Forum Discussion
OpenSSL Security Advisory [05 Jun 2014]
- ArieAltostratus
By default F5 does not use OpenSSL. Pending an official answer from F5 I would surmise that this newly discovered vulnerability does not affect F5-users. There are some (relatively rare) configurations that could use OpenSSL, but just as with Heartbleed there shouldn't be a problem if you use the default configuration for SSL (i.e. terminate SSL on the F5-device).
- What_Lies_Bene1Cirrostratus
I'd mostly concur with Arie here. If you're using TMOS v11.4 or earlier (including v10.x) you are completely unaffected regardless of your configuration.
-
If using v11.5.x TMM related SSL/TLS traffic (terminated on your F5) will only be affected if you are using COMPAT ciphers, see here for more detail on that: http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html.
-
If using V11.5.x HMS Management Traffic may be at risk but hopefully your management interface resides in a secure network and you don't manage via a public facing Self IP.
-
As above for iControl.
-
As above if the big3d running on your F5 (regardless of version) was installed by a GTM running v11.5.x.
A read through the Heartbleed SOL will give you a good idea of what uses OpenSSL etc. http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html
-
- ericc01_137807Nimbostratus
It is likely that the F5 APM product is vulnerable to the DTLS related vulnerabilities in the announcement. It is certainly the most concerning here as it meets the requirements of 1) running OpenSSL and 2) supporting DTLS.
DTLS support was added to the APM in version 10.1 (see: http://support.f5.com/kb/en-us/solutions/public/11000/200/sol11246.html)
- hooleylistCirrostratus
You can check this AskF5 SOL for the most current response from F5 on the recent OpenSSL vulnerabilities:
SOL15325 - OpenSSL vulnerability - CVE-2014-0224
Aaron
- Frank_30530Altocumulus
I have read SOL15325. It states that:
- All BIG-IP versions contain vulnerable client side code.
- Only virtual servers using an SSL profile configured to use ciphers from the COMPAT SSL stack are vulnerable in BIG-IP 11.5.0 and 11.5.1.
It is unclear to me if server side (SSLserver profile) sessions using the NATIVE cipher suite are vulnerable or not? I.e., what exactly is 'client side code'? Does 'client' refer to the 'client side' on the BIG-IP or does 'client side' refer to the OpenSSL client code?
It is unclear to me if a NATIVE cipher suite SSL server side connection (i.e., a VS with a serverssl profile) uses OpenSSL (might be vulnerable) or the hardware accelerator chips (not vulnerable).
F5 please clarify?
- Jeff_Costlow_10Historic F5 Account
Please see my article. CVE-2014-0224 is the worst vulnerability, but the article discusses all of them.
BIG-IP versions 11.5.0 and 11.5.1 contain OpenSSL 1.0.1 for the management GUI. These versions are vulnerable to CVE-2014-0224 only on the management interface. We'll be patching that soon. We'll be patching older releases which contain vulnerable client code over time.
BIG-IP 11.5.0 and 11.5.1 virtual servers doing TLS termination are not vulnerable. (Unless you are using COMPAT ciphers with 11.5.0 or 11.5.1. This is very rare.)
There are some tools that show virtual servers doing TLS termination as vulnerable. This is not correct for reasons that I hope I made clear in the article linked above.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com