SSL/TLS MITM vulnerability (CVE-2014-0224)

Question

Hi folks&nbsp;
Did someone get already an official statement from F5 Networks about the latest vulnerability disclosed today? (not heartbleed!)&nbsp;
http://www.openssl.org/news/secadv_20140605.txt&nbsp;
Thanks for your reply&nbsp;
Sven&nbsp;

sven_leupold_85 · Answer

This answers some questions: http://support.f5.com/kb/en-us/solutions/public/13000/100/sol13163.html&nbsp;
TMM is not using openssl for SSL enabled virtual servers except you configure COMPAT ciphers on 11.5.x. The risk on the management traffic (configuration/iControl/big3d) is low as long as your management segment is separated.&nbsp;
But, still, F5 should provide an official statement that their SSL implementation is not affected. &nbsp;

sergey_83319 · Answer

RedHat OpenSSL CCS Injection Vulnerability tool (CVE-2014-0224) https://access.redhat.com/labs/ccsinjectiontest
identified VS on F5 (v.10.5.0 &amp; v.10.5.1) as "Status: Vulnerable!"&nbsp;

michael_kenned1 · Answer

This tool released by redhat is indicating that my F5 sites (which don't use COMPAT ciphers) are affected: https://access.redhat.com/labs/ccsinjectiontest/

I'm eager to hear F5's official response.

sven_leupold_85 · Answer

me too :-)

sven_leupold_85 · Answer

Same here, but as F5 does not use openssl stack here, I think that this could be a false positive.

Forum Discussion

SSL/TLS MITM vulnerability (CVE-2014-0224)

7 Replies

Recent Discussions

google autenticator broken barcode

Error while running ansible

ASM instance creation

[ASM] - what is "Browser Challange file" ?

[ASM] - HTML5 Cross-Domain Request Enforcement - CLI command

Related Content

CVE-2014-0224 Change Cipher Spec detection tools

F5 ICAP over SSL/TLS (Secure ICAP) with F5 ASM/AWAF Antivirus Protection feature

TLS Fingerprinting to profile SSL/TLS clients without decryption

CLIENT_HELLO SSL TLS version insert

F5 Server SSL Profile using TLS 1.0 instead of TLS 1.2