Original Publication Date: 04/08/2014
Updated Date: 04/08/2014
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.(CVE-2014-0160)
Systems that are vulnerable can be exploited to retrieve information from memory. That information may include the private keys used for TLS/DTLS.
- Virtual servers using an SSL profile configured with the default Native SSL ciphers are not vulnerable. Only virtual servers using an SSL profile configured to use ciphers from the Compat SSL stack are vulnerable. In addition, back-end resources are not protected by virtual servers that do not use SSL profiles and pass SSL traffic directly through to the back-end web servers.
- The Configuration utility on the management interface is vulnerable.
- Clients using the BIG-IP Edge client for Android are not vulnerable to this vulnerability. However, clients using the BIG-IP Edge client for Windows, Mac OS, or Linux are vulnerable if they are used to connect to a compromised FirePass or BIG-IP APM system.
F5 Product Development has assigned ID 456033 (BIG-IP) to this vulnerability.
To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:
| Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature |
| BIG-IP LTM | 11.5.0 - 11.5.1 | 11.0.0 - 11.4.1 10.0.0 - 10.2.4 |
Configuration utility Compat SSL ciphers |
| BIG-IP AAM | 11.5.0 - 11.5.1 | 11.4.0 - 11.4.1 | Configuration utility Compat SSL ciphers |
| BIG-IP AFM | 11.5.0 - 11.5.1 | 11.3.0 - 11.4.1 | Configuration utility Compat SSL ciphers |
| BIG-IP Analytics | 11.5.0 - 11.5.1 | 11.0.0 - 11.4.1 | Configuration utility Compat SSL ciphers |
| BIG-IP APM | 11.5.0 - 11.5.1 | 11.0.0 - 11.4.1 10.1.0 - 10.2.4 |
Configuration utility Compat SSL ciphers |
| BIG-IP ASM | 11.5.0 - 11.5.1 | 11.0.0 - 11.4.1 10.0.0 - 10.2.4 |
Configuration utility Compat SSL ciphers |
| BIG-IP Edge Gateway | None | 11.0.0 - 11.3.0 10.1.0 - 10.2.4 |
None |
| BIG-IP GTM | 11.5.0 - 11.5.1 | 11.0.0 - 11.4.1 10.0.0 - 10.2.4 |
Configuration utility Compat SSL ciphers |
| BIG-IP Link Controller | 11.5.0 - 11.5.1 | 11.0.0 - 11.4.1 10.0.0 - 10.2.4 |
Configuration utility Compat SSL ciphers |
| BIG-IP PEM | 11.5.0 - 11.5.1 | 11.3.0 - 11.4.1 | Configuration utility Compat SSL ciphers |
| BIG-IP PSM | 11.5.0 - 11.5.1 | 11.0.0 - 11.4.1 10.0.0 - 10.2.4 |
Configuration utility Compat SSL ciphers |
| BIG-IP WebAccelerator | None | 11.0.0 - 11.3.0 10.0.0 - 10.2.4 |
None |
| BIG-IP WOM | None | 11.0.0 - 11.3.0 10.0.0 - 10.2.4 |
None |
| ARX | None | 6.0.0 - 6.4.0 | None |
| Enterprise Manager | None | 3.0.0 - 3.1.1 2.1.0 - 2.3.0 |
None |
| FirePass | None | 7.0.0 6.0.0 - 6.1.0 |
None |
| BIG-IQ Cloud | None | 4.0.0 - 4.3.0 | None |
| BIG-IQ Device | None | 4.2.0 - 4.3.0 | None |
| BIG-IQ Security | None | 4.0.0 - 4.3.0 | None |
| BIG-IP Edge Clients for Android | None | 2.0.3 - 2.0.4 | None |
| BIG-IP Edge Clients for Apple iOS | 2.0.0 - 2.0.1 1.0.5 |
1.0.0 - 1.0.4 | VPN |
| BIG-IP Edge Clients for Linux | 7080 - 7101 | 6035 - 7071 | VPN |
| BIG-IP Edge Clients for MAC OS X | 7080 - 7101 | 6035 - 7071 | VPN |
| BIG-IP Edge Clients for Windows | 7080 - 7101 | 6035 - 7071 | VPN |
If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the table does not list any version in the column, then no upgrade candidate currently exists.
To mitigate this vulnerability, you should consider the following recommendations:
- Limit the Configuration utility access to a trusted management network.
- Use only Native SSL stack ciphers. Do not use ciphers from the Compat SSL stack. For information about the Native and Compat ciphers, refer toSOL13163: SSL ciphers supported on BIG-IP platforms (11.x).
- Back-end resources are not protected by virtual servers that do not use SSL profiles and pass SSL traffic through to the back-end web servers. When possible, you should protect back-end resources by using SSL profiles to terminate SSL at the BIG-IP.
http://filippo.io/Heartbleed/
Wednesday, April 9, 2014
Powered by WHMCompleteSolution
