
SOL15702 - SSLv3 vulnerability CVE-2014-3566

Published: 2014-10-14 00:00:00 (source: support.f5.com)

CVSS3: 3.4 Low (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N)
Attack Vector: NETWORK | Attack Complexity: HIGH | Privileges Required: NONE | User Interaction: REQUIRED | Scope: CHANGED | Confidentiality Impact: LOW | Integrity Impact: NONE | Availability Impact: NONE

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: NONE | Availability Impact: NONE

EPSS: 0.975 High (percentile 100.0%)

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

  • BIG-IP, BIG-IQ, and Enterprise Manager
  • FirePass
  • ARX
  • LineRate

BIG-IP, BIG-IQ, and Enterprise Manager

SSL profiles

To mitigate this vulnerability in the SSL profile for the BIG-IP system, you can disable the SSLv3 protocol in the SSL profile by adding !SSLv3 to the cipher string. For details about how to add this, refer to the following articles:

  • SOL13171: Configuring the cipher strength for SSL profiles (11.x)
  • SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x)

Configuration utility

To mitigate this vulnerability for the Configuration utility, use the following options:

BIG-IP 11.5.0 – 11.6.0

For BIG-IP 11.5.0 – 11.6.0, you can disable the SSLv3 protocol for the Configuration utility by performing the following procedure:

Note: Feature enhancements allowing the use of this procedure have also been included in the following software versions: 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13, and 10.2.4 HF10.

  1. Log in to the Traffic Management Shell (tmsh) by typing the following command:

tmsh

  2. Disable SSLv3 (and SSLv2) by typing the following command:

modify /sys httpd ssl-protocol "all -SSLv2 -SSLv3"

  3. Save the configuration by typing the following command:

save /sys config

All BIG-IP versions

For all BIG-IP versions, F5 recommends that you expose the management access only on trusted networks.

BIG-IQ 4.4.0 and later

For BIG-IQ 4.4.0 and later, you can disable the SSLv3 protocol for the Configuration utility by performing the following procedure:

Impact of procedure: This procedure will restart the webd process and temporarily disrupt traffic to the BIG-IQ system. You should perform this procedure during a maintenance window.

  1. Log in to the BIG-IQ command line.
  2. Back up a copy of the /etc/webd/webd.conf file by typing the following command:

cp -p /etc/webd/webd.conf /var/tmp/webd.conf.sol15702

  3. Edit the /etc/webd/webd.conf file using a text editor of your choice.
  4. Locate the following line in the /etc/webd/webd.conf file:

ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;

  5. Remove SSLv2 and SSLv3 from this line. After removal, this line should appear as follows:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

  6. Save the changes and exit the text editor.
  7. Restart the webd process by typing the following command:

tmsh restart sys service webd
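The webd.conf edit above is easy to get wrong by hand on many systems, so here is an added example (not F5's code) that performs the same edit as a script: it backs the file up, strips SSLv2 and SSLv3 from the ssl_protocols directive, leaves everything else untouched, and then re-checks the result. It assumes only what the advisory shows, namely that the directive sits on a single line and ends with a semicolon; the file path is a constructed sample, not /etc/webd/webd.conf, and the function names are this example's own. It does not restart webd, so the tmsh restart step still has to follow.

```shell
#!/bin/sh
# Added example, not part of the F5 advisory: remove SSLv2/SSLv3 from a
# webd.conf-style "ssl_protocols" directive with a backup and a post-check.

# Constructed sample standing in for /etc/webd/webd.conf: one filler directive
# plus the line the advisory tells you to edit.
SAMPLE_CONF="${TMPDIR:-/tmp}/webd.conf.sample.$$"
printf '%s\n' 'worker_processes 1;' \
              'ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;' > "$SAMPLE_CONF"

# Print the ssl_protocols directive of FILE with leading whitespace trimmed.
ssl_protocols_line() {
    grep '^[[:space:]]*ssl_protocols[[:space:]]' "$1" | sed 's/^[[:space:]]*//'
}

# disable_legacy_ssl_protocols FILE
# Exit status: 0 rewritten (or already clean); 1 no ssl_protocols directive;
# 2 the directive would be left empty or still names SSLv2/SSLv3 (file untouched);
# 3 the backup could not be written.
disable_legacy_ssl_protocols() {
    file="$1"
    grep -q '^[[:space:]]*ssl_protocols[[:space:]]' "$file" || return 1
    # Keep a backup first, as the advisory does with cp -p (hypothetical suffix).
    cp -p "$file" "$file.sol15702.bak" || return 3
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*ssl_protocols[[:space:]]/ {
            line = $0
            sub(/;[[:space:]]*$/, "", line)          # drop the terminating ";"
            indent = line
            sub(/[^[:space:]].*$/, "", indent)       # keep the original indentation
            n = split(line, tok, /[[:space:]]+/)
            out = ""
            for (i = 1; i <= n; i++) {
                if (tok[i] == "" || tok[i] == "ssl_protocols") continue
                if (tok[i] == "SSLv2" || tok[i] == "SSLv3") continue   # legacy protocols
                out = out " " tok[i]
            }
            if (out == "") { bad = 1; print; next }  # nothing would remain: refuse
            print indent "ssl_protocols" out ";"
            next
        }
        { print }
        END { exit bad }
    ' "$file" > "$file.new" || { rm -f "$file.new"; return 2; }
    # Write back through the existing inode so mode and ownership are preserved.
    cat "$file.new" > "$file" && rm -f "$file.new"
    # Post-check: no SSLv2/SSLv3 token may survive on the directive.
    if grep -E '^[[:space:]]*ssl_protocols.*[[:space:]]SSLv[23]([[:space:]]|;)' "$file" >/dev/null; then
        return 2
    fi
    return 0
}

# Demo run on the constructed sample; webd still has to be restarted afterwards.
disable_legacy_ssl_protocols "$SAMPLE_CONF"
ssl_protocols_line "$SAMPLE_CONF"
```

Running it a second time is a no-op, so the script is safe to include in a configuration run that is applied repeatedly; a directive that would end up empty is refused rather than written, because an empty ssl_protocols line would break webd instead of hardening it.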

FirePass

Disabling SSLv3 for all FirePass interfaces

Impact of procedure: This procedure will restart services and prevent some connections to the FirePass system. You should perform this procedure during a maintenance window.

  1. Log in to the FirePass Administrator interface.
  2. Navigate to Device Management > Security > User Access Security.
  3. Under SSL Protocol Versions, click Accept only TLS protocol (incompatible with some browsers).
  4. Under SSL Ciphers Policy Enforcement, select the Reject SSL connection when a non-compliant cipher is used by the client browser check box.
  5. To restart services, click "click here to restart FirePass Services."
  6. Click Restart.

ARX

Changing the ARX Manager GUI cipher string (6.2.0 and later)

To disable SSLv3 for the ARX Manager GUI, perform the following procedure:

Impact of procedure: Disabling SSLv3 may prevent some connections to the ARX Manager GUI.

  1. Log in to the ARX Manager GUI.
  2. Expand Maintenance.
  3. Select Certificates.
  4. Click the tab for SSL Ciphers.
  5. Deselect all SSL ciphers.

LineRate

To mitigate this vulnerability in the SSL profile for the LineRate system, you can disable the SSLv3 protocol in the SSL profile by prepending !SSLv3 to the cipher-list. For details about how to add this, refer to the following article:

Note: A DevCentral login is required to access this content.
