Forum Discussion

abhishekmadhu's avatar
abhishekmadhu
Icon for Nimbostratus rankNimbostratus
Jul 25, 2024

Individual OpenSSL Upgrade

We have a F5 LTM Virtual module, we need to mitigate the "CVE-2022-1292" and we can see that they suggest us to upgrade the Open SSL Version, Can someone let me know is it possible to upgrade the only OpenSSL version without upgrading the TMOS.

==================================================================

Vulnerability Name:

OpenSSL 1.0.2 < 1.0.2ze Vulnerability

 

solution:

Upgrade to OpenSSL version 1.0.2ze or later.

 

additional information:


  Path             : /usr/bin/openssl
  Reported version : 1.0.2za
  Fixed version    : 1.0.2ze
https://www.cve.org/CVERecord?id=CVE-2022-1292
http://www.nessus.org/u?f1567dce
https://www.openssl.org/news/secadv/20220503.txt

security

4 Replies

Sort By
  • LiefZimmerman's avatar
    LiefZimmerman
    Icon for Admin rankAdmin
    Aug 16, 2024

    abhishekmadhu - if either or both of these replies solved your problem please consider "Mark As Solution" to help other community members more quickly discover solutions.

    Thanks! 

  • whisperer's avatar
    whisperer
    Icon for MVP rankMVP
    Jul 25, 2024

    Keep in mind that TMOS implements its own version of SSL, and you can see what ciphers are supported at https://my.f5.com/manage/s/article/K000136126. The OS implementation would generally only be used for the HTTPS GUI, so that is the only 'attack vector'. If you mitigate access to the HTTPS GUI to trusted networks, and dont expose it to the Internet, security dispensations are usually provided by audit/security teams.

    That said, there is really no supported method of upgrading the OS version of OpenSSL without some 'hacking' and this may invalidate support. Generally, you want to upgrade the BIG-IP version of code and hence the underlying OpenSSL verison.