SOL16126 - OpenSSL vulnerability CVE-2014-3572

Recommended Action

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.

BIG-IP

To mitigate this vulnerability, you can remove the ECDH cipher suite from the Cipher List of the affected HTTPS health monitor. To do so, perform the following procedure:

Impact of action: Removing the ECDH cipher suite does not allow the affected HTTPS health monitor from communicating with any other SSL servers using the ECDH cipher suite.

1. Log in to the Configuration utility.
2. Navigate to Local Traffic >Monitors.
3. Click the name of the affected HTTPS health monitor.
4. In the Cipher List setting, append**:-kECDH** to the end of the cipher string.
5. Click Update.
6. Repeat the previous steps for the remaining affected HTTPS health monitor.

LineRate

To mitigate the risk posed by this vulnerability for the affected LineRate versions, you can disable the ECDH cipher suites in the SSL component. For information about disabling cipher suites for LineRate, refer to the following guides:

**Note:**The following links take you to a resource outside of AskF5. The third party could remove the documents without our knowledge.

• The SSL Mode Commands chapter of the LineRate 2.5.0 CLI Reference Guide

• The SSL Mode Commands chapter of the LineRate 2.4.x CLI Reference Guide

Supplemental Information

• SOL9970: Subscribing to email notifications regarding F5 products
• SOL9957: Creating a custom RSS feed to view new and updated documents
• SOL4918: Overview of the F5 critical issue hotfix policy
• SOL167: Downloading software and firmware from F5