Forum Discussion

  • Arie

    By default F5 does not use OpenSSL. Pending an official answer from F5, I would surmise that this newly discovered vulnerability does not affect F5 users. There are some (relatively rare) configurations that could use OpenSSL, but just as with Heartbleed there shouldn't be a problem if you use the default configuration for SSL (i.e. terminate SSL on the F5 device).

  • I'd mostly concur with Arie here. If you're using TMOS v11.4 or earlier (including v10.x), you are completely unaffected regardless of your configuration.

    • If using v11.5.x, TMM-related SSL/TLS traffic (terminated on your F5) will only be affected if you are using COMPAT ciphers; see here for more detail on that: http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html

    • If using v11.5.x, HMS management traffic may be at risk, but hopefully your management interface resides in a secure network and you don't manage via a public-facing Self IP.

    • As above for iControl.

    • As above, if the big3d running on your F5 (regardless of version) was installed by a GTM running v11.5.x.

    A read through the Heartbleed SOL will give you a good idea of what uses OpenSSL, etc.: http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html

  • I have read SOL15325. It states that:

    • All BIG-IP versions contain vulnerable client side code.
    • Only virtual servers using an SSL profile configured to use ciphers from the COMPAT SSL stack are vulnerable in BIG-IP 11.5.0 and 11.5.1.

    It is unclear to me whether server-side (serverssl profile) sessions using the NATIVE cipher suite are vulnerable or not. I.e., what exactly is 'client side code'? Does 'client' refer to the 'client side' on the BIG-IP, or does 'client side' refer to the OpenSSL client code?

    It is unclear to me whether a NATIVE cipher suite SSL server-side connection (i.e., a VS with a serverssl profile) uses OpenSSL (might be vulnerable) or the hardware accelerator chips (not vulnerable).

    F5, please clarify?

  • Jeff_Costlow_10 (Historic F5 Account)

    Please see my article. CVE-2014-0224 is the worst vulnerability, but the article discusses all of them.

    BIG-IP versions 11.5.0 and 11.5.1 contain OpenSSL 1.0.1 for the management GUI. These versions are vulnerable to CVE-2014-0224 only on the management interface. We'll be patching that soon. We'll be patching older releases which contain vulnerable client code over time.

    BIG-IP 11.5.0 and 11.5.1 virtual servers doing TLS termination are not vulnerable. (Unless you are using COMPAT ciphers with 11.5.0 or 11.5.1. This is very rare.)

    There are some tools that show virtual servers doing TLS termination as vulnerable. This is not correct for reasons that I hope I made clear in the article linked above.
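The condition the thread keeps returning to is that, on 11.5.0/11.5.1, only virtual servers whose SSL profile selects ciphers from the COMPAT stack are exposed. As an added example (not code from any post here, F5, or SOL15325), the script below inventories that condition from bigip.conf-style profile blocks: it follows defaults-from inheritance and lists profiles whose effective cipher string contains a non-negated COMPAT token. The sample configuration and the assumed block layout are constructed for the example.

```python
import re

# Constructed sample shaped like bigip.conf / "tmsh list ltm profile" output (format is an assumption).
SAMPLE_CONF = """
ltm profile client-ssl /Common/legacy_ssl {
    ciphers "DEFAULT:COMPAT"
}
ltm profile client-ssl /Common/child_of_legacy {
    defaults-from legacy_ssl
}
ltm profile server-ssl /Common/hardened {
    ciphers "DEFAULT:!SSLv3:!COMPAT"
}
"""

# One profile block: "ltm profile <kind> <name> {" up to the closing "}" at column 0.
PROFILE_RE = re.compile(r"^ltm profile (client-ssl|server-ssl) (\S+) \{\n(.*?)^\}",
                        re.M | re.S)

def short_name(name):
    """'/Common/clientssl' and 'clientssl' name the same profile."""
    return name.rsplit("/", 1)[-1]

def parse_ssl_profiles(conf):
    """Map short profile name -> (own cipher string or None, parent name or None)."""
    profiles = {}
    for _kind, name, body in PROFILE_RE.findall(conf):
        ciphers = parent = None
        for line in body.splitlines():
            key, _, value = line.strip().partition(" ")
            if key == "ciphers":
                ciphers = value.strip().strip('"')
            elif key == "defaults-from":
                parent = short_name(value.strip())
        profiles[short_name(name)] = (ciphers, parent)
    return profiles

def effective_ciphers(profiles, name, seen=frozenset()):
    """Follow defaults-from until a profile that sets its own cipher string."""
    if name not in profiles or name in seen:  # unknown parent, or a cycle
        return None
    ciphers, parent = profiles[name]
    return ciphers if ciphers is not None else effective_ciphers(profiles, parent, seen | {name})

def compat_profiles(conf):
    """Profiles whose effective cipher string selects COMPAT; a '!COMPAT' token excludes it."""
    profiles = parse_ssl_profiles(conf)
    return sorted(n for n in profiles if any(
        tok.strip().upper() == "COMPAT"
        for tok in (effective_ciphers(profiles, n) or "").split(":")))
```

On a real unit the input would be the output of `tmsh list ltm profile client-ssl` and `tmsh list ltm profile server-ssl` saved to a file; any profile the script lists is one to review against the SOL before treating the virtual server as unaffected.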