K12853 : OpenSSL vulnerability CVE-2008-7270

Security Advisory Description

Note: For information about signing up to receive security notice updates from F5, refer to K9970: Subscribing to email notifications regarding F5 products.

Note: F5 has not evaluated specific versions that are not listed in this article for vulnerability to this security advisory. For information about the F5 security policy regarding evaluating older and unsupported versions of F5 products, refer to K4602: Overview of the F5 security vulnerability response policy.

F5 products and versions that have been evaluated for this Security Advisory

BIG-IP GTM| None| *9.2.2 - 9.4.8
*10.0.0 - 10.2.4
11.x
BIG-IP ASM| None| *9.2.0 - 9.4.8
*10.0.0 - 10.2.4
11.x

BIG-IP Link Controller| None| *9.2.2 - 9.4.8
*10.0.0 - 10.2.4
11.x
BIG-IP WebAccelerator| None| *9.4.0 - 9.4.8
*10.0.0 - 10.2.4
11.x
BIG-IP PSM| None| *9.4.5 - 9.4.8
*10.0.0 - 10.2.4
11.x

BIG-IP WAN Optimization| None| *10.0.0 - 10.2.4
11.x
BIG-IP APM| None| *10.1.0 - 10.2.4
11.x
BIG-IP Edge Gateway| None| *10.1.0 - 10.2.4
11.x
BIG-IP Analytics| None| 11.x
BIG-IP AFM| None| 11.x
BIG-IP PEM
| None| 11.x
BIG-IP AAM| None| 11.x
FirePass| None| *5.0.0 - 5.5.2
*6.0.0 - 6.1.0
*7.0.0
Enterprise Manager| None| *1.0.0 - 1.8.0
*2.0.0 - 2.2.0
3.x
ARX| None| *3.2.1 - 3.2.3
*4.0.1 - 4.1.3
*5.0.0 - 5.3.1
*6.0.0 - 6.3.0

• F5 Product Development has determined that these specific product versions are not vulnerable to the OpenSSL session cache issue indicated by CVE-2008-7270. While these product versions may allow a client to change the ciphersuite on a subsequent connection, the system allows the client to change to only a cipher that the server has enabled. F5 Product Development has declared that this is intended behavior and that the behavior does not introduce a security implication.

However, these product versions use a version of OpenSSL that is affected by this vulnerability when the OpenSSL version is compiled and configured differently than the way F5 compiles and configures it. As a result, Nessus or other vulnerability scanners may incorrectly report these listed product versions as vulnerable to CVE-2008-7270. Nessus plugin 51892 looks beyond the banner string and actually verifies the behavior. While the plugin shows that the client can change the cipher, the client cannot change it to a disallowed cipher.

Vulnerability description

OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.

Information about this advisory is available at the following location:

Note: This link takes you to a resource outside of AskF5, and it is possible that the documents may be removed without our knowledge.

<https://vulners.com/cve/CVE-2008-7270&gt;