Forum Discussion

squip_86995's avatar
squip_86995
Icon for Nimbostratus rankNimbostratus
Apr 07, 2014

OpenSSL and Heart Bleed Vuln

Get the latest updates on how F5 mitigates Heartbleed

 

 

Hi Team,

 

I know this question is eventually going to be asked - I may as well do it.

 

With the news today about the Heartbleed OpenSSL Vulnerability (http://heartbleed.com) I wanted to confirm if we are at any risk. All of my LTM V11 and V10 instances are running OpenSSL 0.9.8x which does not appear to be a vulnerable version of OpenSSL... Does the F5 hook into this when we Sign/Request SSL Certs? If so we're sitting pretty, right?

 

Thanks.

 

Updates based on feedback:

 

ul

 

Update 2: F5 have published a security advisory on this issue - http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html

 

https
management
security
ssl
tls
TMOS

52 Replies

Sort By
Show More
  • MegaZone's avatar
    MegaZone
    Icon for SIRT rankSIRT
    Apr 09, 2014
    The official AskF5 Solution is out: http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html See also: https://devcentral.f5.com/s/articles/openssl-heartbleed-cve-2014-0160
  • Mahmoud_Eldeeb_'s avatar
    Mahmoud_Eldeeb_
    Icon for Cirrostratus rankCirrostratus
    Apr 13, 2014

    Virtual servers using an SSL profile configured with the default Native SSL ciphers are not vulnerable. Only virtual servers using an SSL profile configured to use ciphers from the COMPAT SSL stack are vulnerable in BIG-IP 11.5.0 and 11.5.1. In addition, virtual servers that do not use SSL profiles and pass SSL traffic to the back-end web servers will not protect the back-end resource servers.

     

  • Mahmoud_Eldeeb_'s avatar
    Mahmoud_Eldeeb_
    Icon for Cirrostratus rankCirrostratus
    Apr 27, 2014

    OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable OpenSSL 1.0.1g is NOT vulnerable OpenSSL 1.0.0 branch is NOT vulnerable OpenSSL 0.9.8 branch is NOT vulnerable