
SOL5533 - Potential protocol version rollback vulnerability in OpenSSL - CVE-2005-2969

2007-05-16 00:00:00
support.f5.com

CVSS2: 5.0 Medium (AV:N/AC:L/Au:N/C:N/I:P/A:N)

  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: None
  Integrity Impact: Partial
  Availability Impact: None

EPSS: 0.013 (Low), 84.0th percentile

CVE-2005-2969 is an OpenSSL issue: the SSL_OP_MSIE_SSLV2_RSA_PADDING option (enabled as part of SSL_OP_ALL) disables the check that detects a forced rollback from SSLv3/TLS to SSLv2, so a man-in-the-middle could push a client and server that both support SSLv3/TLS down to SSLv2 and its weaker ciphers. Customers using non-default SSL options may therefore be exposed to this vulnerability in the BIG-IP LTM Configuration utility, in SSL-terminating virtual servers, and in bundled utilities.

F5 tracked this problem as CR55070, CR55145, CR55203, CR55204, CR55283, CR55426, CR55588, and CR63465, and it was fixed in BIG-IP version 9.1.1, BIG-IP version 9.2.2, and FirePass version 6.0.0. For information about upgrading, refer to the release notes for your product and version.

Obtaining and installing patches

BIG-IP LTM version 9.0.4

To download and install the patch, perform the following steps:

  1. From the F5 Downloads page, download the Hotfix-BIG-IP-9.0.4-CR55070.im file to the **/var/tmp** directory on the BIG-IP LTM system.

  2. Install the patch by typing the following command:

im Hotfix-BIG-IP-9.0.4-CR55070.im

BIG-IP LTM version 9.0.5

To download and install the patch, perform the following steps:

  1. From the F5 Downloads page, download the Hotfix-BIG-IP-9.0.5-CR55070.im file to the **/var/tmp** directory on the BIG-IP LTM system.

  2. Install the patch by typing the following command:

im Hotfix-BIG-IP-9.0.5-CR55070.im

BIG-IP LTM version 9.1.0

To download and install the patch, perform the following steps:

  1. From the F5 Downloads page, download the Hotfix-BIG-IP-9.1.0-CR55070.im file to the **/var/tmp** directory on the BIG-IP LTM system.

  2. Install the patch by typing the following command:

im Hotfix-BIG-IP-9.1.0-CR55070.im

BIG-IP LTM version 9.2.0

To download and install the patch, perform the following steps:

  1. From the F5 Downloads page, download the Hotfix-BIG-IP-9.2.0-CR55070.im file to the **/var/tmp** directory on the BIG-IP LTM system.

  2. Install the patch by typing the following command:

im Hotfix-BIG-IP-9.2.0-CR55070.im

Workarounds

FirePass versions 5.0.0 through 5.5.1

To protect FirePass against the possibility of a protocol version rollback attack, disable all protocols weaker than SSLv3/TLS (that is, SSLv2, the protocol a rollback forces both sides down to) using the following procedure:

  1. Log in to the FirePass Administrative Console.

  2. In the main navigation pane, select Device Management.

  3. In the upper navigation pane, select Security.

  4. In the sub-menu, select User Access Security.

  5. Select the Accept only SSLv3 and TLS protocols (maximize security) check box.

  6. Click the Update button.
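To confirm that a listener no longer accepts SSLv2 after the workaround above (or after one of the hotfixes), the following added example, which is not F5's code and is not part of the original article, builds a raw SSLv2 CLIENT-HELLO, sends it, and classifies the reply. The `probe_sslv2` helper, its host/port parameters, and the sample replies are assumptions constructed for illustration; only probe hosts you are authorized to test.

```python
"""Probe whether an SSL listener still accepts SSLv2, the protocol that a
rollback under CVE-2005-2969 forces a client and server down to.

Added example, not F5 code. The sample replies at the bottom are constructed
so the classification logic runs offline; probe_sslv2() talks to a live host.
"""
import os
import socket
import struct
from typing import Optional

# SSLv2 cipher-spec identifiers (3 bytes each) from the SSLv2 specification.
SSLV2_CIPHER_SPECS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]

SSLV2_MT_ERROR = 0
SSLV2_MT_CLIENT_HELLO = 1
SSLV2_MT_SERVER_HELLO = 4
TLS_CT_ALERT = 0x15  # TLS record content type for alerts


def build_sslv2_client_hello(challenge: Optional[bytes] = None) -> bytes:
    """Return one SSLv2 record carrying a CLIENT-HELLO.

    Record header: 2 bytes, high bit set (no padding), 15-bit body length.
    Body: msg_type, client_version 0x0002, cipher_specs_len, session_id_len,
    challenge_len, cipher_specs, challenge.
    """
    if challenge is None:
        challenge = os.urandom(16)
    if not 16 <= len(challenge) <= 32:
        raise ValueError("SSLv2 challenge must be 16..32 bytes")
    specs = b"".join(SSLV2_CIPHER_SPECS)
    body = (
        bytes([SSLV2_MT_CLIENT_HELLO])
        + b"\x00\x02"
        + struct.pack(">HHH", len(specs), 0, len(challenge))
        + specs
        + challenge
    )
    return struct.pack(">H", 0x8000 | len(body)) + body


def classify_response(data: bytes) -> str:
    """Classify the first bytes a server returns after the CLIENT-HELLO.

    sslv2-accepted : SSLv2 SERVER-HELLO; the listener still speaks SSLv2.
    sslv2-refused  : TLS alert record or SSLv2 ERROR message.
    closed         : nothing came back; the server dropped the connection.
    unknown        : anything else (e.g. a TLS ServerHello, a non-TLS banner).
    """
    if not data:
        return "closed"
    # TLS alert: content type 0x15, then major version 0x03.
    if len(data) >= 5 and data[0] == TLS_CT_ALERT and data[1] == 0x03:
        return "sslv2-refused"
    # SSLv2 record: high bit of the first byte set, message type at offset 2.
    if len(data) >= 3 and data[0] & 0x80:
        body_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
        msg_type = data[2]
        if msg_type == SSLV2_MT_SERVER_HELLO and body_len >= 11:
            return "sslv2-accepted"
        if msg_type == SSLV2_MT_ERROR:
            return "sslv2-refused"
    return "unknown"


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Hypothetical helper: send the CLIENT-HELLO to a live listener and
    classify its reply. Only use against hosts you are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


# Constructed sample replies (not captured from any real device).
SAMPLE_SSLV2_SERVER_HELLO = (
    struct.pack(">H", 0x8000 | 11)     # header: 11-byte body, no padding
    + bytes([SSLV2_MT_SERVER_HELLO])
    + b"\x00"                          # session_id_hit = no
    + b"\x01"                          # certificate_type = X.509
    + b"\x00\x02"                      # server_version = SSLv2
    + b"\x00\x00"                      # certificate_length (omitted)
    + b"\x00\x00"                      # cipher_specs_length (omitted)
    + b"\x00\x00"                      # connection_id_length (omitted)
)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x28"  # fatal handshake_failure
SAMPLE_SSLV2_ERROR = struct.pack(">H", 0x8000 | 3) + b"\x00\x00\x01"  # NO-CIPHER
```

Run `classify_response()` over the three sample replies to see the three outcomes, then call `probe_sslv2("host.example", 443)` against a listener you own. A listener that answers an SSLv2 SERVER-HELLO is one a man-in-the-middle can hold at SSLv2; a TLS alert, an SSLv2 ERROR message, or a dropped connection means SSLv2 is refused. Because the rollback check that CVE-2005-2969 disables lives inside the RSA premaster-secret padding, the dependable defense is that the server never negotiates SSLv2 at all, which is what the FirePass check box enforces.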

CPE

Name        Operator  Version
firepass    le        5.x
big-ip ltm  le        9.2.0
big-ip asm  le        9.2.0
