typing the following command:

save /sys config

5. Restart the httpd process by typing the following command:

restart /sys service httpd

Supplemental Information

• SOL9970: Subscribing to email notifications regarding F5 products
• SOL9957: Creating a custom RSS feed to view new and updated documents
• SOL4602: Overview of the F5 security vulnerability response policy
• SOL4918: Overview of the F5 critical issue hotfix policy
• SOL167: Downloading software and firmware from F5
• SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)