History: Jul 08, 2015 - 12:00 a.m.

SOL16864 - SSL/TLS RC4 vulnerability CVE-2015-2808

2015-07-08 00:00:00
support.f5.com

5 Medium

CVSS2
  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: NONE
  • Availability Impact: NONE
  • Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS
  • Score: 0.003 Low
  • Percentile: 66.1%

Refer to the FirePass section of the Vulnerability Recommended Actions section.

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

BIG-IP

You can mitigate this vulnerability by disabling the RC4 cipher for the vulnerable component/feature. For instructions on how to disable ciphers on SSL profiles, refer to SOL13171: Configuring the cipher strength for SSL profiles (11.x) or SOL7815: Configuring the cipher strength for SSL profiles (9.x - 10.x), depending on your version.

For instructions on how to disable ciphers in the Configuration utility, refer to SOL13405: Restricting Configuration utility access to clients using high encryption SSL ciphers (11.x - 12.x) or SOL6768: Restricting Configuration utility access to clients using high encryption SSL ciphers (9.x - 10.x), depending on your version. You can mitigate this Configuration utility vulnerability by permitting access to the system only over a secure network.

BIG-IQ and Enterprise Manager

For instructions on how to disable ciphers in the Configuration utility, refer to SOL13405: Restricting Configuration utility access to clients using high encryption SSL ciphers (11.x - 12.x) or SOL6768: Restricting Configuration utility access to clients using high encryption SSL ciphers (9.x - 10.x), depending on your version. You can mitigate this Configuration utility vulnerability by permitting access to the system only over a secure network.

FirePass

For information about the hotfix status, contact F5 Technical Support.

ARX

To mitigate this vulnerability, you should permit access to the ARX GUI only over a secure network.

LineRate

To mitigate this vulnerability, you should use the default Cipher List or explicitly specify !RC4 in the Cipher List for the SSL profiles.

Traffix SDC

To mitigate this vulnerability for HTTP<=>Diameter traffic that uses HTTPS, you should not add RC4 to the TLS Cipher List. To mitigate this vulnerability for the WebUI, you should disable RC4 in your client web browser.
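The BIG-IP, LineRate and Traffix mitigations above all come down to the same check: once the product's cipher string is resolved, no RC4 suite may remain. The following is an added example, not code from F5 or from this advisory. It evaluates an OpenSSL-style cipher string (the syntax used by BIG-IP SSL profiles and LineRate, including the `!RC4` exclusion named above) against a small cipher catalogue and reports which RC4 suites survive. The catalogue and the `DEFAULT` alias are constructed for the example and are not the real default list of any F5 product or OpenSSL build; the function names (`resolve`, `rc4_suites`, `audit`) are this example's own.

```python
"""Evaluate an OpenSSL-style cipher list and report whether RC4 survives.

Added example, not part of the F5 advisory. The cipher catalogue and the
DEFAULT alias below are constructed so the example runs offline; they are
not the real default cipher list of any F5 product or OpenSSL version.
"""

# Constructed catalogue: suite name -> keywords that select it.
CATALOGUE = {
    "ECDHE-RSA-AES256-GCM-SHA384": {"AES", "AESGCM", "ECDHE", "HIGH", "TLSv1.2"},
    "ECDHE-RSA-AES128-SHA":        {"AES", "ECDHE", "HIGH", "TLSv1"},
    "AES256-SHA":                  {"AES", "RSA", "HIGH", "TLSv1"},
    "AES128-SHA":                  {"AES", "RSA", "HIGH", "TLSv1"},
    "DES-CBC3-SHA":                {"3DES", "RSA", "MEDIUM", "TLSv1"},
    "RC4-SHA":                     {"RC4", "RSA", "MEDIUM", "TLSv1"},
    "RC4-MD5":                     {"RC4", "RSA", "MEDIUM", "TLSv1"},
}

# Constructed aliases (hypothetical). This DEFAULT deliberately still expands
# to RC4 suites, which is the situation the advisory's mitigation addresses.
ALIASES = {
    "DEFAULT": ["HIGH", "MEDIUM"],
    "ALL": list(CATALOGUE),
}


def expand(token):
    """Return the catalogue suites matched by one token (alias, suite name, or keyword).

    A keyword may join several requirements with '+', e.g. RSA+RC4.
    """
    if token in ALIASES:
        out = []
        for sub in ALIASES[token]:
            out.extend(c for c in expand(sub) if c not in out)
        return out
    if token in CATALOGUE:
        return [token]
    parts = token.split("+")
    return [c for c, kw in CATALOGUE.items() if all(p in kw for p in parts)]


def resolve(cipher_list):
    """Apply OpenSSL cipher-list semantics to a ':'-separated string.

    '!' removes suites permanently (later tokens cannot re-add them),
    '-' removes suites but a later token may re-add them,
    '+' moves already-enabled matching suites to the end of the list,
    a bare token appends matching suites that are not killed.
    """
    enabled = []
    killed = set()
    for token in cipher_list.split(":"):
        if not token:
            continue
        if token.startswith("!"):
            for c in expand(token[1:]):
                killed.add(c)
                if c in enabled:
                    enabled.remove(c)
        elif token.startswith("-"):
            for c in expand(token[1:]):
                if c in enabled:
                    enabled.remove(c)
        elif token.startswith("+"):
            moved = [c for c in enabled if c in expand(token[1:])]
            enabled = [c for c in enabled if c not in moved] + moved
        else:
            for c in expand(token):
                if c not in killed and c not in enabled:
                    enabled.append(c)
    return enabled


def rc4_suites(cipher_list):
    """Names of RC4 suites the resolved list still offers (empty means mitigated)."""
    return [c for c in resolve(cipher_list) if "RC4" in CATALOGUE[c]]


def audit(profiles):
    """Map profile name -> RC4 suites still offered by that profile's cipher string."""
    return {name: rc4_suites(cl) for name, cl in profiles.items()}


if __name__ == "__main__":
    # Constructed profile settings: the weak form and the hardened form from the advisory.
    PROFILES = {
        "weak": "DEFAULT",
        "hardened": "DEFAULT:!RC4",
        "reordered": "ALL:!RC4:+3DES",
    }
    for name, bad in audit(PROFILES).items():
        print(f"{name}: {'OK' if not bad else 'RC4 still offered: ' + ', '.join(bad)}")
```

The distinction between `!RC4` and `-RC4` is the practical point: `-RC4:DEFAULT` removes nothing useful because `DEFAULT` re-adds the RC4 suites afterwards, whereas `!RC4` holds regardless of token order. That is why the advisory's LineRate guidance specifies `!RC4` rather than simply omitting RC4 from an explicit list.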

Supplemental Information

  • SOL9970: Subscribing to email notifications regarding F5 products
  • SOL9957: Creating a custom RSS feed to view new and updated documents
  • SOL4602: Overview of the F5 security vulnerability response policy
  • SOL4918: Overview of the F5 critical issue hotfix policy
  • SOL167: Downloading software and firmware from F5
  • SOL3430: Installing FirePass hotfixes
  • SOL13163: SSL ciphers supported on BIG-IP platforms (11.x - 12.x)
  • SOL11444: SSL ciphers supported on BIG-IP platforms (10.x)
  • SOL13156: SSL ciphers used in the default SSL profiles (11.x - 12.x)
  • SOL10262: SSL ciphers used in the default SSL profiles (10.x)
