CVE-2014-8730 Padding issue
Incorrect TLS padding could be accepted when terminating TLS 1.x CBC cipher connections. F5 has obtained CVE-2014-8730 for this issue.
This issue does not affect the management interface, only th...
Published Dec 08, 2014
Version 1.0
Jeff_Costlow_10
Historic F5 Account
Joined January 26, 2005
Jeff_Costlow_10
Dec 10, 2014
AES-128-SHA and AES-256-SHA are both CBC ciphers and are susceptible to this issue.
RC4-SHA is recommended over AES-CBC ciphers until you patch.
SSLLabs is looking for CBC ciphers. On my BIG-IP 11.6.0, the cipher string "RC4-SHA:HIGH:MEDIUM:!SSLv2:!SSLv3:!ADH:-AES:-MD5" removes the vulnerable AES-CBC ciphers and correctly leaves the AES-GCM ciphers.
You can use tmm --clientciphers to see the accepted ciphers. See solution 15194 https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15194.html
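To make concrete what "incorrect TLS padding could be accepted" means for CBC ciphers, the following added example (not from the original post and not F5 code) contrasts the padding rule TLS 1.x requires in RFC 5246 section 6.2.3.2 with a lax check that trusts only the final length byte. The lax variant is an assumed illustration of the failure class, not the actual BIG-IP logic; all function names and the sample record are constructed, and MAC verification is omitted.

```python
# Added illustration: TLS 1.x CBC padding validation on a decrypted record.
# Layout after decryption: content || MAC || padding bytes || padding_length

MAC_LEN = 20  # HMAC-SHA1 length, as used by the AES-128-SHA / AES-256-SHA suites


def tls_pad(data: bytes, block: int = 16) -> bytes:
    """Pad the TLS 1.x way: pad_len bytes of value pad_len, then the length byte."""
    pad_len = (-(len(data) + 1)) % block
    return data + bytes([pad_len]) * (pad_len + 1)


def lax_padding_ok(plaintext: bytes, mac_len: int = MAC_LEN) -> bool:
    """Assumed lax check: reads the length byte, never inspects the padding bytes."""
    if len(plaintext) < mac_len + 1:
        return False
    pad_len = plaintext[-1]
    return pad_len + 1 + mac_len <= len(plaintext)


def strict_padding_ok(plaintext: bytes, mac_len: int = MAC_LEN) -> bool:
    """TLS 1.x rule: every padding byte must equal the padding length value."""
    if len(plaintext) < mac_len + 1:
        return False
    pad_len = plaintext[-1]
    if pad_len + 1 + mac_len > len(plaintext):
        return False
    # Accumulate differences instead of returning early, so all bytes are read.
    # (Python gives no real constant-time guarantee; production code needs one.)
    diff = 0
    for b in plaintext[-(pad_len + 1):]:
        diff |= b ^ pad_len
    return diff == 0


# Constructed sample: 16 bytes of content plus a placeholder 20-byte MAC.
RECORD = b"GET / HTTP/1.1\r\n" + b"\xaa" * MAC_LEN
GOOD = tls_pad(RECORD)                      # 48 bytes, 11 padding bytes of 0x0b
TAMPERED = GOOD[:-5] + b"\x00" + GOOD[-4:]  # one padding byte altered

if __name__ == "__main__":
    for name, rec in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, "lax:", lax_padding_ok(rec), "strict:", strict_padding_ok(rec))
```

Only the strict check distinguishes the two records. RC4 and AES-GCM suites do not use this padding format.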