Any official statement on latest openssl vulnerability CVE-2014-3569 ?

Question

Are any versions impacted for CVE-2014-3569 ? &nbsp;
The NVD score is Medium but it seems so easy to exploit this remotely and it is also pre-authentication so mandatory client certificates will not help you either.&nbsp;
Any iRule logic to identify the signature via binary scan ? &nbsp;
Best.&nbsp;

brad_parker · Answer

Since it is OpenSSL I would assume it would only affect the management GUI and potentially SSL profiles that use COMPAT ciphers. As with many OpenSSL vulnerabilities, one would assume if you are using the NATIVE cipher stack, the traffic interface shouldn't be affected.

pascal_tene_910 · Answer

This only affects OpenSSL 1.0.1j. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3569
You can check which openSSL version you are using from CLI by running the command openssl version.
BigIP version 11.6.0 uses OpenSSL 1.0.1h. it is highly probable that no BigIP version is affected by this CVE.
No Official statement at the moment.&nbsp;

Forum Discussion

Any official statement on latest openssl vulnerability CVE-2014-3569 ?

2 Replies

Recent Discussions

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

F5 Access Guard Deprecated: ZTA APM

F5 loadbalancer not working

Pricing when used with aws waf

F5 terminal - help to run commands - disk space full

Related Content

Reviewing vulnerability scanner results for an Access Policy Manager (APM) protected Virtual Server

OWASP Automated Threats - OAT-014 Vulnerability Scanning

Vulnerability CVE-2023-45648 in ApacheTomcat

APM AdAuth HTTP Header Insert iRule Switch Statement

Reviewing vulnerability scanner results for an APM protected Virtual Server - part two