Forum Discussion
squip_86995
Apr 07, 2014, Nimbostratus
OpenSSL and Heart Bleed Vuln
Get the latest updates on how F5 mitigates Heartbleed
Hi Team,
I know this question is eventually going to be asked - I may as well do it.
With the news today about the Heartblee...
HR_38560
Apr 08, 2014, Nimbostratus
So is 11.5.0 safe, or do we need to update?
- What_Lies_Bene1 (Apr 08, 2014, Cirrostratus): There is no update. v11.5 is vulnerable to this issue in two respects: 1) Where the Management Web GUI is concerned and 2) If any of your SSL Profiles contain cipher strings which contain compat ciphers but only if the client negotiates a compat cipher (which a hacker clearly would ensure happens).
- HR_38560 (Apr 08, 2014, Nimbostratus): OK, waiting for an update then. Had an upgrade scheduled for 11.5, but actually our 10.2.4 version is actually safer then :D
- BinaryCanary_19 (Apr 08, 2014, Historic F5 Account): I'm not a security expert, so you may want to verify this independently:
  1. The Native Stack on the BIG-IP v11.5.0 is not vulnerable.
  2. You can force use of the native stack by specifying "NATIVE" as your cipher suites list on your SSL profiles. On 11.5, there is a long list of ciphers supported by NATIVE, so this should not cause any significant loss of options for connecting clients.
- BinaryCanary_19 (Apr 08, 2014, Historic F5 Account): That said, I wouldn't update my production boxes to 11.5 just yet, unless there is a pressing need for a feature there. Usually good to give software a few months for other brave souls to test before you upgrade your critical devices.
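
An added example, not part of the thread and not F5 code: a small audit that lists the client SSL profiles whose cipher string switches on the COMPAT keyword, which is the condition the replies above describe. It assumes tmsh-style `ltm profile client-ssl` stanzas with an optionally quoted `ciphers` value, treats `!` and `-` as OpenSSL-style exclusion operators, and checks only the COMPAT keyword, not individual cipher names. The profile names and the config excerpt are constructed, and a profile whose parent is not in the file is left unflagged.

```python
import re

# Constructed bigip.conf excerpt (sample data, not taken from the thread).
SAMPLE_CONF = """\
ltm profile client-ssl /Common/web_native {
    ciphers NATIVE
}
ltm profile client-ssl /Common/web_legacy {
    ciphers "DEFAULT:COMPAT:!SSLv2"
}
ltm profile client-ssl /Common/web_child {
    defaults-from /Common/web_legacy
}
"""

def parse_profiles(conf):
    """Map profile name -> its own top-level 'ciphers' / 'defaults-from' values."""
    profiles, cur, depth = {}, None, 0
    for line in conf.splitlines():
        if depth == 0:  # a new top-level stanza starts here
            head = re.match(r"ltm profile client-ssl (\S+) \{", line)
            cur = profiles.setdefault(head.group(1), {}) if head else None
        elif depth == 1 and cur is not None:
            m = re.match(r'\s*(ciphers|defaults-from)\s+"?([^"]+?)"?\s*$', line)
            if m:
                cur[m.group(1)] = m.group(2)
        depth += line.count("{") - line.count("}")
    return profiles

def enables_compat(cipher_string):
    """True if COMPAT is switched on and not later removed ('-') or excluded ('!')."""
    enabled = False
    for tok in (t.strip() for t in cipher_string.upper().split(":")):
        if tok == "!COMPAT":
            return False  # assumption: '!' excludes permanently, as in OpenSSL
        if tok[:1] not in ("!", "-") and "COMPAT" in tok.split("+"):
            enabled = True
        elif tok == "-COMPAT":
            enabled = False
    return enabled

def compat_profiles(conf):
    """Profiles whose own or inherited (defaults-from) cipher string enables COMPAT."""
    profiles, flagged = parse_profiles(conf), []
    for name in profiles:
        node, seen = name, set()
        while node in profiles and node not in seen and "ciphers" not in profiles[node]:
            seen.add(node)
            node = profiles[node].get("defaults-from")
        if node in profiles and enables_compat(profiles[node].get("ciphers", "")):
            flagged.append(name)
    return flagged
```

`compat_profiles(SAMPLE_CONF)` flags `web_legacy` and also `web_child`, which has no `ciphers` line of its own and inherits the COMPAT string through `defaults-from`.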