===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2018.0025.4
                 K13167034: OpenSSL vulnerability CVE-2016-2183
                               28 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 BIG-IP Products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-2183
Reference:         ASB-2017.0219
                   ASB-2017.0208
                   ASB-2017.0169
                   ESB-2016.2263
                   ESB-2016.2239.2
                   ESB-2016.2238

Original Bulletin:
   https://support.f5.com/csp/article/K13167034

Revision History:  February 28 2020: Additional versions known to be not vulnerable added
                   February 21 2020: Vendor updated matrix of vulnerable and fixed versions
                   August   14 2018: Updated security advisory status table.
                   January   2 2018: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

K13167034: OpenSSL vulnerability CVE-2016-2183

Security Advisory

Original Publication Date: 05 Oct, 2016
Latest Publication Date:   27 Feb, 2020

Security Advisory Description

The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-duration encrypted session, as demonstrated by an HTTPS session using Triple DES in CBC mode, aka a "Sweet32" attack. (CVE-2016-2183)

Important: This vulnerability is caused by functionality in the OpenSSL software library. A viable mitigation is available in the Mitigation section. There will be no further updates to this article, unless new information is discovered.
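The derivation below is an editor's addition, not part of the F5 advisory or the AusCERT bulletin; it shows how the "approximately four billion blocks" birthday bound above relates to the 1 GB session limit used in the Mitigation section, assuming the 64-bit block size of DES/3DES and the standard birthday-collision approximation.

$$
b = 64 \text{ bits} = 8 \text{ bytes}, \qquad n_{\mathrm{birthday}} = 2^{b/2} = 2^{32} \approx 4.3 \times 10^{9} \text{ blocks} = 2^{35} \text{ bytes} = 32\ \mathrm{GiB}
$$

The probability that at least two of $n$ CBC ciphertext blocks produced under one key collide (the event a Sweet32-style birthday attack relies on) is

$$
P(n) \approx 1 - e^{-n(n-1)/2^{b+1}} \approx \frac{n^{2}}{2^{65}}
$$

so at $n = 2^{32}$ blocks $P \approx 1 - e^{-1/2} \approx 0.39$. Taking 1 GB as $2^{30}$ bytes $= 2^{27}$ blocks (the renegotiate-size 1000 and KBLifetime 1048576 KB settings in the Mitigation section), a session that is rekeyed every 1 GB has, per key,

$$
P(2^{27}) \approx \frac{2^{54}}{2^{65}} = 2^{-11} \approx 0.05\%
$$

which is why the advisory treats a 1 GB data limit as an adequate defence against Sweet32 even where 3DES stays enabled.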
Impact

Remote attackers may be able to obtain cleartext data using a birthday attack against long-duration encrypted sessions.

Security Advisory Status

F5 Product Development has assigned IDs 615267, 615271, 615270, 615269, 615268, and 615274 (BIG-IP), ID 410742 (ARX), ID 616861 (BIG-IQ and F5 iWorkflow), ID 616862 (Enterprise Manager), ID 528809 (FirePass), and LRS-60936 (LineRate) to this vulnerability. Additionally, BIG-IP iHealth may list Heuristic H13167034, H13167034-1, H13167034-2, and H13167034-3 on the Diagnostics > Identified > Medium page.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table.

+----------------+---------------+--------------------+----------+----------------------------+
|Product         |Versions known |Versions known to   |Severity  |Vulnerable component        |
|                |to be          |be not vulnerable   |          |or feature                  |
|                |vulnerable     |                    |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IP LTM      |13.0.0         |15.0.0 - 15.1.0     |Medium    |SSL profiles (client/server)|
|                |12.0.0 - 12.1.2|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|13.0.0 HF1 - 13.1.3 |          |                            |
|                |10.2.1 - 10.2.4|12.1.2 HF1 - 12.1.5 |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |15.0.0 - 15.1.0|None                |Medium    |IPSec                       |
|                |14.0.0 - 14.1.2|                    |          |                            |
|                |13.0.0 - 13.1.3|                    |          |                            |
|                |12.0.0 - 12.1.5|                    |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |15.0.0 - 15.1.0|None                |Medium    |tamd                        |
|                |14.0.0 - 14.1.2|                    |          |                            |
|                |13.0.0 - 13.1.3|                    |          |                            |
|                |12.0.0 - 12.1.5|                    |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                |10.2.4         |                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.1.3|15.0.0 - 15.1.0     |Medium    |Apache mod_ssl              |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                |10.2.4         |                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0     |Medium    |Big3d                       |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|13.1.0 - 13.1.3     |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IP (AAM,    |13.0.0         |15.0.0 - 15.1.0     |Medium    |SSL profiles (client/server)|
|PEM)            |12.0.0 - 12.1.2|14.0.0 - 14.1.2     |          |                            |
|                |11.4.0 - 11.6.5|13.0.0 HF1 - 13.1.3 |          |                            |
|                |               |12.1.2 HF1 - 12.1.5 |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |15.0.0 - 15.1.0|None                |Medium    |IPSec, tamd                 |
|                |14.0.0 - 14.1.2|                    |          |                            |
|                |13.0.0 - 13.1.3|                    |          |                            |
|                |12.0.0 - 12.1.5|                    |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.1.3|15.0.0 - 15.1.0     |Medium    |Apache mod_ssl              |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.4.0 - 11.6.5|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0     |Medium    |Big3d                       |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.4.0 - 11.6.5|13.1.0 - 13.1.3     |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IP AFM      |12.1.0 - 12.1.3|15.0.0 - 15.1.0     |Medium    |SSH Proxy                   |
|                |               |14.0.0 - 14.1.2     |          |                            |
|                |               |13.0.0 - 13.1.3     |          |                            |
|                |               |12.1.3.4 - 12.1.5   |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0         |15.0.0 - 15.1.0     |Medium    |SSL profiles (client/server)|
|                |12.0.0 - 12.1.2|14.0.0 - 14.1.2     |          |                            |
|                |11.4.0 - 11.6.5|13.0.0 HF1 - 13.1.3 |          |                            |
|                |               |12.1.2 HF1 - 12.1.5 |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |15.0.0 - 15.1.0|None                |Medium    |IPSec, tamd                 |
|                |14.0.0 - 14.1.2|                    |          |                            |
|                |13.0.0 - 13.1.3|                    |          |                            |
|                |12.0.0 - 12.1.5|                    |          |                            |
|                |11.4.0 - 11.6.5|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.1.3|15.0.0 - 15.1.0     |Medium    |Apache mod_ssl              |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.4.0 - 11.6.5|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0     |Medium    |Big3d                       |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.4.0 - 11.6.5|13.1.0 - 13.1.3     |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IP Analytics|13.0.0         |15.0.0 - 15.1.0     |Medium    |SSL profiles (client/server)|
|                |12.0.0 - 12.1.2|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|13.0.0 HF1 - 13.1.3 |          |                            |
|                |               |12.1.2 HF1 - 12.1.5 |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |15.0.0 - 15.1.0|None                |Medium    |IPSec, tamd                 |
|                |14.0.0 - 14.1.2|                    |          |                            |
|                |13.0.0 - 13.1.3|                    |          |                            |
|                |12.0.0 - 12.1.5|                    |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.1.3|15.0.0 - 15.1.0     |Medium    |Apache mod_ssl              |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0     |Medium    |Big3d                       |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|13.1.0 - 13.1.3     |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IP APM      |15.0.0 - 15.1.0|None                |Medium    |Oracle Access Manager, tamd |
|                |14.0.0 - 14.1.2|                    |          |                            |
|                |13.0.0 - 13.1.3|                    |          |                            |
|                |12.0.0 - 12.1.5|                    |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0         |15.0.0 - 15.1.0     |Medium    |SSL profiles (client/server)|
|                |12.0.0 - 12.1.2|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|13.0.0 HF1 - 13.1.3 |          |                            |
|                |10.2.1 - 10.2.4|12.1.2 HF1 - 12.1.5 |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |15.0.0 - 15.1.0|None                |Medium    |IPSec                       |
|                |14.0.0 - 14.1.2|                    |          |                            |
|                |13.0.0 - 13.1.3|                    |          |                            |
|                |12.0.0 - 12.1.5|                    |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |15.0.0 - 15.1.0|None                |Medium    |tamd                        |
|                |14.0.0 - 14.1.2|                    |          |                            |
|                |13.0.0 - 13.1.3|                    |          |                            |
|                |12.0.0 - 12.1.5|                    |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.1.3|15.0.0 - 15.1.0     |Medium    |Apache mod_ssl              |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0     |Medium    |Big3d                       |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|13.1.0 - 13.1.3     |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IP ASM      |13.0.0         |15.0.0 - 15.1.0     |Medium    |SSL profiles (client/server)|
|                |12.0.0 - 12.1.2|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|13.0.0 HF1 - 13.1.3 |          |                            |
|                |10.2.1 - 10.2.4|12.1.2 HF1 - 12.1.5 |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |15.0.0 - 15.1.0|None                |Medium    |IPSec                       |
|                |14.0.0 - 14.1.2|                    |          |                            |
|                |13.0.0 - 13.1.3|                    |          |                            |
|                |12.0.0 - 12.1.5|                    |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |15.0.0 - 15.1.0|None                |Medium    |tamd                        |
|                |14.0.0 - 14.1.2|                    |          |                            |
|                |13.0.0 - 13.1.3|                    |          |                            |
|                |12.0.0 - 12.1.5|                    |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.1.3|15.0.0 - 15.1.0     |Medium    |Apache mod_ssl              |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0     |Medium    |Big3d                       |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|13.1.0 - 13.1.3     |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IP DNS      |15.0.0 - 15.1.0|None                |Medium    |tamd                        |
|                |14.0.0 - 14.1.2|                    |          |                            |
|                |13.0.0 - 13.1.3|                    |          |                            |
|                |12.0.0 - 12.1.5|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.1.3|15.0.0 - 15.1.0     |Medium    |Apache mod_ssl              |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0     |Medium    |Big3d                       |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |               |13.1.0 - 13.1.3     |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IP Edge     |11.2.1         |None                |Medium    |SSL profiles (client/server)|
|Gateway         |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |11.2.1         |None                |Medium    |IPSec                       |
|                +---------------+--------------------+----------+----------------------------+
|                |11.2.1         |None                |Medium    |tamd                        |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |11.2.1         |None                |Medium    |Apache mod_ssl              |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |11.2.1         |None                |Medium    |Big3d                       |
|                |10.2.1 - 10.2.4|                    |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IP GTM      |11.4.0 - 11.6.5|None                |Medium    |tamd                        |
|                |11.2.1         |                    |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |11.4.0 - 11.6.5|None                |Medium    |Apache mod_ssl              |
|                |11.2.1         |                    |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |11.4.0 - 11.6.5|None                |Medium    |Big3d                       |
|                |11.2.1         |                    |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IP Link     |15.0.0 - 15.1.0|None                |Medium    |IPSec                       |
|Controller      |14.0.0 - 14.1.2|                    |          |                            |
|                |13.0.0 - 13.1.3|                    |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |15.0.0 - 15.1.0|None                |Medium    |tamd                        |
|                |14.0.0 - 14.1.2|                    |          |                            |
|                |13.0.0 - 13.1.3|                    |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.1.3|15.0.0 - 15.1.0     |Medium    |Apache mod_ssl              |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|                    |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |13.0.0 - 13.0.1|15.0.0 - 15.1.0     |Medium    |Big3d                       |
|                |12.0.0 - 12.1.5|14.0.0 - 14.1.2     |          |                            |
|                |11.2.1 - 11.6.5|13.1.0 - 13.1.3     |          |                            |
|                |10.2.1 - 10.2.4|                    |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IP PSM      |11.4.0 - 11.4.1|None                |Medium    |SSL profiles (client/server)|
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |11.4.0 - 11.4.1|None                |Medium    |IPSec                       |
|                +---------------+--------------------+----------+----------------------------+
|                |11.4.0 - 11.4.1|None                |Medium    |tamd                        |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |11.4.0 - 11.4.1|None                |Medium    |Apache mod_ssl              |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |11.4.0 - 11.4.1|None                |Medium    |Big3d                       |
|                |10.2.1 - 10.2.4|                    |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IP          |11.2.1 - 11.3.0|None                |Medium    |SSL profiles (client/server)|
|(WebAccelerator,|10.2.1 - 10.2.4|                    |          |                            |
|WOM)            |               |                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |11.2.1 - 11.3.0|None                |Medium    |IPSec                       |
|                +---------------+--------------------+----------+----------------------------+
|                |11.2.1 - 11.3.0|None                |Medium    |tamd                        |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |11.2.1 - 11.3.0|None                |Medium    |Apache mod_ssl              |
|                |10.2.1 - 10.2.4|                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |11.2.1 - 11.3.0|None                |Medium    |Big3d                       |
|                |10.2.1 - 10.2.4|                    |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IP WebSafe  |None           |13.0.0 - 13.1.3     |Not       |None                        |
|                |               |12.0.0 - 12.1.5     |vulnerable|                            |
|                |               |11.6.0 - 11.6.5     |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|ARX             |6.2.0 - 6.4.0  |None                |Low       |OpenSSL                     |
+----------------+---------------+--------------------+----------+----------------------------+
|Enterprise      |3.1.1          |None                |Medium    |Apache                      |
|Manager         |               |                    |          |OpenSSH                     |
|                |               |                    |          |Big3d                       |
+----------------+---------------+--------------------+----------+----------------------------+
|FirePass        |7.0.0          |None                |Low       |OpenSSL                     |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IQ Cloud    |4.0.0 - 4.5.0  |None                |Medium    |Webd                        |
|                |               |                    |          |OpenSSH                     |
|                |               |                    |          |Big3d                       |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IQ Device   |4.2.0 - 4.5.0  |None                |Medium    |Webd                        |
|                |               |                    |          |OpenSSH                     |
|                |               |                    |          |Big3d                       |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IQ Security |4.0.0 - 4.5.0  |None                |Medium    |Webd                        |
|                |               |                    |          |OpenSSH                     |
|                |               |                    |          |Big3d                       |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IQ ADC      |4.5.0          |None                |Medium    |Webd                        |
|                |               |                    |          |OpenSSH                     |
|                |               |                    |          |Big3d                       |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IQ          |5.0.0 - 7.0.0.1|None                |Medium    |Webd                        |
|Centralized     |4.6.0          |                    |          |                            |
|Management      +---------------+--------------------+----------+----------------------------+
|                |5.0.0 - 7.0.0.1|None                |Medium    |OpenSSH                     |
|                |4.6.0          |                    |          |                            |
|                +---------------+--------------------+----------+----------------------------+
|                |5.0.0 - 5.1.0  |5.2.0 - 5.4.0       |Medium    |Big3d                       |
|                |4.6.0          |                    |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+
|BIG-IQ Cloud and|1.0.0          |None                |Medium    |Webd                        |
|Orchestration   |               |                    |          |OpenSSH                     |
|                |               |                    |          |Big3d                       |
+----------------+---------------+--------------------+----------+----------------------------+
|F5 iWorkflow    |2.0.0 - 2.3.0  |None                |Medium    |Apache                      |
|                |               |                    |          |OpenSSH                     |
|                |               |                    |          |Big3d                       |
+----------------+---------------+--------------------+----------+----------------------------+
|LineRate        |2.5.0 - 2.6.1  |None                |Low       |SSL/TLS                     |
+----------------+---------------+--------------------+----------+----------------------------+
|Traffix SDC     |5.1.0          |None                |Low       |OpenSSL, Network Security   |
|                |               |                    |          |Services, NSS               |
|                +---------------+--------------------+----------+----------------------------+
|                |5.0.0          |None                |Low       |OpenSSL                     |
|                |4.0.0 - 4.4.0  |                    |          |                            |
+----------------+---------------+--------------------+----------+----------------------------+

^1 The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.

Security Advisory Recommended Actions

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

To determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. For more information, refer to K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems.

Mitigation

The following mitigation options are available for the BIG-IP system:

SSL profiles

You can mitigate this issue for the SSL profiles by disabling 3DES (DES-CBC3) ciphers for the affected profile. For information about configuring the cipher strength for the SSL profiles, refer to K17370: Configuring the cipher strength for SSL profiles (12.x - 13.x).

Important: The following mitigation will not work for BIG-IP 13.0.0 due to an issue being tracked by F5 Product Development as ID 649369. For assistance mitigating this issue for BIG-IP 13.0.0, please contact F5 Support and reference this article and ID 649369.

You can disable 3DES in SSL profile ciphers by adding !3DES or -3DES to the current cipher string in the Ciphers field.

Note: When you use the !
symbol preceding a cipher, the SSL profile permanently removes the cipher from the cipher list, even if the cipher is explicitly stated later in the cipher string. When you use the - symbol preceding a cipher, the SSL profile removes the cipher from the cipher list, but the cipher can be added back to the cipher list if there are later options that allow it.

For example, if the current cipher string is DEFAULT, the updated cipher string becomes DEFAULT:!3DES.

Some TLS rating sites treat the ability to negotiate 3DES with TLS 1.2 differently than they treat 3DES availability with TLS 1.0 or TLS 1.1. The rationale behind this logic is that legacy clients are not expected to negotiate TLS 1.2, and thus there is no reason for a TLS server to offer 3DES with TLS 1.2. If you want to enable 3DES with TLS 1.0 and TLS 1.1 only, but not TLS 1.2, you can use the following cipher string: -3DES:TLSv1_1+3DES:TLSv1+3DES. For example, if the current cipher string is DEFAULT, the updated cipher string becomes DEFAULT:-3DES:TLSv1_1+3DES:TLSv1+3DES.

Beginning in 12.1.2 HF1, the BIG-IP system implements the TLS session data limit for 3DES that makes the use of 3DES secure on the BIG-IP system in reference to the SWEET32 attack. Unfortunately, SSL rating sites cannot easily detect the presence of this fix. Auditing this fix requires sending over 1 GB of data in a single TLS session. For earlier versions of BIG-IP systems without the data limit fix, you should take the following alternative steps when 3DES is enabled. Note that you do not need to take the following steps if only modern block ciphers are enabled, such as AES or CAMELLIA.

Alternatively, if disabling 3DES ciphers is not possible and you are running a version earlier than 12.1.2 HF1, you can modify the SSL profile and set the Renegotiation Size setting to 1 GB. To do so, perform the following procedure:

Impact of procedure: Performing the following procedure should not have a negative impact on your system.

 1. Log in to the TMOS Shell (tmsh) by typing the following command:

    tmsh

 2. Change the renegotiation size to 1 GB for the profile using the following command syntax:

    modify /ltm profile client-ssl <profile_name> renegotiate-size 1000

    For example, the following command changes the renegotiation size to 1 GB for the SSL profile named MyClientSSL:

    modify /ltm profile client-ssl MyClientSSL renegotiate-size 1000

 3. Save the changes by typing the following command:

    save /sys config

Authentication profiles (tamd)

To mitigate this issue, disable 3DES on the server side to prevent negotiation of the vulnerable cipher.

Configuration utility

To mitigate this vulnerability for the Configuration utility, you should permit management access to F5 products only over a secure network. For more information, refer to K13092: Overview of securing access to the BIG-IP system.

BIG-IP APM - Oracle Access Manager

To mitigate this vulnerability for Oracle Access Manager (OAM), you should monitor traffic patterns between the BIG-IP system and back-end OAM systems for traffic anomalies, or force rekeying on an appropriate interval on your application server.

IPsec

To mitigate this vulnerability for IPsec, in your IPsec policy, you should use AES ciphers, or if you cannot use AES ciphers, configure the KBLifetime to 1048576 KB (1 GB) or less.

BIG-IQ big3d

To mitigate this vulnerability for the big3d component of BIG-IQ, perform the following procedure:

Impact of procedure: BIG-IQ does not use the big3d component, and F5 Product Development has removed it starting in BIG-IQ 5.2.0. Performing the following procedure should not have a negative impact on your system.

 1. Log in to tmsh by typing the following command:

    tmsh

 2. Disable the big3d component, which stops the service and prevents it from starting on subsequent reboots, by typing the following command:

    modify /sys service big3d disable

OpenSSH

To mitigate this vulnerability for the OpenSSH component of the BIG-IQ system, you can disable the 3DES (DES-CBC3) ciphers for the SSH service on your BIG-IQ system. To do so, refer to K80425458: Modifying the list of ciphers and MAC and key exchange algorithms used by the SSH service on the BIG-IP system or BIG-IQ system.

Webd

To mitigate this vulnerability for the Webd component of the BIG-IQ system, you can disable the 3DES (DES-CBC3) ciphers for the Webd service on your BIG-IQ system. To modify the ciphers enabled on the BIG-IQ user interface, refer to K17007: Restricting BIG-IQ user interface access to clients using high-encryption SSL ciphers and protocols. You can disable 3DES in the SSL ciphers by adding !3DES to the current cipher string in the ssl_ciphers field. For example, if the current cipher string is ECDHE-RSA-AES128-GCM-SHA256;, the updated cipher string becomes ECDHE-RSA-AES128-GCM-SHA256:!3DES;.

Supplemental Information

o K9970: Subscribing to email notifications regarding F5 products
o K9957: Creating a custom RSS feed to view new and updated documents
o K4602: Overview of the F5 security vulnerability response policy
o K4918: Overview of the F5 critical issue hotfix policy
o K167: Downloading software and firmware from F5
o K13123: Managing BIG-IP product hotfixes (11.x - 15.x)
o K9502: BIG-IP hotfix and point release matrix
o K15106: Managing BIG-IQ product hotfixes
o K15113: BIG-IQ hotfix matrix
o K10322: FirePass hotfix matrix
o K12766: ARX hotfix matrix

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT.
The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================