CVE 2020-5902 Point Release with VS Client Authentication

Question

Just upgraded LTMs from version 12.1.3.0.0.378 to 12.1.5.2 Build 0.0.10 Point Release 2.

Have VSs that request Client Authentication, and an iRule that loops through the client certs, and scrutinizes the certificates.

The Point Release delivers the client certificates in a different format than version 12.1.3.0.0. This caused the iRule to reject the certificates.

So if you have a VS that request and examines client certificates, and are going to install a version that fixes CVE 2020-5902, please be aware that you may have to edit you iRule to look for a slightly different format.

ots02 · Answer

Thank you jaikumar_f5 for article K14204621.

jaikumar_f5 · Answer

Yes I've encountered this too. I had to change the Irule in my case.

K14204621: The X509::subject iRules command now returns the subject of the specified X509 certificate based on OpenSSL order

Forum Discussion

CVE 2020-5902 Point Release with VS Client Authentication

2 Replies

Recent Discussions

Can iRule be used to perform exception of IPI category based on Geolocation

Can iRule mask the payload content on event logs of security

minimum tmos software version for connect CIS (openshift)

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries HA

Related Content

Question & Answer: Regarding CVE-2020-5902

Guidance on Patching CVE-2020-5902

Using BIG-IQ to Address the CVE-2020-5902 Vulnerability

HTTP::Release

F5 BIG-IP Access Policy Manager (APM) - Google Authenticator and Microsoft Authenticator