Bug ID 507331: Using saved configuration with 11.5.2 on AWS may cause SSLv3 to be enabled.

Last Modified: Mar 21, 2019

Affected Product:
BIG-IP All (all modules)

Known Affected Versions:
11.4.0, 11.4.1, 11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4, 11.6.0 HF5, 11.6.0 HF6, 11.6.0 HF7, 11.6.0 HF8, 11.6.1, 11.6.1 HF1, 11.6.1 HF2, 11.6.2, 11.6.2 HF1, 11.6.3, 11.6.3.1, 11.6.3.2, 11.6.3.3, 11.6.3.4, 11.6.4

Fixed In:
12.0.0, 11.5.3 HF2, 11.4.1 HF9

Opened: Feb 16, 2015
Severity: 3-Major

Symptoms

If a saved configuration from an earlier version is used when launching an instance of BIG-IP v11.5.2 on AWS, then SSLv3 may be enabled on the management interface.

Impact

There are known security issues with SSLv3, and the BIG-IP software disables it by default with v11.5.2 on AWS. SSLv3 enabled on the management interface might leave the instance open to attack, so after upgrading, SSLv3 should be disabled in any configuration in which it is enabled before deploying.

Conditions

Using a configuration saved with version 11.5.2 (or earlier) on AWS.

Workaround

Disable SSLv3 as documented here: https://devcentral.f5.com/articles/cve-2014-3566-removing-sslv3-from-big-ip, and in SOL15702: https://support.f5.com/kb/en-us/solutions/public/15000/700/sol15702.html.
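A pre-deployment check for the condition described above, added here as an example and not taken from F5's documentation or tooling: it reads a saved configuration and reports whether the management web server setting still permits SSLv3. It assumes the setting is stored as `ssl-protocol "..."` inside a `sys httpd { }` stanza and that the value follows Apache `SSLProtocol` syntax; the sample configurations are constructed.

```python
import re

# Protocol names accepted in an Apache SSLProtocol-style value.
KNOWN = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def effective_protocols(value):
    """Evaluate the value left to right, the way mod_ssl applies +/- tokens."""
    enabled = set()
    for token in value.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name != "all" and name not in KNOWN:
            raise ValueError(f"unknown protocol token: {token!r}")
        group = set(KNOWN) if name == "all" else {name}
        if action == "-":
            enabled -= group
        elif action == "+":
            enabled |= group
        else:  # a bare name replaces whatever was set before it
            enabled = group
    return enabled

def sslv3_on_management(config_text):
    """True/False when the saved config decides it, None when it has no setting."""
    # Assumed layout: a top-level "sys httpd { ... }" stanza closed by "}" in column 0.
    stanza = re.search(r"^sys httpd \{(.*?)^\}", config_text, re.M | re.S)
    if not stanza:
        return None
    setting = re.search(r'^\s*ssl-protocol\s+"?([^"\n]+)"?\s*$', stanza.group(1), re.M)
    if not setting:
        return None  # version default applies; check the running system instead
    return "sslv3" in effective_protocols(setting.group(1))

# Constructed sample configurations (not taken from a real device).
HEADER = "sys global-settings {\n    hostname bigip1.example.com\n}\n"
SAMPLE_OLD = HEADER + 'sys httpd {\n    ssl-protocol "all -SSLv2"\n}\n'
SAMPLE_FIXED = HEADER + 'sys httpd {\n    ssl-protocol "all -SSLv2 -SSLv3"\n}\n'

if __name__ == "__main__":
    for label, text in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED), ("unset", HEADER)):
        print(f"{label}: SSLv3 enabled on management = {sslv3_on_management(text)}")
```

A `None` result means the saved file does not decide the question, so the effective protocol list has to be confirmed on the launched instance.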

Fix Information

SSLv3 is no longer enabled after loading a configuration saved with BIG-IP v11.5.2 or earlier, even if SSLv3 was enabled in the original configuration.

Behavior Change