History: Feb 12, 2015 - 12:00 a.m.

SOL16139 - OpenSSL vulnerability CVE-2015-0204

2015-02-12 00:00:00
support.f5.com

CVSS2: 4.3 Medium (AV:N/AC:M/Au:N/C:N/I:P/A:N)
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE

EPSS: 0.965 High (percentile 99.5%)

*The BIG-IQ and Enterprise Manager products are based on certain TMOS versions. Therefore, they are shipped with the vulnerable code, although the vulnerable components are never used in these products.

Recommended Action

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.

BIG-IP

To mitigate this vulnerability, you should consider the following recommendations:

  • If Server SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles:

    • SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)
    • SOL13171: Configuring the cipher strength for SSL profiles (11.x)
    • SOL13187: COMPAT SSL ciphers are no longer included in standard cipher strings
  • If the HTTPS health monitor is configured with a non-export RSA key exchange cipher suite, remove the RSA key exchange cipher suite from the Cipher List setting of the affected HTTPS health monitor by appending -kRSA to the cipher string. For more information, refer to SOL16526: Configuring the SSL cipher strength for a custom HTTPS health monitor.

  • If Client SSL profiles are configured to use EXPORT ciphers, the BIG-IP system will not be vulnerable to this issue. However, vulnerable clients and browsers connecting to the BIG-IP system using the Client SSL profiles are susceptible to this vulnerability.
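The -kRSA mitigation for the HTTPS health monitor can be reasoned about offline with a cipher-string evaluator. The following is an added example and not F5's code: it models a handful of constructed cipher suites and just the subset of OpenSSL cipher-string syntax needed here (bare keyword, the -, ! and + modifiers, and the kRSA/kEECDH/EXPORT aliases; DEFAULT is assumed to mean every suite in the table) to show which suites a given Cipher List still enables after the change.

```python
# Added example (not F5 code): a small evaluator for OpenSSL-style cipher
# strings, showing what appending -kRSA does to a cipher list. The suite
# table is constructed and tiny; DEFAULT here means "every suite in the table".
SUITES = [  # (suite name, key exchange, export-grade?)
    ("ECDHE-RSA-AES128-SHA", "ECDHE", False),
    ("DHE-RSA-AES128-SHA", "DHE", False),
    ("AES128-SHA", "RSA", False),
    ("DES-CBC3-SHA", "RSA", False),
    ("EXP-RC4-MD5", "RSA", True),
    ("EXP-DES-CBC-SHA", "RSA", True),
]

def _matches(keyword, suite):
    """Does a cipher-string keyword select this suite? (subset of OpenSSL's aliases)"""
    name, kx, export = suite
    if keyword in ("ALL", "DEFAULT"):
        return True
    if keyword == "kRSA":  # plain RSA key exchange, export-grade or not
        return kx == "RSA"
    if keyword in ("kEECDH", "kECDHE"):
        return kx == "ECDHE"
    if keyword in ("EXPORT", "EXP"):
        return export
    return name == keyword  # a literal suite name

def evaluate(cipher_string):
    """Ordered list of enabled suite names. OpenSSL rules: bare keyword = add
    matches, -kw = remove (re-addable), !kw = remove for good, +kw = move to end."""
    enabled, killed = [], set()
    for token in filter(None, cipher_string.split(":")):
        op, kw = (token[0], token[1:]) if token[0] in "-!+" else ("", token)
        matched = [s[0] for s in SUITES if _matches(kw, s)]
        if op == "":
            enabled += [n for n in matched if n not in enabled and n not in killed]
        elif op == "-":
            enabled = [n for n in enabled if n not in matched]
        elif op == "!":
            killed.update(matched)
            enabled = [n for n in enabled if n not in matched]
        else:  # "+": keep the suites, but move the matches behind everything else
            enabled = [n for n in enabled if n not in matched] + [n for n in enabled if n in matched]
    return enabled

def rsa_kx_suites(cipher_string):
    """Enabled suites that still negotiate plain RSA key exchange; an empty list
    means the -kRSA change removed the suites relevant to CVE-2015-0204."""
    kx = {name: k for name, k, _ in SUITES}
    return [n for n in evaluate(cipher_string) if kx[n] == "RSA"]
```

An empty result from rsa_kx_suites is the state the health-monitor recommendation aims for; note that a later bare keyword in the same string can re-add a suite removed with -kRSA, whereas !kRSA keeps it out.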

LineRate

To mitigate the risk posed by this vulnerability for the affected LineRate versions, you can disable the RSA key exchange cipher suite in the SSL component. For information about disabling cipher suites for LineRate, refer to the following guides:

Note: The following links take you to a resource outside of AskF5. The third party could remove the documents without our knowledge.

Traffix SDC

To mitigate this vulnerability, you can upgrade with the Traffix package for January 2015, which contains openssl-1.0.1e-30. For more information, refer to the F5 Traffix representative for your region.

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
  • SOL9502: BIG-IP hotfix matrix
  • SOL17329: BIG-IP GTM name has changed to BIG-IP DNS
