The BIG-IP Client or Server SSL profile ignores revoked certificates, even when a valid CRL is present. This impacts SSL/TLS connections and may result in a man-in-the-middle attack on the connections. (CVE-2020-5913)
Impact
The BIG-IP system does not enforce Transport Layer Security (TLS) certificate chain restrictions as expected. As a result, SSL/TLS connections are encrypted but may be vulnerable to man-in-the-middle attacks. This vulnerability affects systems that have the following settings in their configuration and connections that use a BIG-IP Client SSL or Server SSL profile:
Beginning in BIG-IP 14.x, HTTPS monitors that have in-Traffic Management Microkernel (in-TMM) monitoring enabled and use Server SSL profiles are also affected by this vulnerability. For more information on in-TMM monitoring, refer to K11323537: Configuring In-TMM monitoring.
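The defect described above is the absence of a revocation check, so it helps to be explicit about what a correct check has to do before it accepts a peer certificate. The following is an added example, not F5 code and not a description of how the BIG-IP profile is implemented: it uses the Python `cryptography` library and builds a throwaway CA, two leaf certificates and two CRLs in memory (all names and serial numbers are constructed for the example). The status function shows the three decisions a TLS profile must make before trusting a CRL (CA signature, issuer match, freshness) and then rejects any serial the CRL lists.

```python
"""Added example (not F5 code): the revocation check a TLS peer-certificate
validator must perform when a CRL is configured.  Everything here (CA, leaf
certificates, CRLs) is constructed in memory for the example."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID

# Naive UTC "now"; the x509 builders treat naive datetimes as UTC.
NOW = datetime.now(timezone.utc).replace(tzinfo=None)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _key():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def make_ca(cn="Constructed Test CA"):
    """Self-signed CA used to sign both the leaf certificates and the CRL."""
    key = _key()
    cert = (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(_name(cn))
            .public_key(key.public_key()).serial_number(1)
            .not_valid_before(NOW - timedelta(days=1))
            .not_valid_after(NOW + timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert


def issue_leaf(ca_key, ca_cert, cn, serial):
    """Leaf certificate signed by the CA (hypothetical names and serials)."""
    return (x509.CertificateBuilder()
            .subject_name(_name(cn)).issuer_name(ca_cert.subject)
            .public_key(_key().public_key()).serial_number(serial)
            .not_valid_before(NOW - timedelta(days=1))
            .not_valid_after(NOW + timedelta(days=30))
            .sign(ca_key, hashes.SHA256()))


def build_crl(signing_key, issuer_cert, revoked_serials, last_update, next_update):
    """CRL listing the given serials; signed with whatever key is passed in."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_cert.subject)
               .last_update(last_update).next_update(next_update))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(last_update).build())
    return builder.sign(signing_key, hashes.SHA256())


def peer_cert_status(cert, ca_cert, crl):
    """Return 'ok', 'revoked', or the reason the check cannot be trusted.

    Anything other than 'ok' should cause the handshake to be rejected; a
    CRL that cannot be validated is not a reason to skip revocation checking.
    """
    # 1. The peer certificate itself must chain to the configured CA.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "chain-bad-signature"
    # 2. The CRL must be signed by that same CA, for that issuer.
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "crl-bad-signature"
    if crl.issuer != ca_cert.subject or crl.issuer != cert.issuer:
        return "crl-wrong-issuer"
    # 3. The CRL must still be current.
    if crl.next_update is not None and crl.next_update < NOW:
        return "crl-stale"
    # 4. Only now does the serial lookup mean anything.
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"


def demo():
    """Exercise the check with a good leaf, a revoked leaf, and bad CRLs."""
    ca_key, ca_cert = make_ca()
    good = issue_leaf(ca_key, ca_cert, "good.example.test", 1001)
    bad = issue_leaf(ca_key, ca_cert, "revoked.example.test", 1002)
    current = build_crl(ca_key, ca_cert, [1002], NOW - timedelta(hours=1), NOW + timedelta(days=7))
    stale = build_crl(ca_key, ca_cert, [1002], NOW - timedelta(days=10), NOW - timedelta(days=1))
    forged = build_crl(_key(), ca_cert, [1001], NOW - timedelta(hours=1), NOW + timedelta(days=7))
    return {
        "good": peer_cert_status(good, ca_cert, current),
        "revoked": peer_cert_status(bad, ca_cert, current),
        "stale_crl": peer_cert_status(bad, ca_cert, stale),
        "forged_crl": peer_cert_status(good, ca_cert, forged),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:12s} -> {status}")
```

The point of the four outcomes is that "revoked" is only one of the failure paths: a stale or unsigned CRL also fails the handshake closed, because falling through to "ok" when the CRL cannot be trusted produces exactly the situation the advisory describes, an encrypted connection to a peer whose certificate should have been rejected.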