Bug ID 465908: CVE-2014-0224: behavior change

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP All(all modules)

Known Affected Versions:
11.2.1, 11.3.0, 11.4.0, 11.4.1, 11.5.0, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2

Fixed In:
11.6.0, 11.5.1 HF3, 11.5.0 HF4, 11.4.1 HF9, 11.3.0 HF9, 11.2.1 HF15

Opened: Jun 06, 2014

Severity: 3-Major

Symptoms

BIG-IP virtual servers doing TLS termination are not vulnerable to CVE-2014-0224. OpenSSL has made a change to disallow early ChangeCipherSpec (CCS) messages, that is, a CCS that arrives before the handshake has reached the point where one is expected. This fix mirrors that behavior in the BIG-IP TLS stack.

Impact

A TLS handshake whose messages arrive in the wrong order should not be tolerated. In this case, a ChangeCipherSpec (CCS) message is received before the ClientKeyExchange, which is too early for the record layer to switch to the negotiated keys.

Conditions

A ChangeCipherSpec (CCS) message is received before the ClientKeyExchange.

Workaround

N/A

Fix Information

BIG-IP TLS virtual servers will now reject the connection when an early CCS message is received.
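To illustrate the ordering check this fix introduces, the following is an added Python model of the server-side decision; it is not F5 BIG-IP or OpenSSL code. It frames TLS 1.2 records and handshake messages as laid out in RFC 5246, walks a constructed client flight in arrival order, and rejects a ChangeCipherSpec that arrives before the ClientKeyExchange. The record builders, the flight contents and all function names are assumptions of the example.

```python
"""
Model of the server-side check this fix introduces: a ChangeCipherSpec (CCS)
record that arrives before the ClientKeyExchange aborts the handshake.
Added illustration, not F5 BIG-IP or OpenSSL code. Record and handshake
framing follow RFC 5246 (TLS 1.2); the client flights are constructed inline.
"""
import struct

# TLS record content types (RFC 5246 section 6.2.1)
CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22
# Handshake message types (RFC 5246 section 7.4)
HS_CLIENT_HELLO = 1
HS_CLIENT_KEY_EXCHANGE = 16
TLS_1_2 = 0x0303


class EarlyCCS(Exception):
    """CCS seen before ClientKeyExchange: the connection must be rejected."""


def record(content_type, fragment):
    """Frame one plaintext TLS record: type(1) version(2) length(2) fragment."""
    return struct.pack("!BHH", content_type, TLS_1_2, len(fragment)) + fragment


def handshake(msg_type, body):
    """Frame one handshake message: msg_type(1) length(3) body."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def iter_records(data):
    """Yield (content_type, fragment) for each record, rejecting truncation."""
    off = 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        fragment = data[off + 5:off + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record body")
        off += 5 + length
        yield ctype, fragment


def iter_handshake_messages(fragment):
    """Yield (msg_type, body) for each handshake message in a record fragment."""
    off = 0
    while off < len(fragment):
        if len(fragment) - off < 4:
            raise ValueError("truncated handshake header")
        msg_type = fragment[off]
        length = int.from_bytes(fragment[off + 1:off + 4], "big")
        body = fragment[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        off += 4 + length
        yield msg_type, body


def check_client_flight(data):
    """Walk the client's plaintext records in arrival order.

    Returns normally once a CCS is seen after ClientKeyExchange (everything
    after the CCS is encrypted and outside this model). Raises EarlyCCS when
    the CCS arrives before ClientKeyExchange, the case this fix now rejects
    instead of tolerating.
    """
    seen_key_exchange = False
    for ctype, fragment in iter_records(data):
        if ctype == CONTENT_HANDSHAKE:
            for msg_type, _body in iter_handshake_messages(fragment):
                if msg_type == HS_CLIENT_KEY_EXCHANGE:
                    seen_key_exchange = True
        elif ctype == CONTENT_CHANGE_CIPHER_SPEC:
            if not seen_key_exchange:
                raise EarlyCCS("ChangeCipherSpec received before ClientKeyExchange")
            return  # keys are established; later records are encrypted
    raise ValueError("client flight ended without ChangeCipherSpec")


def classify_client_flight(data):
    """Decision the virtual server would take: 'accept' or a rejection reason."""
    try:
        check_client_flight(data)
    except EarlyCCS:
        return "reject: early ChangeCipherSpec"
    return "accept"


# Constructed flights (bodies are placeholders; only message order matters here).
_HELLO = handshake(HS_CLIENT_HELLO, b"\x03\x03" + b"\x00" * 32)
_KEY_EXCHANGE = handshake(HS_CLIENT_KEY_EXCHANGE, b"\x00\x02\xaa\xbb")
NORMAL_FLIGHT = (
    record(CONTENT_HANDSHAKE, _HELLO)
    + record(CONTENT_HANDSHAKE, _KEY_EXCHANGE)
    + record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
)
EARLY_CCS_FLIGHT = (
    record(CONTENT_HANDSHAKE, _HELLO)
    + record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")  # CCS before ClientKeyExchange
    + record(CONTENT_HANDSHAKE, _KEY_EXCHANGE)
)

if __name__ == "__main__":
    print("normal flight:   ", classify_client_flight(NORMAL_FLIGHT))
    print("early CCS flight:", classify_client_flight(EARLY_CCS_FLIGHT))
```

The model stops at the first CCS because everything after it is encrypted under the negotiated keys; the point of the check is that the server must have already received the ClientKeyExchange, and therefore has real key material, before it is willing to honour that switch.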

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips