SOL95463126 - OpenSSL vulnerabilities CVE-2016-0703 and CVE-2016-0704

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the** Versions known to be not vulnerable ** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. TheSeverity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.

BIG-IP

BIG-IP is not vulnerable to this issue in default configurations. F5 recommends that you do not enable the use of SSLv2 or EXPORT ciphers in either data plane or control plane configurations. In addition, note the following:

• Data plane virtual servers in BIG-IP 10.1.0 through 11.6.0 (excluding the versions listed in the Versions known to be not vulnerable column in theSecurity Issue Statustable) can be made vulnerable by configuring COMPAT ciphers in the cipher string. Additionally, BIG-IP 10.2.1 and 10.2.2 will also expose the issue withALLin the cipher string. If you require the use of COMPAT ciphers, you should include**!SSLV2in the cipher string to exclude the SSLv2 protocol; for example,COMPAT:!SSLV2. You can enable SSLv2 only in BIG-IP 12.0.0 and later by configuringCOMPAT+SSLV2** in the cipher string. F5 recommends that you do not configure virtual servers to use the SSLv2 protocol.

Note: For information about the change in behavior for the COMPAT stack and how to include EXPORT ciphers in BIG-IP 12.x, refer to SOL17373: The alternate COMPAT stack contains no SSL ciphers by default.

• The Configuration utility does not enable the use of the SSLv2 protocol in the default configuration for BIG-IP 10.1.0 through 12.0.0. The Apache configuration includes the configuration directive, which disables, by default, the SSLv2 protocol: SSLProtocol all -SSLv2. F5 recommends that you do not enable the SSLv2 protocol for the Configuration utility.
• If you are using the NodeJS EA feature for server applications, you should use constants.SSL_OP_NO_SSLv3 | constants.SSL_OP_NO_SSLv2 to mitigate this issue.
• iAppsLX f5-rest-node is an EA feature and is not vulnerable.
• iRulesLX nodejsis an EA feature in BIG-IP 12.0.0 and is not vulnerable.
• The BIG-IP big3d process is not vulnerable in BIG-IP 10.1.0 through 12.0.0; the daemon does not support the SSLv2 protocol in these versions.
• The device service clustering (DSC) infrastructure communication is not vulnerable in BIG-IP 11.0.0 through 12.0.0.

BIG-IQ/Enterprise Manager

The BIG-IQ/Enterprise Manager systems are not vulnerable to this issue in default configurations. F5 recommends that you do not enable the use of SSLv2 or EXPORT ciphers in the BIG-IQ/Enterprise Manager configurations.

Supplemental Information

• SOL9970: Subscribing to email notifications regarding F5 products
• SOL9957: Creating a custom RSS feed to view new and updated documents
• SOL4918: Overview of the F5 critical issue hotfix policy
• SOL23196136: OpenSSL vulnerability CVE-2016-0800