16 June 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0978
               sol15328: OpenSSL vulnerability CVE-2010-5298
                                16 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP APM
                   ARX
                   BIG-IQ Cloud
                   BIG-IQ Device
                   BIG-IQ Security
Publisher:         F5
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-5298
Reference:         ASB-2014.0071
                   ASB-2014.0069.2
                   ASB-2014.0068
                   ESB-2014.0888
                   ESB-2014.0887
                   ESB-2014.0624.2
                   ESB-2014.0543

Original Bulletin:
   http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15328.html

- --------------------------BEGIN INCLUDED TEXT--------------------

sol15328: OpenSSL vulnerability CVE-2010-5298

Security Advisory

Original Publication Date: 06/13/2014

Description

A race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled. (CVE-2010-5298)

Impact

Allows remote attackers to inject data across sessions or cause a
denial-of-service (use-after-free and parsing error) through an SSL
connection in a multi-threaded environment.

Status

F5 Product Development has assigned ID 465338 (BIG-IP APM), ID 464623
(BIG-IQ), and ID 410742 (ARX) to this vulnerability.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

Product          Versions known to   Versions known to   Vulnerable component
                 be vulnerable       be not vulnerable   or feature
BIG-IP APM       11.5.0 - 11.5.1     11.0.0 - 11.4.1     curl-apd
                 10.1.0 - 10.2.4
ARX              6.0.0 - 6.4.0       None                ARX GUI
BIG-IQ Cloud     4.0.0 - 4.3.0       None                nginx (webd)
BIG-IQ Device    4.2.0 - 4.3.0       None                nginx (webd)
BIG-IQ Security  4.0.0 - 4.3.0       None                nginx (webd)

Recommended action

If the previous table lists a version in the Versions known to be not
vulnerable column, you can eliminate this vulnerability by upgrading to the
listed version. If the table does not list any version in the column, then
no upgrade candidate currently exists.

Supplemental Information

CVE-2010-5298
SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents
SOL4602: Overview of the F5 security vulnerability response policy
SOL4918: Overview of the F5 critical issue hotfix policy
SOL167: Downloading software and firmware from F5

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to email@example.com
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU5471RLndAQH1ShLAQKNrBAAmoJWKRWfltT3241Nkz578ydsMDSokejV
CVKjG0muXMA1y1CLtChqSwVz6DhN7WX6edjx+Y+EEgiPvxUaQoZGaNpbFn39HuIt
19/CPQ0JJkirmggowoASIW7s7ifn9P7hz3FwfhHVrk43LnDy1KgdJ9PCvdNZr/hu
Vw9NyHwwd2qYoSHRnTNTE9+mhGJd/34VmyEAEgg2rrLnaL4ffVPGJlx3S7+IFCxY
S90hPuILJKi8SlevnPeHm0AjOyiX4Lpt3WkliVZ4RmpObcW38435og5YQXTXtAVc
75wzPW8655gf6KssUeoT4FNOmbLD/nFGF0y3xfqIZ+9Wrm4H0Gjd4NlLdA15glwE
Os/WW1Nd6I98z0C7I+Jh/rNBub3qL589q3z2z/T+VdVOGHBLe76hB7qMEWHH2anG
fr4lcCb5BL/eCQvvrRoRVk0DyHcsgU+a2fqnUtdjNuagC4KJ+gRo/aXQW8F0LCDq
h4yFbSuVCIAdWQQ7AG0Js/x+vJC9OvCwc+qzp8nu21Ww/phf6vrtYC+vhHipArJK
LHxl4QoiPLGxClOjdM9fh79gawuoLsF1tzYqJ+T1gbvNQUycDj/odlbOLC3himsE
ZatQxMKT9A0BGJhkU31imMx8dEAE38dohSPyQoob5Mv6dZlg9NC63ogcBi9Rry3K
uuadmRCMZ2s=
=COdf
-----END PGP SIGNATURE-----
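Editor's added example, placed after the signed message so the bulletin text above stays as distributed. It is not F5's or AusCERT's tooling. The script applies the bulletin's affected-version table and recommended action to an inventory of product/version pairs, and applies the description's upstream range ("OpenSSL through 1.0.1g") to `openssl version` banners. The table data is transcribed from the bulletin; the inventory lines and banners in the usage block are constructed samples; the version parser is a generic helper that understands both F5's dotted versions and OpenSSL's letter suffixes.

```python
"""Check product/version pairs against the affected-version table in
ESB-2014.0978 / sol15328, and OpenSSL banners against the upstream range
the description gives ("through 1.0.1g").

Added example, not F5's or AusCERT's code.  AFFECTED is transcribed from
the bulletin's table; everything else is a generic helper.
"""
import re

# product -> (vulnerable ranges, not-vulnerable ranges, component), from the table
AFFECTED = {
    "BIG-IP APM":      ([("11.5.0", "11.5.1"), ("10.1.0", "10.2.4")],
                        [("11.0.0", "11.4.1")], "curl-apd"),
    "ARX":             ([("6.0.0", "6.4.0")], [], "ARX GUI"),
    "BIG-IQ Cloud":    ([("4.0.0", "4.3.0")], [], "nginx (webd)"),
    "BIG-IQ Device":   ([("4.2.0", "4.3.0")], [], "nginx (webd)"),
    "BIG-IQ Security": ([("4.0.0", "4.3.0")], [], "nginx (webd)"),
}
OPENSSL_LAST_VULNERABLE = "1.0.1g"   # "OpenSSL through 1.0.1g" in the description

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]?)")


def parse_version(text):
    """Return a comparable tuple for '11.5.1' or 'OpenSSL 1.0.1g 7 Apr 2014'.

    Numeric fields are padded to three components so 11.5 == 11.5.0; a
    trailing letter becomes a fourth element (a=1, g=7), giving
    1.0.1 < 1.0.1a < 1.0.1g < 1.0.1h < 1.0.2.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no version number in %r" % text)
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))
    letter = ord(m.group(2)) - ord("a") + 1 if m.group(2) else 0
    return tuple(nums) + (letter,)


def in_range(version, low, high):
    """Inclusive range test, matching how the 'X - Y' table columns read."""
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def check_f5(product, version):
    """Classify one product/version against the bulletin's table.

    status is 'vulnerable', 'not vulnerable', or 'unknown' (version outside
    every listed range, or product not in this bulletin).  component names
    the affected feature.  safe_versions lists the 'known to be not
    vulnerable' ranges; it is empty where the bulletin says no upgrade
    candidate currently exists (ARX and all BIG-IQ products).
    """
    if product not in AFFECTED:
        return {"status": "unknown", "component": None, "safe_versions": []}
    vulnerable, safe, component = AFFECTED[product]
    if any(in_range(version, lo, hi) for lo, hi in vulnerable):
        return {"status": "vulnerable", "component": component,
                "safe_versions": list(safe)}
    if any(in_range(version, lo, hi) for lo, hi in safe):
        return {"status": "not vulnerable", "component": None,
                "safe_versions": list(safe)}
    return {"status": "unknown", "component": None, "safe_versions": list(safe)}


def openssl_version_affected(banner):
    """True when the version in an `openssl version` banner is at or below
    1.0.1g.  Version alone does not prove exposure: the race needs
    SSL_MODE_RELEASE_BUFFERS enabled in a multi-threaded process."""
    return parse_version(banner) <= parse_version(OPENSSL_LAST_VULNERABLE)


if __name__ == "__main__":
    # Constructed inventory lines and banners, not real device data.
    inventory = [("BIG-IP APM", "11.5.1"), ("BIG-IP APM", "11.4.1"),
                 ("ARX", "6.2.0"), ("BIG-IQ Device", "4.1.0")]
    for product, version in inventory:
        print(product, version, check_f5(product, version))
    for banner in ("OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.1h 5 Jun 2014"):
        print(banner, "->", openssl_version_affected(banner))
```

Two caveats the bulletin itself implies: a version that falls in neither column comes back as "unknown" rather than safe, because the table only states what is known; and for BIG-IP APM the listed non-vulnerable range (11.0.0 - 11.4.1) is numerically below the vulnerable 11.5.x branch, so "upgrading to the listed version" is a branch move rather than a plain version bump, which is worth flagging to whoever schedules the change.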