Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

SSL/TLS MITM vulnerability (CVE-2014-0224)

Hi folks

Did someone get already an official statement from F5 Networks about the latest vulnerability disclosed today? (not heartbleed!)

http://www.openssl.org/news/secadv_20140605.txt

Thanks for your reply

Sven

6
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

RedHat OpenSSL CCS Injection Vulnerability tool (CVE-2014-0224) https://access.redhat.com/labs/ccsinjectiontest identified VS on F5 (v.10.5.0 & v.10.5.1) as "Status: Vulnerable!"

1
Comments on this Answer
Comment made 05-Jun-2014 by Sven Leupold 175
Same here, but as F5 does not use openssl stack here, I think that this could be a false positive.
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

This answers some questions: http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html

TMM is not using openssl for SSL enabled virtual servers except you configure COMPAT ciphers on 11.5.x. The risk on the management traffic (configuration/iControl/big3d) is low as long as your management segment is separated.

But, still, F5 should provide an official statement that their SSL implementation is not affected.

0
Comments on this Answer
Comment made 05-Jun-2014 by Michael Kennedy 01 0
This tool released by redhat is indicating that my F5 sites (which don't use COMPAT ciphers) are affected: https://access.redhat.com/labs/ccsinjectiontest/ I'm eager to hear F5's official response.
1
Comment made 05-Jun-2014 by Sven Leupold 175
me too :-)
0
Comment made 06-Jun-2014 by Sven Leupold 175
Hello Team, Good Morning. Regarding OpenSSL vulnerability - CVE-2014-0224, F5 Product Development has now assigned ID 465799 (BIG-IP) to this vulnerability. To read more about this vulnerability for versions know to be vulnerable and not vulnerable, please see SOL15325 via the link below. We received a case closed message from F5 pointing to SOL15325: OpenSSL vulnerability - CVE-2014-0224 https://support.f5.com/kb/en-us/solutions/public/15000/300/sol15325.html
0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

There are a few threads open on this today, but I recommend reviewing https://devcentral.f5.com/questions/openssl-security-advisory-05-jun-2014 as it has the most technical details so far.

0