Getting FREAK-y with BIG-IP
Since it’s been about 3 months since POODLE, we’re clearly overdue for another major vulnerability in SSL and/or TLS. Fortunately for us, the research team at SmackTLS has released details of the FRE...
Published Mar 04, 2015
Version 1.0
BAMcHenry
Brian McHenry leads product management for Security solutions on the BIG-IP, NGINX, and Distributed Cloud data planes. In this role, he sets strategy for the growing $750M annual business for the Advanced WAF, SSL Orchestrator, Access Policy Manager, and NGINX App Protect products. McHenry takes pride in enabling F5’s customers to be successful as well as in improving their security postures to make the Internet a safer place. McHenry works across multiple groups at F5, including the Strategy Office, Office of the CTO, Marketing, Services, Support, and Sales. He is also a published writer and a frequent speaker at infosec conferences and events. He is a co-founder of Security B-Sides NYC, and committed to giving back to the Infosec community.
Ret. Employee
arai_a_5902
Nimbostratus
Mar 13, 2015
About sol16139,
I think removing the RSA key exchange ciphers for the HTTPS monitor is a difficult solution for many production sites.
Because many servers may accept RSA key exchange only.
And I know some users have started to use the HTTPS monitor over the internet, as BIG-IP is located on the internet (Virtual Edition on AWS). I think this vulnerability should be treated as a higher priority, shouldn't it?