Forum Discussion
JRahm
Admin
AdminNew OpenSSL vulnerability - CVE-2014-0224
Hey community, there's a new OpenSSL vulnerability out there in the wild. I say new, but...newly discovered. Turns out it's been there a while. Anyway, F5 solution 15325 for the details. A quick note...
The threat surface is very similar to Heartbleed - only the management port (which uses openssl) and users of the COMPAT ciphers in the dataplane. In our most recent survey, less than 1% of customers use those.
Possible iRule for extra credit: Because the attack appears to involve the use of an additional ChangeCipherSpec (CCS) message within in handshake, one could conceivable write an iRule that looked for this and then discarded the connection. Look to the Heartbleed iRules as a template.
For a very detailed explanation of 0224, here is a post Adam Langely from Google: https://www.imperialviolet.org/2014/06/05/earlyccs.html
