The tls_decrypt_ticket function in ssl/t1_lib.c in OpenSSL before 1.1.0 does not consider the HMAC size during validation of the ticket length, which allows remote attackers to cause a denial of service via a ticket that is too short. (CVE-2016-6302)
Impact
Remote attackers may exploit this vulnerability to cause a denial of service (DoS).
The BIG-IP system becomes vulnerable when custom binaries are installed that use the BIG-IP OpenSSL library to implement the SHA512 HMAC digest for TLS session tickets. F5 does not support installing custom binaries onto the BIG-IP system.
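The length validation described in the CVE text can be modelled as follows. This is an added example, a simplified model and not code from OpenSSL or F5. The ticket layout (key name, IV, encrypted state, trailing HMAC), the 16-byte field sizes, the constant minimum of 48 and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed layout for this model: key name | IV | encrypted state | HMAC */
#define KEYNAME_LEN   16  /* assumed key-name field size */
#define IV_LEN        16  /* assumed IV size (AES-CBC) */
#define FIXED_MIN_LEN 48  /* assumed constant minimum that ignores the HMAC size */

/* Before: the ticket length is compared with a constant only. */
static int length_ok_fixed(size_t ticket_len, size_t mac_len)
{
    (void)mac_len;                 /* the HMAC size plays no part in the check */
    return ticket_len >= FIXED_MIN_LEN;
}

/* After: the minimum covers key name, IV and HMAC, plus at least one
 * byte of encrypted state. */
static int length_ok_with_mac(size_t ticket_len, size_t mac_len)
{
    return ticket_len > KEYNAME_LEN + IV_LEN + mac_len;
}

/* Length left for the MAC computation once the trailing HMAC is stripped.
 * Signed on purpose so that an underflow shows up as a negative number. */
static long mac_input_len(size_t ticket_len, size_t mac_len)
{
    return (long)ticket_len - (long)mac_len;
}

int main(void)
{
    const size_t mac_sizes[]   = { 32, 64 };        /* SHA-256, SHA-512 HMAC */
    const size_t ticket_lens[] = { 40, 48, 80, 97 };/* constructed sample lengths */

    printf("%-8s %-8s %-6s %-9s %s\n",
           "ticket", "hmac", "fixed", "with_mac", "mac_input_len");
    for (size_t m = 0; m < sizeof mac_sizes / sizeof mac_sizes[0]; m++)
        for (size_t t = 0; t < sizeof ticket_lens / sizeof ticket_lens[0]; t++)
            printf("%-8zu %-8zu %-6d %-9d %ld\n",
                   ticket_lens[t], mac_sizes[m],
                   length_ok_fixed(ticket_lens[t], mac_sizes[m]),
                   length_ok_with_mac(ticket_lens[t], mac_sizes[m]),
                   mac_input_len(ticket_lens[t], mac_sizes[m]));
    return 0;
}
```

In the model, a 48-byte ticket with a 64-byte HMAC passes the constant check while the remaining length is negative; the check that includes the HMAC size rejects it.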