Forum Discussion
Individual OpenSSL Upgrade
We have an F5 LTM virtual module and we need to mitigate CVE-2022-1292. We can see that they suggest we upgrade the OpenSSL version. Can someone let me know whether it is possible to upgrade only the OpenSSL version without upgrading TMOS?
==================================================================
Vulnerability Name:
OpenSSL 1.0.2 < 1.0.2ze Vulnerability
solution:
Upgrade to OpenSSL version 1.0.2ze or later.
additional information:
Path : /usr/bin/openssl
Reported version : 1.0.2za
Fixed version : 1.0.2ze
https://www.cve.org/CVERecord?id=CVE-2022-1292
http://www.nessus.org/u?f1567dce
https://www.openssl.org/news/secadv/20220503.txt
Keep in mind that TMOS implements its own version of SSL, and you can see what ciphers are supported at https://my.f5.com/manage/s/article/K000136126. The OS implementation would generally only be used for the HTTPS GUI, so that is the only 'attack vector'. If you restrict access to the HTTPS GUI to trusted networks, and don't expose it to the Internet, security dispensations are usually provided by audit/security teams.
That said, there is really no supported method of upgrading the OS version of OpenSSL without some 'hacking', and this may invalidate support. Generally, you want to upgrade the BIG-IP version of code and hence the underlying OpenSSL version.
- Aswin_mkCumulonimbus
Hello,
Please check the attached KB: OpenSSL vulnerabilities CVE-2022-1292 and CVE-2022-2068 (f5.com). As per this, F5 BIG-IP modules (all, including LTM) are not vulnerable and no fix is needed. Please let me know where you got the fix from.
abhishekmadhu - if either or both of these replies solved your problem please consider "Mark As Solution" to help other community members more quickly discover solutions.
Thanks!
- Aswin_mkCumulonimbus
Please let me know if you considered the alerts a false positive or applied any fixes.