Jeff_Costlow_10
Jun 11, 2014
Historic F5 Account
Please see my article. CVE-2014-0224 is the worst vulnerability, but the article discusses all of them.
BIG-IP versions 11.5.0 and 11.5.1 contain OpenSSL 1.0.1 for the management GUI. These versions are vulnerable to CVE-2014-0224 only on the management interface. We'll be patching that soon. We'll be patching older releases which contain vulnerable client code over time.
BIG-IP 11.5.0 and 11.5.1 virtual servers doing TLS termination are not vulnerable. (Unless you are using COMPAT ciphers with 11.5.0 or 11.5.1. This is very rare.)
There are some tools that show virtual servers doing TLS termination as vulnerable. This is not correct for reasons that I hope I made clear in the article linked above.