-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.2552
             SOL23512141: OpenSSL vulnerability CVE-2016-2179
                              1 November 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 products
Publisher:         F5 Networks
Operating System:  Network Appliance
                   Virtualisation
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2179  

Reference:         ASB-2016.0098
                   ASB-2016.0095
                   ESB-2016.2238

Original Bulletin: 
   https://support.f5.com/kb/en-us/solutions/public/k/23/sol23512141.html

- --------------------------BEGIN INCLUDED TEXT--------------------

SOL23512141: OpenSSL vulnerability CVE-2016-2179

Security Advisory

Original Publication Date: 10/31/2016

Vulnerability Description

The DTLS implementation in OpenSSL before 1.1.0 does not properly restrict the
lifetime of queue entries associated with unused out-of-order messages, which
allows remote attackers to cause a denial of service (memory consumption) by 
maintaining many crafted DTLS sessions simultaneously, related to d1_lib.c, 
statem_dtls.c, statem_lib.c, and statem_srvr.c. (CVE-2016-2179)

Impact

An attacker can send a fragmented, incomplete message followed by a 
'retransmission' message. In this case, the system accepts the retransmission
message but the queue retains the original fragments, which consumes system 
resources. By repeating this process many times, the attacker can cause 
resource exhaustion.

Security Issue Status

F5 Product Development has assigned IDs 625372, 625377, and 625392 (BIG-IP) 
and ID 410742 (ARX) to this vulnerability.

To determine if your release is known to be vulnerable, the components or 
features that are affected by the vulnerability, and for information about 
releases or hotfixes that address the vulnerability, refer to the following 
table:

Product 		Versions known to be vulnerable 	Versions known to be not vulnerable 	Severity 	Vulnerable component or feature

BIG-IP LTM 		11.2.1					12.0.0 - 12.1.1				Medium 		Data plane: UDP virtual servers using SSL profiles
			10.2.1 - 10.2.4 			11.4.0 - 11.6.1 

			12.0.0 - 12.1.1				11.2.1 - 11.4.1				Medium 		Control plane: sod process, iAppsLX[1]
			11.5.0 - 11.6.1 			10.2.1 - 10.2.4 

BIG-IP AAM 		12.0.0 - 12.1.1				11.4.0 - 11.4.1 			Medium 		Control plane: sod process, iAppsLX[1]
			11.5.0 - 11.6.1 

BIG-IP AFM 		12.0.0 - 12.1.1				11.4.0 - 11.4.1 			Medium 		Control plane: sod process, iAppsLX[1]
			11.5.0 - 11.6.1 

BIG-IP Analytics 	11.2.1 					12.0.0 - 12.1.1				Medium 		Data plane: UDP virtual servers using SSL profiles
								11.4.0 - 11.6.1 

			12.0.0 - 12.1.1				11.2.1 - 11.4.1 			Medium 		Control plane: sod process, iAppsLX[1]
			11.5.0 - 11.6.1 

BIG-IP APM 		11.2.1					12.0.0 - 12.1.1				Medium 		Data plane: UDP virtual servers using SSL profiles
			10.2.1 - 10.2.4 			11.4.0 - 11.6.1 

			12.0.0 - 12.1.1				11.2.1 - 11.4.1				Medium 		Control plane: sod process, iAppsLX[1]
			11.5.0 - 11.6.1 			10.2.1 - 10.2.4 

BIG-IP ASM 		11.2.1					12.0.0 - 12.1.1				Medium 		Data plane: UDP virtual servers using SSL profiles
			10.2.1 - 10.2.4 			11.4.0 - 11.6.1 

			12.0.0 - 12.1.1				11.2.1 - 11.4.1				Medium 		Control plane: sod process, iAppsLX[1]
			11.5.0 - 11.6.1 			10.2.1 - 10.2.4 

BIG-IP DNS 		12.0.0 - 12.1.1 			None 					Medium 		Control plane: sod process, iAppsLX[1]

BIG-IP Edge Gateway 	11.2.1					None 					Medium 		Data plane: UDP virtual servers using SSL profiles
			10.2.1 - 10.2.4 

BIG-IP GTM 		11.2.1					11.4.0 - 11.6.1 			Medium 		Data plane: UDP virtual servers using SSL profiles
			10.2.1 - 10.2.4 

			11.5.0 - 11.6.1 			11.2.1 - 11.4.1				Medium 		Control plane: sod process, iAppsLX[1]
								10.2.1 - 10.2.4 

