CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.965 High (Percentile 99.5%)
*The BIG-IQ and Enterprise Manager products are based on certain TMOS versions. Therefore, they are shipped with the vulnerable code, although the vulnerable components are never used in these products.
Recommended Action
If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.
F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.
BIG-IP
To mitigate this vulnerability, you should consider the following recommendations:
If Server SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles:
If the HTTPS health monitor is configured with a non-export RSA key exchange cipher suite, remove the RSA key exchange cipher suite from the Cipher List setting of the affected HTTPS health monitor by appending -kRSA to the cipher string. For more information, refer to SOL16526: Configuring the SSL cipher strength for a custom HTTPS health monitor.
If Client SSL profiles are configured to use EXPORT ciphers, the BIG-IP system will not be vulnerable to this issue. However, vulnerable clients and browsers connecting to the BIG-IP system using the Client SSL profiles are susceptible to this vulnerability.
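To see what appending -kRSA to a cipher string actually does, the following is an added example (not F5's code or the BIG-IP cipher implementation): a simplified evaluator for OpenSSL-style cipher strings over a small constructed suite table. It also shows the difference between the "-" prefix, which a later token can undo, and the "!" prefix, which is permanent.

```python
"""Simplified OpenSSL-style cipher string evaluator (added example).

The suite table below is a constructed sample with a handful of suites,
not the real BIG-IP or OpenSSL cipher set. Only the ':' separator, the
'-' (remove) and '!' (kill) prefixes, and '+'-joined aliases are handled.
"""

# Constructed sample: suite name -> (key exchange, export grade)
SUITES = {
    "ECDHE-RSA-AES128-SHA": ("ECDHE", False),
    "DHE-RSA-AES128-SHA": ("DHE", False),
    "AES128-SHA": ("RSA", False),
    "DES-CBC3-SHA": ("RSA", False),
    "EXP-RC4-MD5": ("RSA", True),
    "EXP-DES-CBC-SHA": ("RSA", True),
}

# Alias -> predicate over (key exchange, export grade)
ALIASES = {
    "ALL": lambda kx, exp: True,
    "kRSA": lambda kx, exp: kx == "RSA",      # RSA key exchange (FREAK-relevant)
    "kEDH": lambda kx, exp: kx == "DHE",
    "kEECDH": lambda kx, exp: kx == "ECDHE",
    "EXPORT": lambda kx, exp: exp,
}


def match(token):
    """Return the suites a single token selects, in table order."""
    if token in SUITES:
        return [token]
    preds = [ALIASES[p] for p in token.split("+")]  # 'A+B' must satisfy both
    return [n for n, (kx, exp) in SUITES.items() if all(p(kx, exp) for p in preds)]


def evaluate(cipher_string):
    """Apply the cipher string left to right and return the enabled suites."""
    selected, killed = [], set()
    for tok in cipher_string.split(":"):
        if tok.startswith("!"):           # kill: removed and cannot be re-added
            killed |= set(match(tok[1:]))
            selected = [s for s in selected if s not in killed]
        elif tok.startswith("-"):         # remove: a later token may re-add
            selected = [s for s in selected if s not in match(tok[1:])]
        else:                             # add, preserving existing order
            for s in match(tok):
                if s not in selected and s not in killed:
                    selected.append(s)
    return selected


def rsa_kx_suites(cipher_string):
    """Suites still enabled that use RSA key exchange (should be empty after -kRSA)."""
    return [s for s in evaluate(cipher_string) if SUITES[s][0] == "RSA"]
```

Appending -kRSA to a string such as ALL leaves only the (EC)DHE suites in this sample, so rsa_kx_suites reports nothing.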
LineRate
To mitigate the risk posed by this vulnerability for the affected LineRate versions, you can disable the RSA key exchange cipher suite in the SSL component. For information about disabling cipher suites for LineRate, refer to the following guides:
Note: The following links take you to a resource outside of AskF5. The third party could remove the documents without our knowledge.
The SSL Mode Commands chapter of the LineRate 2.5.0 CLI Reference Guide
The SSL Mode Commands chapter of the LineRate 2.4.x CLI Reference Guide
Traffix SDC
To mitigate this vulnerability, you can upgrade with the Traffix package for January 2015, which contains openssl-1.0.1e-30. For more information, refer to the F5 Traffix representative for your region.
Supplemental Information
support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html
support.f5.com/kb/en-us/solutions/public/13000/100/sol13123
support.f5.com/kb/en-us/solutions/public/17000/300/sol17329.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/9000/500/sol9502.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html