Incorrect TLS padding could be accepted when terminating TLS 1.x CBC cipher connections. F5 has fetched CVE-2014-8730 for this issue.


This issue does not affect the management interface, only the traffic interfaces and does affect all released versions of BIG-IP except the latest version, 11.6.0.


Customers should upgrade to hotfixed releases. See the F5 solution article for this issue for more information.


If you cannot upgrade, then we advise using TLSv1.2 with AES-GCM ciphers (requires BIG-IP v11.5.0 or later and recent clients).


If you cannot upgrade and cannot use AES-GCM ciphers, then we recommend using RC4 ciphers until you can upgrade.

See this solution for more information on setting TLS cipher strings.