Important: For the hotfixes noted previously, the included version of OpenSSL has not been changed. F5 has patched the existing version of OpenSSL to resolve this vulnerability. As a result, on a patched BIG-IP system, the OpenSSL version is still OpenSSL 1.0.1e-fips. For more information about installed hotfix versions, refer to SOL13123: Managing BIG-IP product hotfixes (11.x).
BIG-IP Edge Client fixes
This issue has been fixed for BIG-IP Edge Clients for Windows, Mac OS, and Linux in BIG-IP APM 11.5.1 HF2, and 11.5.0 HF3. This issue has also been fixed for BIG-IP Edge Clients for Windows, Mac OS, and Linux in an engineering hotfix in other BIG-IP APM versions. You can obtain the engineering hotfix by contacting [F5 Technical Support](http://www.f5.com/training-support/customer-support/contact/) and referencing this article number and the associated ID number. Note that engineering hotfixes are intended to resolve a specific software issue until a suitable minor release, maintenance release, or cumulative hotfix rollup release is available that includes the software fix. For more information, refer to SOL8986: F5 software lifecycle policy.
Recommended action
You can eliminate this vulnerability by running a version listed in the Versions known to be not vulnerable column. If the Versions known to be not vulnerable column does not list a version that is higher than the version you are running, then no upgrade candidate currently exists.
Upgrading to a version known to be not vulnerable, or taking steps to mitigate this vulnerability, does not eliminate possible damage that may have already occurred as a result of this vulnerability. After upgrading to a version that is known to be not vulnerable, consider the following components that may have been compromised by this vulnerability:
SSL profile certificate/key pairs
The BIG-IP SSL profiles may reference SSL certificate/key pairs that were compromised. For information about creating new SSL certificate/key pairs for SSL profiles, refer to the following articles:
SOL14620: Managing SSL certificates for BIG-IP systems
SOL14534: Creating SSL certificates and keys with OpenSSL (11.x)
SOL13579: Generating new default certificate and key pairs for BIG-IP SSL profiles
BIG-IP device certificate/key pairs
The BIG-IP system may have a device certificate/key pair that was compromised. For information about creating new SSL certificate/key pairs, refer to the following articles:
Important: After you generate a new device certificate and private key pair, you will need to re-establish device trusts. In addition, the device certificates are used for GTM sync groups and Enterprise Manager monitoring. As a result, you will need to recreate the GTM sync groups and rediscover devices managed by Enterprise Manager.
CMI certificate/key pairs
The BIG-IP system may have a CMI certificate/key pair (used for device group communication and synchronization) that was compromised. To regenerate the CMI certificate/key pairs on devices in a device group, and rebuild the device trust, perform the following procedure:
Impact of procedure: F5 recommends that you perform this procedure during a maintenance window. This procedure causes the current device to lose connectivity with all other BIG-IP devices. Depending on the device group and traffic group configuration, the connectivity loss may result in an unintentional active-active condition that causes a traffic disruption. To prevent a standby device from going active, set the standby device in the device group to Force Offline before performing the procedure. Standby devices that were set to Force Offline should be set to Release Offline after performing the procedure.
Repeat this procedure for each device in the device group.
After you complete the device trust reset on all devices, set up the device trust by performing the procedures described in the following articles:
The big3d process
The BIG-IP system may have a vulnerable version of the big3d process under the following conditions:
Affected big3d versions
The following big3d versions are affected by this vulnerability:
big3d version 11.5.0.0.0.221 for Linux
big3d version 11.5.0.1.0.227 for Linux
big3d version 11.5.1.0.0.110 for Linux
For information about checking the big3d version currently installed on the system and installing updated **big3d** versions on managed systems, refer to the following article:
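The two checks the advisory asks an administrator to make, deciding whether a fixed release higher than the running one exists (Recommended action) and whether an installed big3d build is one of the affected ones, as an added helper script that is not part of F5's article. The fixed APM releases and affected big3d builds are the ones quoted above; the `big3d version X for Linux` line format is assumed from the advisory's own wording, not from the `big3d` binary's output.

```python
import re
from typing import Optional, Tuple

# Values taken from the advisory text: APM releases that carry the Edge Client
# fix, and the big3d builds listed as affected. Everything else is constructed.
FIXED_APM_VERSIONS = ("11.5.0 HF3", "11.5.1 HF2")
AFFECTED_BIG3D_VERSIONS = {"11.5.0.0.0.221", "11.5.0.1.0.227", "11.5.1.0.0.110"}

_VERSION_RE = re.compile(r"^(?P<nums>\d+(?:\.\d+)*)(?:\s+HF(?P<hf>\d+))?$")
_BIG3D_RE = re.compile(r"big3d version (?P<ver>[\d.]+)")  # assumed line format

Version = Tuple[Tuple[int, ...], int]


def parse_version(text: str) -> Version:
    """'11.5.1 HF2' -> ((11, 5, 1), 2); a release without a hotfix gets HF 0.

    Tuples compare lexicographically, so 11.5.0 HF3 < 11.5.1 < 11.5.1 HF2,
    which is the ordering the advisory's "higher version" wording relies on.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BIG-IP version: {text!r}")
    nums = tuple(int(p) for p in m.group("nums").split("."))
    return nums, int(m.group("hf") or 0)


def is_fixed_release(running: str) -> bool:
    """True when the running version is itself one of the fixed releases."""
    return parse_version(running) in {parse_version(v) for v in FIXED_APM_VERSIONS}


def upgrade_candidate(running: str) -> Optional[str]:
    """Lowest fixed release higher than the running one, or None when no
    upgrade candidate currently exists (the advisory's 'no candidate' case)."""
    cur = parse_version(running)
    higher = [v for v in FIXED_APM_VERSIONS if parse_version(v) > cur]
    return min(higher, key=parse_version) if higher else None


def big3d_is_affected(version_line: str) -> bool:
    """Accept a bare build string or a 'big3d version X for Linux' line and
    check the build against the affected set from the advisory."""
    m = _BIG3D_RE.search(version_line)
    build = m.group("ver") if m else version_line.strip()
    return build in AFFECTED_BIG3D_VERSIONS


if __name__ == "__main__":
    for v in ("11.5.0 HF1", "11.5.1", "11.5.1 HF2", "11.6.0"):
        print(v, "fixed:", is_fixed_release(v), "candidate:", upgrade_candidate(v))
    print(big3d_is_affected("big3d version 11.5.0.1.0.227 for Linux"))
```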
BIG-IP maintenance and user passwords
The maintenance and user passwords used to access the BIG-IP system may have been compromised. For information about changing user passwords, refer to the following documentation:
Mitigating this vulnerability
To mitigate this vulnerability, you should consider the following recommendations:
Consider denying access to the Configuration utility and using only the command line and **tmsh** until the BIG-IP system is updated. If that is not possible, F5 recommends that you access the Configuration utility only over a secure network.
If SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the following articles:
Virtual servers that do not use SSL profiles and pass SSL traffic through to the back-end web servers will not protect the back-end resource servers. When possible, you should protect back-end resources by using SSL profiles to terminate SSL. For more information about using iRules to protect the back-end servers, refer to the Supplemental Information section.
Supplemental Information
Important: The following DevCentral article contains additional information about using iRules to assist in mitigating this vulnerability when terminating TLS traffic on back-end servers. F5 does not officially support the iRules in the following article, and information in the article does not represent a fix for the vulnerability.
support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html
support.f5.com/kb/en-us/solutions/public/10000/000/sol10025.html
support.f5.com/kb/en-us/solutions/public/10000/300/sol10322.html
support.f5.com/kb/en-us/solutions/public/12000/400/sol12463.html
support.f5.com/kb/en-us/solutions/public/13000/100/sol13123
support.f5.com/kb/en-us/solutions/public/13000/700/sol13757.html
support.f5.com/kb/en-us/solutions/public/14000/700/sol14783.html
support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html
support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html
support.f5.com/kb/en-us/solutions/public/9000/500/sol9502.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html
support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html
devcentral.f5.com/articles/openssl-heartbleed-cve-2014-0160
heartbleed.com/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160