NTP may not properly check the return value from the OpenSSL EVP_VerifyFinal function, which may allow a remote attacker to bypass validation of the certificate chain by way of a malformed SSL/TLS signature for DSA and ECDSA keys.
Note: This is a similar vulnerability to CVE-2008-5077. For information about CVE-2008-5077, refer to SOL9762: OpenSSL vulnerability - CVE-2008-5077.
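The flawed and corrected forms of the return-value check described above, as an added example (not code from NTP, OpenSSL, or F5). `stub_verify_final` is a hypothetical stand-in that mimics the 1 / 0 / -1 return convention of `EVP_VerifyFinal` so the block runs without OpenSSL, and the sample signatures are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Return convention documented for OpenSSL's EVP_VerifyFinal:
 *   1 = signature valid, 0 = signature invalid, -1 = error while verifying
 * (for example, a malformed DSA/ECDSA signature that cannot be decoded). */
enum { VERIFY_OK = 1, VERIFY_BAD = 0, VERIFY_ERROR = -1 };

/* Hypothetical stand-in for the real call (assumption, not an OpenSSL API).
 * Constructed inputs: "good" verifies, "forged" fails, anything else errors. */
static int stub_verify_final(const char *sig)
{
    if (strcmp(sig, "good") == 0)   return VERIFY_OK;
    if (strcmp(sig, "forged") == 0) return VERIFY_BAD;
    return VERIFY_ERROR;
}

/* Flawed pattern: only 0 is treated as failure, so the -1 error
 * result is non-zero and falls through to "accepted". */
int accept_flawed(const char *sig)
{
    if (!stub_verify_final(sig))
        return 0;   /* rejected */
    return 1;       /* accepted, including the -1 error case */
}

/* Corrected pattern: accept only on an explicit 1; 0 and -1 both reject. */
int accept_strict(const char *sig)
{
    return stub_verify_final(sig) == VERIFY_OK;
}

int main(void)
{
    const char *samples[] = { "good", "forged", "malformed" };  /* constructed */
    for (int i = 0; i < 3; i++)
        printf("%-10s flawed=%d strict=%d\n", samples[i],
               accept_flawed(samples[i]), accept_strict(samples[i]));
    return 0;
}
```

When auditing callers, look for `if (!EVP_VerifyFinal(...))` or a bare truthiness test on the result; the safe comparison is against exactly 1.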
Information about this advisory is available at the following location:
Note: This link takes you to a resource outside of AskF5, and it is possible that the information may be removed without our knowledge.
The FirePass, BIG-IP, and WebAccelerator products listed use a vulnerable version of NTP; however, these products are not subject to this vulnerability because, by default, these products do not use DSA and ECDSA certificates and keys for NTP.
F5 Product Development is tracking a change request, CR115608, to upgrade the NTP version used in FirePass and BIG-IP products.