CVSS3: 3.7 Low
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.975 High
Percentile: 100.0%
Note: As of February 17, 2015, AskF5 Security Advisory articles include the Severity value. Security Advisory articles published before this date do not list a Severity value.
Vulnerability Recommended Actions
If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.
BIG-IP
11.x
Client SSL profiles are not vulnerable in a default configuration. If you have configured custom Client SSL profiles, you can mitigate this vulnerability by configuring your Client SSL profile to exclude COMPAT, EXP, and EXPORT ciphers. To do so, refer to SOL13171: Configuring the cipher strength for SSL profiles (11.x).
BIG-IP systems configured with Server SSL profiles or HTTPS health monitors are vulnerable as a client when they use EXPORT or DHE cipher suites and the backend server supports EXPORT ciphers. To mitigate this issue, disable the use of EXPORT and DHE cipher suites. Adding !EXPORT, !COMPAT, and !DHE to the cipher string that is in use will do this; however, if a custom cipher string is in use, it must disable the use of both export and non-export grade DHE to mitigate this issue.
BIG-IP systems configured for SSL Forward Proxy are vulnerable as a client when they use EXPORT or DHE cipher suites and the backend server supports EXPORT ciphers. To mitigate this issue, disable the use of EXPORT and DHE cipher suites. Adding !EXPORT, !COMPAT, and !DHE to the cipher string that is in use will do this; however, if a custom cipher string is in use, it must disable the use of both export and non-export grade DHE to mitigate this issue.
10.x
Client SSL profiles are not vulnerable in a default configuration. If you have configured custom Client SSL profiles, you can mitigate this vulnerability by configuring your Client SSL profile to exclude COMPAT, EXP, and EXPORT ciphers. To do so, refer to SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x).
BIG-IP systems configured with Server SSL profiles or HTTPS health monitors are vulnerable as a client when they use EXPORT or DHE cipher suites and the backend server supports EXPORT ciphers. To mitigate this issue, disable the use of EXPORT and DHE cipher suites. Adding !EXPORT, !COMPAT, and !DHE to the cipher string that is in use will do this; however, if a custom cipher string is in use, it must disable the use of both export and non-export grade DHE to mitigate this issue.
To mitigate this vulnerability in the BIG-IP Configuration utility, you can modify the Apache server configuration to exclude EXP and EXPORT ciphers. For example, the default SSL cipher string in your configuration may appear similar to the following example:
ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
You can mitigate this vulnerability by excluding the EXPORT and EXP ciphers by using a string similar to the following example:
ALL:!ADH:!EXPORT:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2
For more information about restricting ciphers for Configuration utility access, refer to SOL6768: Restricting Configuration utility access to clients using high encryption SSL ciphers (9.x - 10.x).
Enterprise Manager
To mitigate this vulnerability in the Enterprise Manager Configuration utility, you can modify the Apache server configuration to exclude EXP and EXPORT ciphers. For example, the default SSL cipher string in your configuration may appear similar to the following example:
ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
You can mitigate this vulnerability by excluding the EXPORT and EXP ciphers by using a string similar to the following example:
ALL:!ADH:!EXPORT:!EXP:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2
For more information about restricting ciphers for Configuration utility access, refer to SOL6768: Restricting Configuration utility access to clients using high encryption SSL ciphers (9.x - 10.x).
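The BIG-IP client-side mitigation (!EXPORT, !COMPAT, !DHE) and the Configuration utility Apache cipher strings above both rely on OpenSSL cipher-string syntax, where the operator prefix decides whether a suite is actually removed: "!" deletes an alias permanently, "-" deletes it but a later alias can add it back, and "+" only moves matching suites to the end of the preference list. The following checker is an added example, not F5's tooling or anything from the advisory; it assumes the cipher strings shown on this page follow OpenSSL ciphers(1) syntax and uses the OpenSSL aliases EXPORT/EXP (all export suites) and EXPORT40/EXPORT56 (the 40-bit and 56-bit subsets). Run against the default string, it reports that !EXPORT56 leaves the 40-bit suites in place and that +EXP merely reorders them; run against the corrected strings it reports nothing.

```python
"""Lint an OpenSSL-style cipher string for residual export-grade suites.

Constructed example for this advisory; not F5 code. Assumption: the
BIG-IP and Apache cipher strings use OpenSSL ciphers(1) syntax, i.e.
':'-separated entries where '!' deletes permanently, '-' deletes but may
be re-added later, '+' only moves matching suites to the end, and no
prefix adds the alias.
"""

# OpenSSL aliases that select export-grade suites. EXPORT and EXP cover all
# of them; EXPORT40 and EXPORT56 select only the 40-bit or 56-bit subset.
EXPORT_ALIASES = {"EXPORT", "EXP", "EXPORT40", "EXPORT56"}
UMBRELLA_ALIASES = {"EXPORT", "EXP"}


def parse_cipher_string(cipher_string):
    """Split a cipher string into (operator, alias) pairs, in order.

    Only a leading '!', '-' or '+' is an operator; a '+' inside an entry
    (e.g. RC4+RSA) is an AND of aliases and is kept as part of the name.
    """
    entries = []
    for item in cipher_string.split(":"):
        item = item.strip()
        if not item:
            continue
        op = ""
        if item[0] in "!-+":
            op, item = item[0], item[1:]
        entries.append((op, item.upper()))
    return entries


def permanently_excluded(cipher_string, aliases):
    """True when every alias in `aliases` is deleted with '!', the only
    operator that a later entry in the string cannot undo."""
    killed = {name for op, name in parse_cipher_string(cipher_string) if op == "!"}
    return all(alias.upper() in killed for alias in aliases)


def export_grade_findings(cipher_string):
    """Return a list of findings; an empty list means no export-grade
    suite can survive in the resulting cipher list."""
    entries = parse_cipher_string(cipher_string)
    killed = {name for op, name in entries if op == "!"}
    if killed & UMBRELLA_ALIASES:
        return []  # !EXPORT or !EXP removes every export suite

    findings = []
    if "EXPORT56" in killed and "EXPORT40" not in killed:
        findings.append("!EXPORT56 removes only 56-bit export suites; "
                        "40-bit suites survive (use !EXPORT)")
    if "EXPORT40" in killed and "EXPORT56" not in killed:
        findings.append("!EXPORT40 removes only 40-bit export suites; "
                        "56-bit suites survive (use !EXPORT)")
    for op, name in entries:
        if name in EXPORT_ALIASES and op in ("", "+"):
            reason = "'+' only reorders, it does not delete" if op == "+" else "adds the suites"
            findings.append(f"'{op}{name}' keeps export suites enabled ({reason})")
        elif name in EXPORT_ALIASES and op == "-":
            findings.append(f"'-{name}' can be undone by a later alias such as ALL; use '!'")
    if not killed & EXPORT_ALIASES:
        findings.append("no export alias is deleted with '!'")
    return findings


# The two Apache strings from the advisory (default and corrected).
DEFAULT_STRING = "ALL:!ADH:!EXPORT56:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
FIXED_STRING = "ALL:!ADH:!EXPORT:!eNULL:!MD5:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2"
# Constructed BIG-IP client-side string following the advisory's advice.
BIGIP_CLIENT_STRING = "DEFAULT:!EXPORT:!COMPAT:!DHE"

if __name__ == "__main__":
    for label, s in (("default", DEFAULT_STRING), ("fixed", FIXED_STRING)):
        print(f"{label}: {export_grade_findings(s) or 'no export-grade suites remain'}")
    print("BIG-IP client string excludes EXPORT/COMPAT/DHE:",
          permanently_excluded(BIGIP_CLIENT_STRING, ["EXPORT", "COMPAT", "DHE"]))
```

The checker inspects the string only; it does not replace verifying the effective cipher list on the device itself (for example with the platform's own cipher-list display command), which is the authoritative check after a change.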
ARX
To mitigate this vulnerability, you can disable EXPORT grade SSL ciphers, such as SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA and SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA, in the ARX GUI.
Traffix SDC
Traffix SDC configurations are not vulnerable with default cipher settings. To mitigate this vulnerability, do not configure EXPORT grade ciphers in the SDC configuration.
Supplemental Information
support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html
support.f5.com/kb/en-us/solutions/public/10000/900/sol10942.html
support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html