OpenSSL and management console

Question

I am running 11.4.1 HF8.  The management console is still using OpenSSL 0.9.8y, which our internal security scanner doesn't like.  Is there a patch that I missed, or is that the current supported version?  I can always argue that it's internal and can therefore ignore the vulnerability, but I'd like to make it go away if I can.&nbsp;
Thanks for any help.&nbsp;

kharsma_176894 · Answer

I believe hat is the current standard for 11.4.x code, starting in the 11.5.x code they updated OpenSSL to OpenSSL 1.0.1e-fips. What vulnerabilities are you getting from your scan? Also, F5 only uses the OpenSSL (COMPAT) stack on the management port, and https monitors(I'm not 100% on this), unless you've changed your cipher-text on the SSL profiles from 'DEFAULT'.

scogran · Answer

Ya, the virtual servers are fine. No issues there. This only affects the management console. It shows up as "multiple openSSL vulnerabilities" as 0.9.8.y is 2 years old and 0.9.8.za fixed a lot of stuff last year. Once we finish removing SSLv3 from our environment, I can upgrade to 11.5 or 11.6, which appears to use a newer version.

Forum Discussion

OpenSSL and management console

2 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

import live updates from version x to version y

Tenant image upgrade

Related Content

Federated AWS Console Access Made Easy: F5 BIG-IP Access Policy Manager Access Guided Configurations

Deploy WAF on any Edge with F5 Distributed Cloud (SaaS Console, Automation)

Demo Guide: F5 Distributed Cloud DNS (SaaS Console)

Minimizing Security Complexity: Managing Distributed WAF Policies

Demo Guide: Edge Compute with F5 Distributed Cloud Services (SaaS Console, Automation)