SOL8106 - OpenSSL SSL_get_shared_ciphers vulnerability CVE-2007-5135

2007-11-15 00:00:00
support.f5.com
CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.962 High
Percentile: 99.4%

F5 Product Development has determined that the BIG-IP and Enterprise Manager products use a vulnerable version of OpenSSL; however, the vulnerable code is not used in either TMM or in Apache on the BIG-IP system. The vulnerability is considered to be a local vulnerability and cannot be exploited remotely.

F5 Product Development has determined that the FirePass product does not use the OpenSSL SSL_get_shared_ciphers functionality and is not vulnerable to the vulnerability described in this security advisory.

Information about this advisory is available at the following locations:

<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135>

<http://www.openssl.org/news/secadv_20071012.txt>

Note: The previous links take you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.

F5 Product Development tracked this issue as CR87335 for the BIG-IP LTM, GTM, ASM, Link Controller and WebAccelerator version 9.3 software branch and it was fixed in version 9.3.1. For more information about upgrading, refer to the BIG-IP LTM, GTM, ASM, and Link Controller release notes.

F5 Product Development tracked this issue as CR87358 for the BIG-IP LTM, GTM, ASM, Link Controller and WebAccelerator version 9.4 software branch and it was fixed in version 9.4.5. For information about upgrading, refer to the BIG-IP LTM, GTM, ASM, Link Controller and WebAccelerator release notes.

Additionally, this issue was fixed in Hotfix HF1 issued for BIG-IP 9.4.4. You may download this hotfix or later versions of the Hotfix from the F5 Downloads site.

F5 Product Development tracked this issue as CR87358 for Enterprise Manager and it was fixed in version 1.6.0. For information about upgrading, refer to the Enterprise Manager release notes.

For information about downloading software, refer to SOL167: Downloading software and firmware from F5.

For information about the F5 hotfix policy, refer to SOL4918: Overview of the F5 critical issue hotfix policy.

For information about how to manage F5 product hotfixes, refer to SOL6845: Managing F5 product hotfixes.
