Forum Discussion

6 Replies

  • Hi neeeewbie,

     

    ID              Affected Versions
    CVE-2022-2274   3.0.4
    CVE-2022-2097   3.0.0-3.0.4 and 1.1.1-1.1.1p

    The OpenSSL version in F5 does not seem to be affected by these vulnerabilities.

    [root@f5:Active:Standalone] config # openssl version
    OpenSSL 1.0.2u-fips  20 Dec 2019

    https://support.f5.com/csp/article/K48851448

    • neeeewbie

      Thanks for your kind attention.

      I saw this document,

      but development of versions prior to 1.1.0 is discontinued.

      Our device is using 1.0.2, so I am curious:

      is version 1.0.2 safe from this vulnerability?

      • Hi neeeewbie,

        OpenSSL Security Advisory [5 July 2022]
        =======================================
        
        Heap memory corruption with RSA private key operation (CVE-2022-2274)
        =====================================================================
        ...
        OpenSSL 1.1.1 and 1.0.2 are not affected by this issue.
        ...
        
        
        AES OCB fails to encrypt some bytes (CVE-2022-2097)
        ===================================================
        ...
        This issue affects versions 1.1.1 and 3.0.  It was addressed in the
        releases of 1.1.1q and 3.0.5 on the 5th July 2022.
        ...

         https://www.openssl.org/news/secadv/20220705.txt
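
Added example, not part of any post in the thread: a small checker that takes `openssl version` output and reports which of the two CVEs list that version, using only the affected ranges quoted above. The function names are hypothetical, and it matches on the version string alone, so a vendor build with backported fixes still has to be confirmed against the vendor's advisory.

```python
import re

# Affected ranges exactly as listed in the thread (inclusive bounds).
AFFECTED = {
    "CVE-2022-2274": [("3.0.4", "3.0.4")],
    "CVE-2022-2097": [("3.0.0", "3.0.4"), ("1.1.1", "1.1.1p")],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text):
    """Turn 'OpenSSL 1.0.2u-fips  20 Dec 2019' or '1.1.1p' into a sortable tuple."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, fix, letters = m.groups()
    # Letter patch levels order as '' < a < ... < z < za < zb, which
    # comparing (length, string) reproduces. Suffixes such as '-fips' are ignored.
    return (int(major), int(minor), int(fix), (len(letters), letters))


def affected_cves(version_output):
    """Return the sorted CVE IDs whose listed ranges contain this version."""
    v = parse_version(version_output)
    return sorted(
        cve
        for cve, ranges in AFFECTED.items()
        if any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in ranges)
    )


if __name__ == "__main__":
    samples = [
        "OpenSSL 1.0.2u-fips  20 Dec 2019",  # output quoted in the thread
        "OpenSSL 3.0.4",                      # constructed sample
        "OpenSSL 1.1.1p",                     # constructed sample
        "OpenSSL 1.1.1q",                     # constructed sample
    ]
    for line in samples:
        print(f"{line!r}: {affected_cves(line) or 'not in listed ranges'}")
```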