Forum Discussion
New OpenSSL vulnerability - CVE-2014-0224
Hey community, there's a new OpenSSL vulnerability out there in the wild. I say new, but...newly discovered. Turns out it's been there a while. Anyway, see F5 solution 15325 for the details. A quick note:
The vulnerability is with OpenSSL, not the F5 SSL Stack. So if you are offloading SSL with native ciphers on your BIG-IP, this is not a vulnerability for your traffic. The management interface uses OpenSSL, however, so it might be vulnerable based on your BIG-IP version; check the solution.
David Holmes is correct yet again that SSL is "this close to being completely broken!"
- JRahm, Admin
Missed this thread from yesterday.
- David_Holmes_9, Historic F5 Account
The threat surface is very similar to Heartbleed - only the management port (which uses openssl) and users of the COMPAT ciphers in the dataplane. In our most recent survey, less than 1% of customers use those.
Possible iRule for extra credit: Because the attack appears to involve the use of an additional ChangeCipherSpec (CCS) message within the handshake, one could conceivably write an iRule that looked for this and then discarded the connection. Look to the Heartbleed iRules as a template.
For a very detailed explanation of 0224, here is a post by Adam Langley from Google: https://www.imperialviolet.org/2014/06/05/earlyccs.html
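The check suggested in the reply above, sketched in Python rather than as an iRule; this is an added example, not code from the thread or from F5. The function names, the `resumed` flag and the rule itself (in a full handshake the client's CCS should follow its ClientKeyExchange) are assumptions, as is the simplification that handshake messages are not fragmented across records.

```python
import struct

CCS, HANDSHAKE, APP_DATA = 20, 22, 23   # TLS record content types
CLIENT_KEY_EXCHANGE = 16                # handshake message type

def tls_records(stream):
    """Yield (content_type, payload) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if off + 5 + length > len(stream):
            break                       # truncated record, stop parsing
        yield ctype, stream[off + 5:off + 5 + length]
        off += 5 + length

def handshake_types(payload):
    """Yield the type of each handshake message in a plaintext record."""
    off = 0
    while off + 4 <= len(payload):
        yield payload[off]
        off += 4 + int.from_bytes(payload[off + 1:off + 4], "big")

def check_client_stream(stream, resumed=False):
    """Classify the client-to-server records of an initial handshake.
    resumed=True: the caller saw the server resume a session, where a
    client CCS with no ClientKeyExchange is expected."""
    seen_cke, ccs_count = False, 0
    for ctype, payload in tls_records(stream):
        if ctype == APP_DATA:
            break                       # handshake finished
        if ctype == HANDSHAKE and ccs_count == 0:   # encrypted after CCS
            seen_cke = seen_cke or CLIENT_KEY_EXCHANGE in handshake_types(payload)
        elif ctype == CCS:
            ccs_count += 1
            if ccs_count > 1:
                return "drop: additional CCS"
            if not (seen_cke or resumed):
                return "drop: CCS before ClientKeyExchange"
    return "ok"

# Constructed sample streams (not captured traffic).
def rec(ctype, payload):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

def hs(msg_type, body):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

HELLO = rec(HANDSHAKE, hs(1, bytes(40)))
FINISHED = rec(HANDSHAKE, b"\xaa" * 40)             # stands in for ciphertext
NORMAL = HELLO + rec(HANDSHAKE, hs(CLIENT_KEY_EXCHANGE, bytes(130))) + rec(CCS, b"\x01") + FINISHED
EARLY = HELLO + rec(CCS, b"\x01") + FINISHED
EXTRA = NORMAL + rec(CCS, b"\x01")
```

A one-direction check like this needs the `resumed` hint from the server side of the connection, otherwise every resumed session would be dropped.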