For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Paul_Roberts_16's avatar
Paul_Roberts_16
Icon for Nimbostratus rankNimbostratus
Jun 09, 2014

SSL irregularities in 10.2.4/11.4.1 LTMs. Vulnerable to Heartbleed or not?

So our network security team regularly sweeps our network looking for unpatched issues, and this week we recieved a whole pile of alerts about our LTMs and GTMs for the Heartbleed vulnerability on po...
application delivery
BIG-IP DNS
LTM
management
security
Paul_Roberts_16's avatar
Paul_Roberts_16
Icon for Nimbostratus rankNimbostratus
Jun 09, 2014

I will eventually, but I wanted to make sure I had my ducks very in a row before breaching the subject. They're not going to be terribly happy having to do an about-face over whether or not the Enterprise Manager is vulnerable when it's combined with the little detail that it will also make otherwise safe versions vulnerable.

 

I note with some concern that the page on the matter does not say anything about the relevant versions of Enterprise Manager actually being hotfixed or even patched. See also http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html

 

If they didn't actually fix that version then EM is likely still handing out a vulnerable binary because no one thought to look very closely at the statically linked binary with 1.0.1e-fips sealed up inside it.