F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Simon_Waters_13's avatar
Simon_Waters_13
Icon for Cirrostratus rankCirrostratus
Mar 19, 2015

Today's OpenSSL vulnerabilities - what are best channels for updates?

OpenSSL have given heads-up on release of high severity issue between 11am and 3pm today.

 

Have F5 been given advanced notice on these issues? e.g. Do they expect to issue a fix immediately the issues are made public?

 

What are the best channels for getting any information updates from F5 on this issue?

 

I'm already on the security announce email list, and following on twitter.

 

Appreciate F5 are in a tricky position because they can't simply roll vendor OpenSSL packages to clients, and in many cases there is more engineering to do to even establish when it is a problem.

 

On the other-hand we are all be getting quite good at this urgent patching malarky :(

 

management
security

1 Reply

  • amolari's avatar
    amolari
    Icon for Cirrostratus rankCirrostratus
    Mar 19, 2015

    Devcentral is the faster channel so far (past experience showed). Then, F5 publishes a SOL (sec advisory). Many times, a workaround is proposed (configuration of SSL profiles usually).

     

    F5 might change the way one can update its product in the future: allowing some base (OS) components to be individually updated, without the need of a SW hotfix.

     

    Updating OpenSSL might have some bad side-effects: I have seen that CRL imports (performed by OpenSSL on the BIGIP) is more resources intensive with the newer OpenSSL versions (such as in v11.6) than in previous ones.