BIG-IP Link Controller 	11.2.1					12.0.0 - 12.1.1				Medium 		Data plane: UDP virtual servers using SSL profiles
			10.2.1 - 10.2.4 			11.4.0 - 11.6.1 

			12.0.0 - 12.1.1				11.2.1 - 11.4.1				Medium 		Control plane: sod process, iAppsLX[1]
			11.5.0 - 11.6.1 			10.2.1 - 10.2.4 

BIG-IP PEM 		12.0.0 - 12.1.1				11.4.0 - 11.4.1 			Medium 		Control plane: sod process, iAppsLX[1]
			11.5.0 - 11.6.1 

BIG-IP PSM 		11.2.1					11.4.0 - 11.4.1 			Medium 		Data plane: UDP virtual servers using SSL profiles
			10.2.1 - 10.2.4 

BIG-IP WebAccelerator 	11.2.1					None 					Medium 		Data plane: UDP virtual servers using SSL profiles
			10.2.1 - 10.2.4 

BIG-IP WebSafe 		12.0.0 - 12.1.0				None 					Medium 		Control plane: sod process, iAppsLX[1]
			11.6.0 - 11.6.1 

ARX 			6.2.0 - 6.4.0 				None 					Low 		OpenSSL

Enterprise Manager 	None 					3.1.1 					Not vulnerable 	None

BIG-IQ Cloud 		None 					4.0.0 - 4.5.0 				Not vulnerable 	None

BIG-IQ Device 		None 					4.2.0 - 4.5.0 				Not vulnerable 	None

BIG-IQ Security 	None 					4.0.0 - 4.5.0 				Not vulnerable 	None

BIG-IQ ADC 		None 					4.5.0 					Not vulnerable 	None

BIG-IQ Centralized 	None 					5.0.0 - 5.1.0				Not vulnerable 	None
 Management							4.6.0 
		
BIG-IQ Cloud and 	None 					1.0.0 					Not vulnerable 	None
 Orchestration 

F5 iWorkflow 		None 					2.0.0 - 2.0.1 				Not vulnerable 	None

LineRate 		None 					2.5.0 - 2.6.1 				Not vulnerable 	None

Traffix SDC 		None 					5.0.0					Not vulnerable 	None
								4.0.0 - 4.4.0 

1 iAppsLX is not vulnerable in default configurations. However, iAppsLX 
systems that are customized to enable Datagram Transport Layer Security (DTLS)
may be vulnerable.

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable 
column, you can eliminate this vulnerability by upgrading to a version listed
in the Versions known to be not vulnerable column. If the table lists only an
older version than what you are currently running, or does not list a 
non-vulnerable version, then no upgrade candidate currently exists.

Mitigation

None

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products

SOL9957: Creating a custom RSS feed to view new and updated documents

SOL4602: Overview of the F5 security vulnerability response policy

SOL4918: Overview of the F5 critical issue hotfix policy

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWBfmB4x+lLeg9Ub1AQg6qA//fJZoJA89vnajx32uWAFlbqvEXyDOOYkM
PjvGiRUpmJfz2l8hYgxd37sHHNddZopCPHj1Z8OTaqUSmoqLXLgaI8WSSYRZPiGP
6XdigywlaybBhvnhaNpqBParbcZlVNxNmyybI8YGmWfpusk+YGqvtoMA2t66yebo
noVXjeQ3kQ8As/ls+2994pMZTIPfkUEGWUvR3zb1a5DwZPGJVwQsus/OXru+pruI
98gAUZi43tj8E6qETvdE46uOV2GI7g0EX55+R9srG4a/ruiXYoVpzECqnvYqyxsO
m3tVHoaJx85Vm6vQVd5Z3aENl3DATaA4pcaFSrcpKuqdSnIWSd640oIbG0KCu/x8
PlQIwiZVMmNsHY7rKrZOQZ746vJ7+TEMLPbKUQ6Y7UCAlsNI8sqeZaVPunEzNmZ5
+ehHGHZLpTRCrvHusg7Zmr5SC8xQWTX+/NhjuGWXYT6w7yXVQ5zhJGcf1NooIr4h
Qy9Yacb1kkH3GpHpKUDqzW+2OWYG/Fm/QjNXMhlefSj6eSBTotId1ndyrm+1EXKa
L9GFUhjQIYFOM7lE16z1qL9jwTro37Y/pmfhcl1klW2Ib/CFswTT+20h2IQCRpvD
irCKBlXIFV3r/lej3gZAJpMdNhVc82ePRVAIwVlZHezhJ8f6osxbOw3H2dlk3MiN
Xa0EKDkdF64=
=FctL
-----END PGP SIGNATURE-----