| Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature |
|---|---|---|---|
| BIG-IP LTM | 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP AAM | 11.4.0 - 11.5.1 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP AFM | 11.3.0 - 11.5.1 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP Analytics | 11.0.0 - 11.5.1 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP APM | 11.0.0 - 11.5.1, 10.1.0 - 10.2.4 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP ASM | 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP DNS | None | 12.0.0 | None |
| BIG-IP Edge Gateway | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP GTM | 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.2.1 HF15 | Host-initiated SSL connections |
| BIG-IP Link Controller | 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 12.0.0, 11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP PEM | 11.3.0 - 11.5.1 | 11.5.1 HF3, 11.5.0 HF4 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP PSM | 11.0.0 - 11.4.1, 10.0.0 - 10.2.4 | 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP WebAccelerator | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| BIG-IP WOM | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | 11.2.1 HF15 | Host-initiated SSL connections, COMPAT SSL ciphers |
| ARX | None | 6.0.0 - 6.4.0 | None |
| Enterprise Manager | 2.0.0 - 2.3.0 | None | Host-initiated SSL connections |
| FirePass | 7.0.0, 6.0.0 - 6.1.0 | None | Host-initiated SSL connections |
| BIG-IQ Cloud | 4.0.0 - 4.3.0 | None | Host-initiated SSL connections |
| BIG-IQ Device | 4.2.0 - 4.3.0 | None | Host-initiated SSL connections |
| BIG-IQ Security | 4.0.0 - 4.3.0 | None | Host-initiated SSL connections |
| LineRate | 2.3.0 - 2.3.1, 2.2.0 - 2.2.4, 1.6.0 - 1.6.3 | None | Host-initiated SSL connections |

Client-side components

| Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature |
|---|---|---|---|
| BIG-IP Edge Clients for Linux | 6035 - 7071 | 7101.2014.0612.*, 7100.2014.0612.*, 7091.2014.0612.*, 7090.2014.0612.*, 7080.2014.0624.* | VPN |
| BIG-IP Edge Client for Mac OS X | 6035 - 7071 | 7101.2014.0612.*, 7100.2014.0612.*, 7091.2014.0612.*, 7090.2014.0612.*, 7080.2014.0624.* | VPN |
| BIG-IP Edge Client for Windows | 7101.* - 7101.2014.0611.*, 7100.* - 7100.2014.0611.*, 7091.* - 7091.2014.0611.*, 7090.* - 7090.2014.0611.*, 7080.* - 7080.2014.0623.*, 6035 - 7071 | 7101.2014.0612.1847, 7100.2014.0612.1847, 7091.2014.0612.1950, 7090.2014.0612.1853, 7080.2014.0624.2054 | VPN (DTLS only) |
| BIG-IP Edge Client for iOS | 2.0.0 - 2.0.2, 1.0.5 - 1.0.6 | 2.0.3 | VPN |
| BIG-IP Edge Client for Android | 2.0.1 - 2.0.4 | 2.0.5 | VPN |
Vulnerability Recommended Actions
If the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in that column, then no upgrade candidate currently exists. Note that the not-vulnerable versions for several products are hotfixes on an existing branch (for example, 11.5.1 HF3 or 11.2.1 HF15), so a fix may be available without a major-version upgrade.
Important: F5 has created an engineering hotfix to address this issue for FirePass 7.0. You can obtain the engineering hotfix by contacting F5 Technical Support and referencing this article number. For more information, refer to SOL8986: F5 software life cycle policy.
F5 is responding to this vulnerability as determined by the parameters defined in SOL4602: Overview of the F5 security vulnerability response policy.
Mitigating this vulnerability
To mitigate this vulnerability, you should consider the following recommendations:
Consider denying access to the Configuration utility and using only the command line and the Traffic Management Shell (tmsh) until the BIG-IP system is updated. If that is not possible, F5 recommends that you access the Configuration utility only over a secure network.
If SSL profiles are configured to use COMPAT ciphers, consider reconfiguring the profiles to use ciphers from the NATIVE SSL stack. For information about the NATIVE and COMPAT ciphers, refer to the SSL profile articles listed under Supplemental Information.
Limit traffic between the BIG-IP system and pool members to trusted traffic.
Verify that servers with which the F5 device communicates (such as pool members) are not using vulnerable OpenSSL versions.
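The COMPAT-cipher recommendation above is easiest to act on if you can see at a glance which Client SSL and Server SSL profiles select the COMPAT stack. The following script is an added example and is not F5's own tooling or part of this article: it parses the output of `tmsh list ltm profile client-ssl ciphers` and `tmsh list ltm profile server-ssl ciphers`, flags every profile whose cipher string contains the `COMPAT` keyword, and prints the corresponding `tmsh modify ... ciphers` commands. The profile dump embedded below is constructed sample output so the script runs offline; the replacement cipher string (`DEFAULT`, which selects NATIVE-stack ciphers in 11.x) is an assumption you should adjust to your own policy.

```shell
#!/bin/sh
# Added example (not F5's code): find BIG-IP SSL profiles that select the
# COMPAT cipher stack and emit tmsh commands to move them to NATIVE ciphers.
#
# On a real system, feed in the live configuration instead of the sample:
#   DUMP=$(tmsh list ltm profile client-ssl ciphers; tmsh list ltm profile server-ssl ciphers)

# Constructed sample of "tmsh list ... ciphers" output (not from a real device).
SAMPLE_DUMP='ltm profile client-ssl clientssl {
    ciphers DEFAULT
}
ltm profile client-ssl legacy-clients {
    ciphers COMPAT:!SSLv2:!EXPORT
}
ltm profile server-ssl serverssl {
    ciphers DEFAULT
}
ltm profile server-ssl backend-compat {
    ciphers NATIVE:COMPAT
}'

# Assumed replacement: DEFAULT selects NATIVE-stack ciphers on 11.x. Adjust to
# your own policy and test against real clients before applying.
REPLACEMENT_CIPHERS="DEFAULT"

# Print "<profile-type> <profile-name> <cipher-string>" for every profile whose
# cipher string enables the COMPAT keyword. "!COMPAT" / "-COMPAT" exclude the
# stack and are not flagged. Matching is case-sensitive, as in tmsh.
find_compat_profiles() {
    printf '%s\n' "$1" | awk '
        /^ltm profile (client-ssl|server-ssl) / { ptype = $3; pname = $4 }
        /^[[:space:]]*ciphers[[:space:]]/ {
            sub(/^[[:space:]]*ciphers[[:space:]]+/, "")
            cipher_string = $0
            gsub(/"/, "", cipher_string)
            n = split(cipher_string, parts, ":")
            for (i = 1; i <= n; i++) {
                if (parts[i] == "COMPAT" || parts[i] == "+COMPAT") {
                    print ptype, pname, cipher_string
                    break
                }
            }
        }'
}

# Number of profiles flagged by find_compat_profiles.
count_compat_profiles() {
    find_compat_profiles "$1" | awk 'END { print NR }'
}

# One "tmsh modify" command per flagged profile. Printed, not executed, so the
# operator can review before changing production SSL profiles.
remediation_commands() {
    find_compat_profiles "$1" | while read -r ptype pname pciphers; do
        printf 'tmsh modify ltm profile %s %s ciphers %s\n' \
            "$ptype" "$pname" "$REPLACEMENT_CIPHERS"
    done
}

echo "Profiles selecting the COMPAT cipher stack ($(count_compat_profiles "$SAMPLE_DUMP") found):"
find_compat_profiles "$SAMPLE_DUMP"
echo
echo "Suggested tmsh remediation (review before running):"
remediation_commands "$SAMPLE_DUMP"
```

Two caveats. The check only recognizes the `COMPAT` keyword; a cipher string that names individual ciphers available only in the COMPAT stack is not flagged, so compare the result with the profile articles listed under Supplemental Information. And moving profiles to NATIVE ciphers addresses only the COMPAT SSL ciphers row of the table; host-initiated SSL connections (the other listed component) are not affected by profile cipher settings and still need the listed hotfix or upgrade.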
Supplemental Information
For more information about SSL profiles, refer to the following articles:
support.f5.com/kb/en-us/solutions/public/14000/700/sol14783.html
support.f5.com/kb/en-us/solutions/public/14000/800/sol14806.html
For more information, refer to the following articles:
SOL9970: Subscribing to email notifications regarding F5 products (support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html)
SOL9957: Creating a custom RSS feed to view new and updated documents (support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html)
SOL4918: Overview of the F5 critical issue hotfix policy (support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html)
SOL167: Downloading software and firmware from F5 (support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html)
SOL17329: BIG-IP GTM name has changed to BIG-IP DNS (support.f5.com/kb/en-us/solutions/public/17000/300/sol17329.html)