CVSS3: 3.4 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:N/A:N

CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N

EPSS: 0.975 High
Percentile: 100.0%
Vulnerability Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
BIG-IP, BIG-IQ, and Enterprise Manager
SSL profiles
To mitigate this vulnerability in the SSL profile for the BIG-IP system, you can disable the SSLv3 protocol in the SSL profile by adding !SSLv3 to the cipher string. For details about how to add this, refer to the following articles:
Configuration utility
To mitigate this vulnerability for the Configuration utility use the following options:
BIG-IP 11.5.0 – 11.6.0
For BIG-IP 11.5.0 – 11.6.0, you can disable the SSLv3 protocol for the Configuration utility by performing the following procedure:
Note: Feature enhancements allowing the use of this procedure have also been included in the following software versions: 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13, and 10.2.4 HF10.
tmsh
modify /sys httpd ssl-protocol "all -SSLv2 -SSLv3"
save /sys config
All BIG-IP versions
For all BIG-IP versions, F5 recommends that you expose the management access only on trusted networks.
BIG-IQ 4.4.0 and later
For BIG-IQ 4.4.0 and later, you can disable the SSLv3 protocol for the Configuration utility by performing the following procedure:
Impact of procedure: This procedure will restart the webd process and temporarily disrupt traffic to the BIG-IQ system. You should perform this procedure during a maintenance window.
Back up the current webd configuration file:
cp -p /etc/webd/webd.conf /var/tmp/webd.conf.sol15702
In /etc/webd/webd.conf, change the ssl_protocols line from:
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
to the following, so that only TLS versions are offered:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Restart the webd service so the change takes effect:
tmsh restart sys service webd
FirePass
Disabling SSLv3 for all FirePass interfaces
Impact of procedure: This procedure will restart services and prevent some connections to the FirePass system. You should perform this procedure during a maintenance window.
ARX
Changing the ARX Manager GUI cipher string (6.2.0 and later)
To disable SSLv3 for the ARX Manager GUI, perform the following procedure:
Impact of procedure: Disabling SSLv3 may prevent some connections to the ARX Manager GUI.
LineRate
To mitigate this vulnerability in the SSL profile for the LineRate system, you can disable the SSLv3 protocol in the SSL profile by prepending !SSLv3 to the cipher-list. For details about how to add this, refer to the following article:
Note: A DevCentral login is required to access this content.
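After applying any of the mitigations above (the !SSLv3 cipher string, the httpd ssl-protocol setting, or the webd ssl_protocols change), the change should be confirmed from the network side rather than assumed. The probe below is an added example and is not F5's code or part of this advisory: because modern OpenSSL builds no longer speak SSLv3, it sends a minimal hand-built SSL 3.0 ClientHello over a raw socket and classifies the first record the listener returns. A ServerHello at version 3.0 means SSLv3 is still enabled; an alert or a dropped connection means the mitigation is in effect. The host name and cipher-suite list are assumptions chosen for the example.

```python
"""Check whether a listener still accepts SSL 3.0 (added example, not F5 code)."""
import socket
import struct

SSLV3_VERSION = b"\x03\x00"  # record-layer and handshake version for SSL 3.0

# Cipher suites an SSLv3-era stack commonly accepts; standard code points
# (AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5). Assumed selection.
DEFAULT_SUITES = (0x002F, 0x0035, 0x000A, 0x0005, 0x0004)


def build_sslv3_client_hello(suites=DEFAULT_SUITES):
    """Return a complete SSLv3 ClientHello record (no extensions, null compression)."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        SSLV3_VERSION                                   # client_version = 3.0
        + b"\x00" * 32                                  # client random (constant; fine for a probe)
        + b"\x00"                                       # session_id length = 0
        + struct.pack("!H", len(suite_bytes)) + suite_bytes
        + b"\x01\x00"                                   # one compression method: null
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16" + SSLV3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the server's first record to a verdict.

    "sslv3_accepted": a ServerHello at version 3.0 came back; SSLv3 is still enabled
    "refused":        an alert record (handshake_failure / protocol_version) or no record at all
    "other":          not a TLS record, e.g. plain HTTP or a non-TLS service on that port
    """
    if len(data) < 5:
        return "refused"
    content_type, version = data[0], data[1:3]
    if content_type == 0x15:                            # alert
        return "refused"
    if (content_type == 0x16 and len(data) >= 6
            and data[5] == 0x02 and version == SSLV3_VERSION):
        return "sslv3_accepted"                         # handshake record carrying a ServerHello
    return "other"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello, and classify whatever comes back."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"                            # nothing listening / blocked at TCP level
    with sock:
        try:
            sock.sendall(build_sslv3_client_hello())
            data = sock.recv(4096)
        except socket.timeout:
            return "no_response"                        # silently dropped; check firewalls, not TLS
        except OSError:
            return "refused"                            # reset after the hello: SSLv3 rejected
    return classify_response(data)


if __name__ == "__main__":
    import sys
    # Hypothetical management address; replace with the host you just reconfigured.
    target = sys.argv[1] if len(sys.argv) > 1 else "bigip-mgmt.example"
    print(target, probe_sslv3(target))
```

Run it against the management address and each virtual server that uses the modified SSL profile; the expected result after the change is "refused". Note that "sslv3_accepted" on a virtual server usually means the !SSLv3 cipher string was applied to a different profile than the one the virtual server actually references.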
Supplemental Information
SOL15882: TLS1.x padding vulnerability CVE-2014-8730
SOL9970: Subscribing to email notifications regarding F5 products
SOL4602: Overview of the F5 security vulnerability response policy
SOL9957: Creating a custom RSS feed to view new and updated documents
SOL4918: Overview of the F5 critical issue hotfix policy
SOL167: Downloading software and firmware from F5
SOL10942: Installing OPSWAT hotfixes on BIG-IP APM systems
Note: A DevCentral login is required to access the following content.
support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html
support.f5.com/kb/en-us/solutions/public/10000/900/sol10942.html
support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html
support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html
https://devcentral.f5.com/articles/cve-2014-3566-poodle-vs-cve-2014-8730-tls-poodle
https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip
https://devcentral.f5.com/articles/irule-to-stop-sslv3-connections
https://devcentral.f5.com/articles/poodle-and-tlsfallbackscsv-deep-dive
https://devcentral.f5.com/articles/sslv3-poodle-recommendations