copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2014.0978 - [Appliance] F5 BIG-IP products: Multiple vulnerabilities

Date: 16 June 2014
References: ESB-2014.0543  ESB-2014.0624.2  ESB-2014.0887  ESB-2014.0888  ASB-2014.0068  ASB-2014.0069.2  ASB-2014.0071  

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0978
               sol15328: OpenSSL vulnerability CVE-2010-5298
                               16 June 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BIG-IP APM
                   ARX
                   BIG-IQ Cloud
                   BIG-IQ Device
                   BIG-IQ Security
Publisher:         F5
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-5298  

Reference:         ASB-2014.0071
                   ASB-2014.0069.2
                   ASB-2014.0068
                   ESB-2014.0888
                   ESB-2014.0887
                   ESB-2014.0624.2
                   ESB-2014.0543

Original Bulletin: 
   http://support.f5.com/kb/en-us/solutions/public/15000/300/sol15328.html

- --------------------------BEGIN INCLUDED TEXT--------------------

sol15328: OpenSSL vulnerability CVE-2010-5298

Security Advisory

Original Publication Date: 06/13/2014

Description

A race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL 
through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled. (CVE-201-5298)

Impact

Allows remote attackers to inject data across sessions or cause a 
denial-of-service (use-after-free and parsing error) through an SSL connection
in a multi-threaded environment.

Status

F5 Product Development has assigned ID 465338 (BIG-IP APM), ID 464623 
(BIG-IQ), and ID 410742 (ARX) to this vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product 	Versions known to be vulnerable 	Versions known to be not vulnerable 	Vulnerable component or feature
BIG-IP APM 	11.5.0 - 11.5.1			 	11.0.0 - 11.4.1	 			curl-apd
							10.1.0 - 10.2.4

ARX 		6.0.0 - 6.4.0			 	None					ARX GUI

BIG-IQ Cloud 	4.0.0 - 4.3.0				None					nginx (webd)

BIG-IQ Device 	4.2.0 - 4.3.0				None					nginx (webd)

BIG-IQ Security	4.0.0 - 4.3.0				None					nginx (webd)

Recommended action

If the previous table lists a version in the Versions known to be not
vulnerable column, you can eliminate this vulnerability by upgrading to the 
listed version. If the table does not list any version in the column, then no 
upgrade candidate currently exists.

Supplemental Information

    CVE-201-5298
    SOL9970: Subscribing to email notifications regarding F5 products
    SOL9957: Creating a custom RSS feed to view new and updated documents.
    SOL4602: Overview of the F5 security vulnerability response policy
    SOL4918: Overview of the F5 critical issue hotfix policy
    SOL167: Downloading software and firmware from F5

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU5471RLndAQH1ShLAQKNrBAAmoJWKRWfltT3241Nkz578ydsMDSokejV
CVKjG0muXMA1y1CLtChqSwVz6DhN7WX6edjx+Y+EEgiPvxUaQoZGaNpbFn39HuIt
19/CPQ0JJkirmggowoASIW7s7ifn9P7hz3FwfhHVrk43LnDy1KgdJ9PCvdNZr/hu
Vw9NyHwwd2qYoSHRnTNTE9+mhGJd/34VmyEAEgg2rrLnaL4ffVPGJlx3S7+IFCxY
S90hPuILJKi8SlevnPeHm0AjOyiX4Lpt3WkliVZ4RmpObcW38435og5YQXTXtAVc
75wzPW8655gf6KssUeoT4FNOmbLD/nFGF0y3xfqIZ+9Wrm4H0Gjd4NlLdA15glwE
Os/WW1Nd6I98z0C7I+Jh/rNBub3qL589q3z2z/T+VdVOGHBLe76hB7qMEWHH2anG
fr4lcCb5BL/eCQvvrRoRVk0DyHcsgU+a2fqnUtdjNuagC4KJ+gRo/aXQW8F0LCDq
h4yFbSuVCIAdWQQ7AG0Js/x+vJC9OvCwc+qzp8nu21Ww/phf6vrtYC+vhHipArJK
LHxl4QoiPLGxClOjdM9fh79gawuoLsF1tzYqJ+T1gbvNQUycDj/odlbOLC3himsE
ZatQxMKT9A0BGJhkU31imMx8dEAE38dohSPyQoob5Mv6dZlg9NC63ogcBi9Rry3K
uuadmRCMZ2s=
=COdf
-----END PGP SIGNATURE-----