SOL23196136 - OpenSSL vulnerability CVE-2016-0800

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the** Versions known to be not vulnerable ** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severityvalues published in the previous table. The Severityvalues and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.

BIG-IP

BIG-IP is not vulnerable to this issue in default configurations. F5 recommends that you do not enable the use of SSLv2 or EXPORT ciphers in your configuration. In addition, note the following:

• Data plane virtual servers in BIG-IP 10.1.0 through 11.6.0 can be made vulnerable by configuring COMPAT ciphers or SSLv2 in the cipher string. Additionally, BIG-IP 10.2.1 and 10.2.2 will also expose the issue with ALL in the cipher string. If you require the use of COMPAT ciphers, you should include**!SSLV2in the cipher string to exclude SSLv2 protocol; for example, COMPAT:!SSLV2. You can enable SSLv2 only in BIG-IP 12.0.0 and later by configuringCOMPAT+SSLV2** in the cipher string. F5 recommends that you do not configure virtual servers to use the SSLv2 protocol.
• The Configuration utility does not enable the use of the SSLv2 protocol in the default configuration for BIG-IP 10.1.0 through 12.0.0. The Apache configuration includes the configuration directive, which disables, by default, the SSLv2 protocol: SSLProtocol all -SSLv2. F5 recommends that you do not enable the SSLv2 protocol for the Configuration utility.
• If you are using the NodeJS EA feature for server applications, you should use constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_SSLv2 to mitigate this issue.
• iAppsLX** f5-rest-node** is an EA feature and is not vulnerable.
• If you are using the iRulesLX EA feature, ensure that SSLv2 is not enabled in your custom applications. iRulesLX nodejscan be configured to be vulnerable in BIG-IP 12.0.0.
• The BIG-IP big3d process is not vulnerable in BIG-IP 10.1.0 through 12.0.0. The daemon does not support the SSLv2 protocol in these versions.
• The device service clustering (DSC) infrastructure communication is not vulnerable in BIG-IP 11.0.0 through 12.0.0.

BIG-IQ and Enterprise Manager

The BIG-IQ and Enterprise Manager systems are not vulnerable to this issue in default configurations. F5 recommends that you do not enable the use of SSLv2 or EXPORT ciphers in control plane configurations.

LineRate

The LineRate systems are not vulnerable to this issue in default configurations. F5 recommends that you do not enable the use of SSLv2 protocol in LineRate configurations.

Supplemental Information

• SOL9970: Subscribing to email notifications regarding F5 products
• SOL9957: Creating a custom RSS feed to view new and updated documents
• SOL4918: Overview of the F5 critical issue hotfix policy
• The DROWN Attack: Another SSL Vulnerability DevCentral page

Note: A DevCentral login may be required to access the previous link.