Lucene search

K
f5F5SOL16139
HistoryFeb 12, 2015 - 12:00 a.m.

SOL16139 - OpenSSL vulnerability CVE-2015-0204

2015-02-1200:00:00
support.f5.com
92

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.965 High

EPSS

Percentile

99.5%

*The BIG-IQ and Enterprise Manager products are based on certain TMOS versions. Therefore, they are shipped with the vulnerable code, although the vulnerable components are never used in these products.

Recommended Action

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.

BIG-IP

To mitigate this vulnerability, you should consider the following recommendations:

  • If Server SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles:

    • SOL13163: SSL ciphers supported on BIG-IP platforms (11.x)
    • SOL13171: Configuring the cipher strength for SSL profiles (11.x)
    • SOL13187: COMPAT SSL ciphers are no longer included in standard cipher strings
  • If the HTTPS health monitor is configured with a non-export RSA key exchange cipher suite, remove the RSA key exchange cipher suite from the Cipher List setting of the affected HTTPS health monitor by appending** -kRSA** in the cipher string. For more information, refer to SOL16526: Configuring the SSL cipher strength for a custom HTTPS health monitor.

  • If Client SSL profiles are configured to use EXPORT ciphers, the BIG-IP system will not be vulnerable to this issue. However, vulnerable clients and browsers connecting to the BIG-IP system using the Client SSL profiles are susceptible to this vulnerability.

LineRate

To mitigate the risk posed by this vulnerability for the affected LineRate versions, you can disable the RSA key exchange cipher suite in the SSL component. For information about disabling cipher suites for LineRate, refer to the following guides:

Note:****The following links take you to a resource outside of AskF5. The third party could remove the documents without our knowledge.

Traffix SDC

To mitigate this vulnerability, you can upgrade with the Traffix package for January 2015, which contains openssl-1.0.1e-30. For more information, refer to the F5 Traffix representative for your region.

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
  • SOL9502: BIG-IP hotfix matrix
  • SOL17329: BIG-IP GTM name has changed to BIG-IP DNS

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.965 High

EPSS

Percentile

99.5%