Forum Discussion

Arun_6466
Dec 12, 2014

POODLE Bites

This vulnerability affects only those virtual servers with which you have associated SSL profiles. So, if we don't have any virtual servers associated with SSL profiles but we use in-band HTTPS management on the same interface (not the out-of-band management port), can anybody please help to confirm whether it is considered vulnerable or not?

 

Thanks.

 

4 Replies

  • Hi Arun,

     

    This URL may help: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip

     

    Starting with 11.5.0, the DEFAULT cipher string excludes SSLv3, so if you didn't have to explicitly enable it (to support older browsers), then it's not vulnerable.

     

    You can disable SSLv3 on the management GUI as described in the Management plane section of the above link.

     

    CVE-2014-8730 (POODLE 2.0) doesn't affect the management GUI. More info is here: https://devcentral.f5.com/articles/cve-2014-8730-padding-issue-8151

     

    Thanks.

     

  • Hi Dmitri,

     

    Thanks for your response. From this I understand that this issue doesn't affect the management interface. But I'm still concerned here, as in my case the traffic interface is used for management purposes as well.

     

    Can you please clarify this?

     

  • The management httpd process uses an OpenSSL SSL stack, which is not vulnerable. Self IPs used for management still hit the same httpd process that the management port does. Only SSL profiles are vulnerable, as they use F5's proprietary SSL stack, which is vulnerable.

     

  • Hi Brad Parker,

     

    This clears my concern. Thank you so much.
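The replies above rest on two claims a practitioner would want to verify on the box itself: that virtual servers with a client-ssl profile no longer negotiate SSLv3 once the cipher string excludes it, and that the httpd listener reached through a self IP behaves like the one on the management port. The classic check is `openssl s_client -connect host:443 -ssl3`, but current OpenSSL builds are usually compiled without SSLv3, so that flag is often unavailable. The following script is an added example written for this thread (it is not F5 code and was not posted in the discussion): it sends a raw SSLv3 ClientHello and reports whether the endpoint answers with an SSLv3 ServerHello, an alert, or a closed connection. The host names in the usage comment are placeholders, and the sample responses near the bottom are constructed by hand for offline checking, not captured from a BIG-IP.

```python
"""Probe a TLS endpoint for SSLv3 acceptance by sending a raw SSLv3 ClientHello.

Added example for this thread (not F5 code, not code posted in the discussion).
SSLv3 has no extensions, so a minimal ClientHello is a few dozen bytes; a server
that still negotiates SSLv3 answers with an SSLv3 ServerHello, one that has it
disabled answers with an alert or simply closes the connection.
"""
import socket
import struct

SSL3_VERSION = 0x0300
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02

# CBC and RC4 suites that SSLv3-era servers commonly accept; any one of them is
# enough to get a ServerHello back if the protocol version itself is allowed.
PROBE_SUITES = (0x002F, 0x000A, 0x0005, 0x0004)


def build_sslv3_client_hello(cipher_suites=PROBE_SUITES):
    """Return one TLS record containing an SSLv3 ClientHello (no extensions)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        struct.pack("!H", SSL3_VERSION)   # client_version = SSLv3
        + b"\x00" * 32                     # client random (fixed: a probe, not a real session)
        + b"\x00"                          # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                      # one compression method: null
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([CONTENT_HANDSHAKE]) + struct.pack("!HH", SSL3_VERSION, len(handshake)) + handshake


def classify_response(data):
    """Classify the first record the server sent back to the SSLv3 ClientHello.

    'sslv3-accepted'  SSLv3 ServerHello: the endpoint negotiates SSLv3 (POODLE-exposed)
    'rejected-alert'  TLS alert (typically protocol_version or handshake_failure)
    'closed'          connection closed without sending any record
    'unexpected'      anything else (non-TLS service, truncated data, other version)
    """
    if not data:
        return "closed"
    if len(data) < 5:
        return "unexpected"
    content_type, _record_version, _record_len = struct.unpack("!BHH", data[:5])
    if content_type == CONTENT_ALERT:
        return "rejected-alert"
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == HANDSHAKE_SERVER_HELLO:
        (server_version,) = struct.unpack("!H", data[9:11])   # ServerHello.server_version
        return "sslv3-accepted" if server_version == SSL3_VERSION else "unexpected"
    return "unexpected"


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSLv3 ClientHello and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "timeout"
        except ConnectionResetError:
            data = b""
    return classify_response(data)


# Constructed sample responses for offline checks (not captured from a BIG-IP).
SAMPLE_SSLV3_SERVER_HELLO = (
    b"\x16\x03\x00\x00\x2a"          # handshake record, version SSLv3, 42 bytes
    + b"\x02\x00\x00\x26"            # ServerHello, 38-byte body
    + b"\x03\x00" + b"\x11" * 32     # server_version SSLv3, server random
    + b"\x00"                        # empty session_id
    + b"\x00\x2f"                    # TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x00"                        # null compression
)
SAMPLE_PROTOCOL_VERSION_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"  # fatal (2) protocol_version (70)


if __name__ == "__main__":
    import sys
    # Usage (placeholder hosts): python sslv3_probe.py vip.example.net:443 selfip.example.net:443
    for target in sys.argv[1:]:
        host, _, port = target.partition(":")
        print("%-30s %s" % (target, probe(host, int(port or 443))))
```

Run it against each virtual server address that carries a client-ssl profile and against the self IP you use for in-band management. An `sslv3-accepted` on a virtual server means its client-ssl profile still allows SSLv3 and the cipher string needs the `!SSLv3` exclusion the linked article describes; `rejected-alert` or `closed` on the self IP is the behaviour the last reply describes for the httpd listener. Note that the probe only tells you whether SSLv3 is negotiable, which is the condition POODLE (CVE-2014-3566) needs; it says nothing about the separate TLS padding issue, CVE-2014-8730, which affects TLS versions as well.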