SOL16317 - OpenSSL vulnerability CVE-2015-0286

Vulnerability Recommended Actions

If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.

BIG-IP

Configuration utility

The Configuration utility is not vulnerable by default. To be vulnerable, the system administrator has to modify the configuration to perform client-side certification authentication, such as, when you perform the procedures in either of the following articles:

• SOL13981: Restricting access to the Configuration utility using client certificates (11.x)
• SOL15137: Configuring two-way SSL authentication to the Configuration utility

To mitigate this Configuration utility vulnerability, do not modify the configuration to perform client side certification authentication. If that is not possible, F5 recommends that you permit access to the Configuration utility only over a secure network and limit login access to trusted users.

Client SSL profiles

Client SSL profiles are not vulnerable in a default configuration. The Client SSL profile is vulnerable if it has been modified to enable the Client Authentication option and is associated with a virtual server. To mitigate the vulnerability, do not enable the Client Authentication option on the Client SSL profile.

Server SSL profiles

Server SSL profiles are vulnerable in a default configuration, however, this vulnerability would require a backend server (pool member) to perform malicious actions as the BIG-IP system is acting as a client in this instance.

HTTPS Health monitor

The HTTPS health monitor is vulnerable by default. This vulnerability would require the BIG-IP system to monitor the health of a malicious server. To mitigate this vulnerability, limit traffic between the BIG-IP system and pool members to trusted traffic.

BIG-IP GTM

Both the gtmdand big3dprocesses are vulnerable in a default configuration. In addition, monitored BIG-IP systems whose big3dprocess was updated by an affected BIG-IP GTM system are also vulnerable. To mitigate this vulnerability, limit traffic between BIG-IP systems to trusted traffic.

Enterprise Manager

The big3dprocesses is vulnerable in a default configuration. In addition, monitored systems whose big3dprocess was updated by an affected BIG-IP GTM system are also vulnerable. To mitigate this vulnerability, limit traffic between BIG-IQ systems to trusted traffic.

BIG-IQ

The BIG-IQ configuration utility is not vulnerable by default. To be vulnerable, the system administrator has to modify the configuration to perform client-side certification authentication. To mitigate this Configuration utility vulnerability, do not modify the configuration to perform client side certification authentication.

Server SSL profiles are vulnerable in a default configuration; however, this vulnerability would require a backend server (pool member) to perform malicious actions, as the BIG-IP system is acting as a client in this instance.

Supplemental Information

• SOL13703: Overview of big3d version management
• SOL13444: BIG-IP daemons (11.x)
• SOL4602: Overview of the F5 security vulnerability response policy
• SOL9970: Subscribing to email notifications regarding F5 products
• SOL9957: Creating a custom RSS feed to view new and updated documents
• SOL4918: Overview of the F5 critical issue hotfix policy
• SOL167: Downloading software and firmware from F5
• SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
• SOL15106: Managing BIG-IQ product hotfixes
• SOL9502: BIG-IP hotfix matrix
• SOL17329: BIG-IP GTM name has changed to BIG-IP DNS