Aug 11, 2016 - 12:00 a.m.

K21531693 : libssh2 vulnerability CVE-2016-0787

my.f5.com

AI Score: 5.7 Medium (Confidence: High)

EPSS: 0.005 Low (Percentile: 77.6%)

Security Advisory Description

The diffie_hellman_sha256 function in kex.c in libssh2 before 1.7.0 improperly truncates secrets to 128 or 256 bits, which makes it easier for man-in-the-middle attackers to decrypt or intercept SSH sessions via unspecified vectors, aka a “bits/bytes confusion bug.” (CVE-2016-0787)

Impact

BIG-IQ, F5 iWorkflow, Enterprise Manager, FirePass, and Traffix SDC

There is no impact. These F5 products are not affected by this vulnerability.

ARX and LineRate

This vulnerability may allow unauthorized disclosure of information.

BIG-IP

In default configurations, there is no impact. This vulnerability is only exposed when using the secure shell (SSH) protocol within the cURL utility. For example, using the SSH/SFTP functionality within the cURL utility interactively or within a script, or configuring a custom Extended Application Verification (EAV) monitor which uses SSH/SFTP from within the cURL utility.

Note: Built-in monitors are not affected by this vulnerability.
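
The following is an added example, not code from F5 or the libssh2 project: a shell check for the two exposure conditions described above, namely a cURL build linked against libssh2 older than 1.7.0 and scripts or custom monitors that call cURL with an SSH-based URL. It assumes the `libssh2/x.y.z` token that `curl --version` prints for libssh2-backed builds; the function names and sample banners are constructed for illustration. Vendor-patched builds can keep an older version string, so an "affected" result is a prompt to confirm fix status with the vendor.

```shell
#!/bin/sh
# Added example: classify a `curl --version` banner against the libssh2
# release named in the advisory, and flag curl calls that use SSH transports.

FIXED_LIBSSH2="1.7.0"   # advisory text: "libssh2 before 1.7.0"

# ver_lt A B: succeed when dotted version A sorts strictly before B.
ver_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$first" = "$1" ]
}

# classify_curl_banner BANNER: prints affected | fixed | no-libssh2.
classify_curl_banner() {
    # Extract the version from a "libssh2/x.y.z" token, if one is present.
    v=$(printf '%s\n' "$1" | sed -n 's|.*libssh2/\([0-9][0-9.]*\).*|\1|p' | head -n 1)
    if [ -z "$v" ]; then
        echo "no-libssh2"      # this curl build has no libssh2 backend listed
    elif ver_lt "$v" "$FIXED_LIBSSH2"; then
        echo "affected"
    else
        echo "fixed"
    fi
}

# curl_ssh_lines FILE: print numbered lines where curl is given an sftp:// or
# scp:// URL. URLs assembled from variables are not caught by this pattern.
curl_ssh_lines() {
    grep -nE 'curl[^|;]*(sftp|scp)://' "$1"
}

# Constructed sample banners (not captured from a real system).
SAMPLE_OLD='curl 7.47.1 (x86_64-pc-linux-gnu) libcurl/7.47.1 OpenSSL/1.0.2g zlib/1.2.8 libssh2/1.6.0'
SAMPLE_NEW='curl 7.50.1 (x86_64-pc-linux-gnu) libcurl/7.50.1 OpenSSL/1.0.2h zlib/1.2.8 libssh2/1.7.0'
SAMPLE_NONE='curl 7.47.1 (x86_64-pc-linux-gnu) libcurl/7.47.1 OpenSSL/1.0.2g zlib/1.2.8'

for banner in "$SAMPLE_OLD" "$SAMPLE_NEW" "$SAMPLE_NONE"; do
    printf '%s\n' "$(classify_curl_banner "$banner")"
done
```

On a live host, pass the first line of `curl --version` to `classify_curl_banner` and run `curl_ssh_lines` over each custom monitor script.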