F5 Networks - OpenSSL Heartbleed Vulnerability

Number: AL14-014
Date: 14 April 2014

Purpose

The purpose of this Alert is to bring attention to a recently released solution for various F5 Networks products.

Assessment

F5 Networks has released a solution to address the OpenSSL Heartbleed vulnerability for the following products.

BIG-IP LTM
BIG-IP AAM
BIG-IP AFM
BIG-IP Analytics
BIG-IP APM
BIG-IP ASM
BIG-IP GTM
BIG-IP Link Controller
BIG-IP PEM
BIG-IP Edge Clients for Apple iOS
BIG-IP Edge Clients for Linux
BIG-IP Edge Clients for MAC OS X
BIG-IP Edge Clients for Windows

CVE Reference: CVE-2014-0160

Affected versions:
BIG-IP LTM: 11.5.0 - 11.5.1
BIG-IP AAM: 11.5.0 - 11.5.1
BIG-IP AFM: 11.5.0 - 11.5.1
BIG-IP Analytics: 11.5.0 - 11.5.1
BIG-IP APM: 11.5.0 - 11.5.1
BIG-IP ASM: 11.5.0 - 11.5.1
BIG-IP GTM: 11.5.0 - 11.5.1
BIG-IP Link Controller: 11.5.0 - 11.5.1
BIG-IP PEM: 11.5.0 - 11.5.1
BIG-IP Edge Clients for Apple iOS: 2.0.0 - 2.0.1, 1.0.5 - 1.0.6
BIG-IP Edge Clients for Linux: 7080 - 7101
BIG-IP Edge Clients for MAC OS X: 7080 - 7101
BIG-IP Edge Clients for Windows: 7080 - 7101

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released solution for the affected platforms accordingly.

References

F5 Networks
http://support.f5.com/kb/en-us/solutions/public/15000/100/sol15159.html

CCIRC's AV14-017 OpenSSL Vulnerability
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2014/av14-017-eng.aspx

CCIRC's AL14-005 OpenSSL Heartbleed Vulnerability
http://www.publicsafety.gc.ca/cnt/rsrcs/cybr-ctr/2014/al14-005-eng.aspx

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
