CVE-2014-8730 Padding issue
Incorrect TLS padding could be accepted when terminating TLS 1.x CBC cipher connections. F5 has obtained CVE-2014-8730 for this issue.
This issue does not affect the management interface, only th...
Published Dec 08, 2014
Version 1.0
Jeff_Costlow_10
Historic F5 Account
Joined January 26, 2005
Jeff_Costlow_10
Dec 11, 2014
Historic F5 Account
arai.a: Correct, this issue does not affect the management GUI.
goutham: Your proposed cipher string of "RC4-SHA" would avoid this issue as well as SSLv3 POODLE. However, RC4 has known weaknesses and should not be a long-term solution. I would suggest patching when possible.
Josh: Disabling ADH ciphers is probably not a problem for anyone; ADH is rarely used. I agree with your conclusion that AES-GCM may be restrictive until more browsers have been updated.
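
The padding issue described in the article can be illustrated with an added example (not F5's code and not part of the original thread): a check that looks only at the padding length byte accepts incorrect padding, while the check TLS 1.x requires (RFC 5246, section 6.2.3.2) demands that every padding byte equal the padding length. Function names, the 20-byte MAC length and the sample records are assumptions constructed for illustration.

```python
# Added example: validating CBC padding on a decrypted TLS 1.x record.
# Layout assumed: data || MAC || padding bytes || padding_length byte.

def lax_padding_ok(plaintext: bytes, block_size: int = 16) -> bool:
    """Lax check: only the final padding_length byte is examined."""
    if not plaintext or len(plaintext) % block_size:
        return False
    pad_len = plaintext[-1]
    return pad_len + 1 <= len(plaintext)


def strict_padding_ok(plaintext: bytes, block_size: int = 16,
                      mac_len: int = 20) -> bool:
    """TLS 1.x check: every padding byte must equal padding_length."""
    if not plaintext or len(plaintext) % block_size:
        return False
    pad_len = plaintext[-1]
    # Padding plus its length byte must still leave room for the MAC.
    if pad_len + 1 + mac_len > len(plaintext):
        return False
    padding = plaintext[-(pad_len + 1):]
    # Accumulate differences rather than returning on the first mismatch.
    diff = 0
    for b in padding:
        diff |= b ^ pad_len
    return diff == 0


def make_record(data_and_mac: bytes, padding: bytes) -> bytes:
    """Build a constructed decrypted record for the checks above."""
    return data_and_mac + padding + bytes([len(padding)])


# Constructed samples: 16 bytes of data plus a 20-byte placeholder MAC.
BODY = b"A" * 16 + b"M" * 20
GOOD = make_record(BODY, b"\x0b" * 11)   # padding bytes all equal 11
BAD = make_record(BODY, b"\x00" * 11)    # length byte 11, contents wrong


def check_samples() -> dict:
    """Return the verdict of both checks on both constructed records."""
    return {
        "lax": (lax_padding_ok(GOOD), lax_padding_ok(BAD)),
        "strict": (strict_padding_ok(GOOD), strict_padding_ok(BAD)),
    }


if __name__ == "__main__":
    print(check_samples())
```

The padding check does not replace MAC verification, which still has to follow it on every record.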