squip_86995
Apr 07, 2014

OpenSSL and Heart Bleed Vuln

Hi Team,

I know this question is eventually going to be asked - I may as well do it.

With the news today about the Heartbleed OpenSSL Vulnerability (http://heartbleed.com) I wanted to confirm if we are at any risk. All of my LTM V11 and V10 instances are running OpenSSL 0.9.8x, which does not appear to be a vulnerable version of OpenSSL... Does the F5 hook into this when we Sign/Request SSL Certs? If so, we're sitting pretty, right?

Thanks.

Updates based on feedback:

Update 2: F5 have published a security advisory on this issue - http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html

  • The official AskF5 Solution is out: http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html (see also: https://devcentral.f5.com/s/articles/openssl-heartbleed-cve-2014-0160)
  • Virtual servers using an SSL profile configured with the default Native SSL ciphers are not vulnerable. Only virtual servers using an SSL profile configured to use ciphers from the COMPAT SSL stack are vulnerable in BIG-IP 11.5.0 and 11.5.1. In addition, virtual servers that do not use SSL profiles and pass SSL traffic to the back-end web servers will not protect the back-end resource servers.
  • OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable; OpenSSL 1.0.1g is NOT vulnerable; the OpenSSL 1.0.0 branch is NOT vulnerable; the OpenSSL 0.9.8 branch is NOT vulnerable.
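The version ranges in the last update are easy to misread when the only data you have is the banner from `openssl version` on each box (the letter suffix matters: 1.0.1f is affected, 1.0.1g is not). The classifier below is an added example, not code from this thread or from F5; it parses such banners and applies exactly the ranges the post lists. The function names, the constructed sample inventory, and the assumption that every 1.0.1 letter release after g carries the fix are mine.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the leading "OpenSSL a.b.c[letters]" of `openssl version` output,
# e.g. "OpenSSL 1.0.1e 11 Feb 2013" -> (1, 0, 1, "e").
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

Version = Tuple[int, int, int, str]


def parse_openssl_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch, letter) parsed from a banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return (int(major), int(minor), int(patch), letter)


def classify(banner: str) -> str:
    """Classify a banner as 'vulnerable', 'not vulnerable' or 'unknown' for CVE-2014-0160.

    Rules as stated in the post:
      1.0.1 through 1.0.1f (inclusive) -> vulnerable
      1.0.1g                           -> not vulnerable
      1.0.0 branch, 0.9.8 branch       -> not vulnerable
    Assumption added here: 1.0.1 letter releases after g also carry the fix.
    Anything outside these ranges is reported as 'unknown' rather than guessed.
    """
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    major, minor, patch, letter = v
    branch = (major, minor, patch)
    if branch == (1, 0, 1):
        # Letter suffixes sort alphabetically; the base 1.0.1 release has an
        # empty suffix, which compares below "a" and is therefore in range.
        return "vulnerable" if letter <= "f" else "not vulnerable"
    if branch in ((1, 0, 0), (0, 9, 8)):
        return "not vulnerable"
    return "unknown"


def find_vulnerable(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted host names whose banner falls in the vulnerable range."""
    return sorted(host for host, banner in inventory.items()
                  if classify(banner) == "vulnerable")


# Constructed sample inventory (host -> `openssl version` banner); not real hosts.
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 1.0.1e 11 Feb 2013",
    "web-02": "OpenSSL 1.0.1g 7 Apr 2014",
    "ltm-01": "OpenSSL 0.9.8x 10 May 2012",
    "app-03": "OpenSSL 1.0.0l 6 Jan 2014",
    "legacy": "OpenSSL 1.0.1 14 Mar 2012",
}

if __name__ == "__main__":
    for host, banner in SAMPLE_INVENTORY.items():
        print(f"{host:8} {banner:28} -> {classify(banner)}")
    print("vulnerable:", find_vulnerable(SAMPLE_INVENTORY))
```

This only tells you which OpenSSL library is installed. As the earlier update notes, on BIG-IP 11.5.0 and 11.5.1 the exposure of a virtual server depends on whether its SSL profile uses the COMPAT cipher stack rather than the native one, and SSL traffic passed through without an SSL profile is not protected at all, so the library version on the LTM itself is only part of the answer.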