Forum Discussion

Cirrocumulus

Nov 05, 2009

SSL Vulnerability

Does anyone know if F5's with SSL Offload are vulnerable to the plain text insertion vulnerability that's been reported today? Details are vague (As you'd expect) but IIUC it may be on...

config

design

Hamish

Cirrocumulus

Nov 06, 2009

I have an answer from F5.

The answer itself was specific to 9.4.7, but there's no indication that it's different for any other version (Although I have asked). Because of the way they've implemented it, they're only vulnerable (For SSL Offload) if you have an iRule that explicitly does an SSL::renegotiate.

They'll be publishing a SOL note in the next few days, possibly with same iRule code to workaround the issue where SSL::renegotiate is necessary.

Forum Discussion

SSL Vulnerability

Recent Discussions

BWC iRule

GTM Packet Capture command

Citrix XenServer Big-IP Upgrade help

BIG-IP DNS iRule issue with static variable

F5 ASM logging profile to specify source IP

Related Content

OWASP Automated Threats - OAT-014 Vulnerability Scanning

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server

Vulnerability CVE-2023-45648 in ApacheTomcat

Re: Mitigation of OWASP API6: 2019 Mass Assignment vulnerability using F5 Distributed Cloud Platform

Reviewing vulnerability scanner results for an APM protected Virtual Server - part two