1 If you are planning to upgrade to BIG-IP APM 11.5.1 HF6 to mitigate this issue, you should instead upgrade to 11.5.1 HF7 to avoid an issue specific to BIG-IP APM. For more information, refer to SOL15914: The tmm process may restart and produce a core file after BIG-IP APM systems are upgraded.
Vulnerability Recommended Actions
If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.
To mitigate this vulnerability for virtual servers, you can disable all TLS1 protocols in the SSL profile. To do so, perform the following procedure:
Impact of procedure: The following procedure should not have a negative impact on your system.
For Client SSL profiles, navigate to Local Traffic > Profiles > SSL > Client.
To mitigate this vulnerability for the Configuration utility, you can disable all TLS1 protocols for httpd. To do so, perform the following procedure:
Impact of procedure: Some browsers, such as Mozilla Firefox, may fail to connect to the Configuration utility with TLS1 ciphers disabled.
list /sys httpd ssl-ciphersuite
For example, the BIG-IP 11.5.1 system displays the following cipher string:
modify /sys httpd ssl-ciphersuite 'ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:!TLSv1'
save /sys config
restart /sys service httpd
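The httpd procedure above can be scripted as an audit step. The following is an added example, not F5's own code: the function names are hypothetical, the shape of the `list /sys httpd ssl-ciphersuite` output is an assumption, and the sample input is constructed from the `modify` command shown above with `:!TLSv1` removed.

```bash
#!/usr/bin/env bash
# Read tmsh "list /sys httpd ssl-ciphersuite" output and print the commands
# needed to exclude TLSv1 ciphers, or report that nothing needs to change.

# Pull the cipher string out of the tmsh output on stdin.
# Assumed shape: a line of the form "ssl-ciphersuite <string>".
extract_ciphersuite() {
    awk '$1 == "ssl-ciphersuite" { gsub(/^"|"$/, "", $2); print $2; exit }'
}

# Exit 0 only if the colon-separated string has the exact token !TLSv1
# (a token such as !TLSv1.2 does not count).
excludes_tlsv1() {
    case ":$1:" in
        *':!TLSv1:'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the string with :!TLSv1 appended, unless it is already excluded.
harden_ciphersuite() {
    if [ -z "$1" ]; then
        echo "empty cipher string" >&2
        return 2
    fi
    if excludes_tlsv1 "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s:!TLSv1\n' "${1%:}"   # drop a stray trailing colon first
    fi
}

# stdin: tmsh list output. stdout: tmsh commands to run, or a no-op comment.
plan_commands() {
    local current hardened
    current=$(extract_ciphersuite) || return 2
    hardened=$(harden_ciphersuite "$current") || return 2
    if [ "$current" = "$hardened" ]; then
        echo "# already excludes TLSv1; no change needed"
        return 0
    fi
    printf "modify /sys httpd ssl-ciphersuite '%s'\n" "$hardened"
    echo "save /sys config"
    echo "restart /sys service httpd"
}

# Constructed sample input (not captured from a real system).
SAMPLE='sys httpd {
    ssl-ciphersuite ALL:!ADH:!EXPORT:!eNULL:!MD5:!DES:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2
}'
printf '%s\n' "$SAMPLE" | plan_commands
```

Running the planner a second time against the modified configuration prints only the no-op comment, which makes it usable as a recurring compliance check.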