Forum Discussion

kletourneau_124
Apr 09, 2014

Is my F5 4200 LTM vulnerable to the http://heartbleed.com exploit?

Get the latest updates on how F5 mitigates Heartbleed

 

Does F5 use any of the vulnerable versions of OpenSSL?

 

Status of different versions:

 

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable

 

  • F5's official response is here:

     

    http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html

     

  • Found the answer:

     

    https://devcentral.f5.com/articles/openssl-heartbleed-cve-2014-0160

     

  • Virtual servers using an SSL profile configured with the default Native SSL ciphers are not vulnerable. Only virtual servers using an SSL profile configured to use ciphers from the COMPAT SSL stack are vulnerable in BIG-IP 11.5.0 and 11.5.1. In addition, virtual servers that do not use SSL profiles and pass SSL traffic to the back-end web servers will not protect the back-end resource servers.
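
Added example (not part of any reply above, and not F5's code): a Python check that applies the two rules stated in this thread, the OpenSSL version ranges and the BIG-IP 11.5.0/11.5.1 plus COMPAT cipher condition, to a configuration file. The function names are hypothetical, the config is assumed to use `ltm profile client-ssl` stanzas as in bigip.conf, and the sample config is constructed.

```python
import re

AFFECTED_BIGIP = {"11.5.0", "11.5.1"}  # releases named in the thread
# Top-level closing brace is at column 0; nested blocks are indented.
PROFILE_RE = re.compile(r"^ltm profile client-ssl (\S+) \{(.*?)\n\}", re.S | re.M)

def openssl_vulnerable(version):
    """True for OpenSSL 1.0.1 through 1.0.1f, per the status list in the thread."""
    m = re.fullmatch(r"(\d+\.\d+\.\d+)([a-z]*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    base, letter = m.groups()
    return base == "1.0.1" and letter < "g"

def compat_profiles(conf):
    """Names of client-ssl profiles whose own cipher string enables COMPAT.
    Limitation: ciphers inherited through defaults-from are not resolved."""
    hits = []
    for name, body in PROFILE_RE.findall(conf):
        m = re.search(r"^\s*ciphers\s+(\S+)", body, re.M)
        tokens = m.group(1).split(":") if m else []
        # "!COMPAT" and "-COMPAT" remove the stack, so they do not count.
        if any("COMPAT" in t.upper() and t[0] not in "!-" for t in tokens):
            hits.append(name)
    return hits

def audit(bigip_version, conf):
    """Profiles exposed under the thread's rule: affected release AND COMPAT."""
    return compat_profiles(conf) if bigip_version in AFFECTED_BIGIP else []

# Constructed sample in bigip.conf style (not taken from a real device).
SAMPLE_CONF = """\
ltm profile client-ssl /Common/legacy_apps {
    ciphers DEFAULT:COMPAT
    defaults-from /Common/clientssl
}
ltm profile client-ssl /Common/web_native {
    cert-key-chain {
        default {
            cert /Common/default.crt
        }
    }
    ciphers DEFAULT:!COMPAT
}
"""

if __name__ == "__main__":
    for version in ("11.4.1", "11.5.1"):
        print(version, audit(version, SAMPLE_CONF))
```

Virtual servers that have no SSL profile and pass SSL straight to the back end are outside what this check can see; those back-end servers need the OpenSSL version test applied to them directly.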