Jun 19, 2014 - 12:00 a.m.

K15278 : SSL renegotiation vulnerability CVE-2011-1473

my.f5.com

AI Score: 6.2 Medium (Confidence: High)

EPSS: 0.598 Medium (Percentile: 97.8%)

Security Advisory Description

DISPUTED OpenSSL before 0.9.8l, and 0.9.8m through 1.x, does not properly restrict client-initiated renegotiation within the SSL and TLS protocols, which might make it easier for remote attackers to cause a denial of service (CPU consumption) by performing many renegotiations within a single connection, a different vulnerability than CVE-2011-5094. NOTE: it can also be argued that it is the responsibility of server deployments, not a security library, to prevent or limit renegotiation when it is inappropriate within a specific environment. (CVE-2011-1473)

CVE-2011-1473 is classified as Disputed by NIST. F5 does not consider this a vulnerability, but a condition inherent to the processing resources required to negotiate a Secure Sockets Layer (SSL) connection.

Impact

There is no impact; F5 products are not affected by this vulnerability.
