SOL16321 - OpenSSL vulnerability CVE-2015-0293

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in theVersions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severityvalues published in the previous table. The Severityvalues and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.

BIG-IP 11.x

To mitigate this vulnerability on virtual servers, you can configure your Client SSL profile to use the NATIVE cipher suite. To do so, refer to SOL13171: Configuring the cipher strength for SSL profiles (11.x).

To mitigate this vulnerability in the BIG-IP Configuration utility, do not modify the Apache server configuration to include SSLv2 and Export Grade ciphers.

BIG-IP 10.x

To mitigate this vulnerability on virtual servers, you can configure your Client SSL profile to use the NATIVE cipher suite. To do so, refer to SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x).

To mitigate this vulnerability in the BIG-IP Configuration utility, do not modify the Apache server configuration to include SSLv2 and Export Grade ciphers.

BIG-IQ

To mitigate this vulnerability in the BIG-IQ user interface, do not modify the Apache server configuration to include SSLv2 and Export Grade ciphers.

Enterprise Manager

To mitigate this vulnerability in the Enterprise Manager Configuration utility, do not modify the Apache server configuration to include SSLv2 and Export Grade ciphers.

Supplemental Information

• SOL13187: COMPAT SSL ciphers are no longer included in standard cipher strings
• SOL13405: Restricting Configuration utility access to clients using high encryption SSL ciphers (11.x)
• SOL6768: Restricting Configuration utility access to clients using high encryption SSL ciphers (9.x - 10.x)
• SOL9970: Subscribing to email notifications regarding F5 products
• SOL9957: Creating a custom RSS feed to view new and updated documents
• SOL4918: Overview of the F5 critical issue hotfix policy
• SOL167: Downloading software and firmware from F5
• SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)
• SOL15106: Managing BIG-IQ product hotfixes
• SOL9502: BIG-IP hotfix matrix
• SOL17329: BIG-IP GTM name has changed to BIG-IP DNS