SOL86772626 - OpenSSL vulnerability CVE-2015-3194

Vulnerability Recommended Actions

BIG-IP

Configuration utility

The Configuration utility is not vulnerable by default. To be vulnerable, the system administrator must modify the configuration to perform client-side certification authentication, such as when you perform the procedures in either of the following articles:

• SOL13981: Restricting access to the Configuration utility using client certificates (11.x)
• SOL15137: Configuring two-way SSL authentication to the Configuration utility

The result of a successful attack would be a disruption of service for the Configuration utility, iControl SOAP, and iControl REST. To mitigate the Configuration utility vulnerability, you should avoid modifying the configuration to perform client-side certification authentication. If that is not possible, F5 recommends that you permit access to the Configuration utility only over a secure network and limit access to trusted users.

HTTPS health monitors

The HTTPS health monitor is vulnerable by default. This vulnerability would require the BIG-IP system to be configured to monitor a malicious server. To mitigate this vulnerability, you should limit traffic between the BIG-IP system and pool members to trusted traffic.

big3d

The big3d process may be exposed to this vulnerability over the management port and for self IP addresses when the Port Lockdown feature is set to “Default”, “All”, or “Custom” with TCP port 4353 included. The impact for thebig3dprocess would be a temporary disruption in the communications between peer systems until the system automatically restarts thebig3dprocess. To mitigate this vulnerability for thebig3d process, you should limit connections to port 4353 to trusted hosts. For more information, refer to SOL13309: Restricting access to the Configuration utility by source IP address (11.x - 12.x).

Note: If you runbig3d_installon BIG-IP versions earlier than 11.5.0, it is possible that you may install a vulnerable version ofbig3don systems that are running non-vulnerable versions of the BIG-IP system. In this case, upgrade to a fixed version, or hotfix, and then refer to SOL13312: Overview of the BIG-IP GTM big3d_install, bigip_add, and gtm_add utilities (11.x) for information about runningbig3d_install to resolve the issue.

Note: Theiquery protocol used by the BIG-IP DNS system (formerly BIG-IP GTM) also uses port 4353. Ensure that all of the peer devices are included when you limit connections by IP address.

f5-rest-node packages

A vulnerable version of OpenSSL is included in the f5-rest-node RPM, which ships with the BIG-IP system; however, F5 does not support any instances where vulnerable JavaScript code is executed by this package.

Supplemental Information

• SOL9970: Subscribing to email notifications regarding F5 products
• SOL9957: Creating a custom RSS feed to view new and updated documents
• SOL4602: Overview of the F5 security vulnerability response policy
• SOL4918: Overview of the F5 critical issue hotfix policy
• SOL167: Downloading software and firmware from F5