QID 376544

Date Published: 2022-04-28

QID 376544: F5 BIG-IP Application Security Manager (ASM), Local Traffic Manager (LTM), Access Policy Manager (APM) Open Secure Sockets Layer (OpenSSL) Vulnerability (K24624116)

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative. This could cause applications to behave incorrectly or crash. OpenSSL versions 1.1.1i and below are affected by this issue. Users of these versions should upgrade to OpenSSL 1.1.1j. OpenSSL versions 1.0.2x and below are affected by this issue. However, OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2y. Other users should upgrade to 1.1.1j. Fixed in OpenSSL 1.1.1j (Affected 1.1.1-1.1.1i). Fixed in OpenSSL 1.0.2y (Affected 1.0.2-1.0.2x). (CVE-2021-23840)

Vulnerable Component: BIG-IP ASM, LTM, APM

Affected Versions:
16.0.0 - 16.1.2
15.1.0 - 15.1.5
14.1.2 - 14.1.4
14.1.0.3 - 14.1.0.6
13.1.1 - 13.1.4
12.1.2 HF1 - 12.1.6

QID Detection Logic (Authenticated):
This QID checks for the vulnerable versions of F5 BIG-IP devices using the tmsh command.

An attacker may trigger a buffer overflow resulting in a core file and denial of service (DoS).

  • CVSS V3 rated as High - 7.5 severity.
  • CVSS V2 rated as Medium - 5 severity.
  • Solution
    For more information about patch details, please refer to K24624116.

    Workaround:
    The only mitigation for vulnerable BIG-IP systems is to disable FIPS 140-2 Level 1 Compliant mode. By doing so, the vulnerable OpenSSL code paths are not executed, and acceleration is done either by hardware or by Intel Integrated Performance Primitives (Intel IPP) software libraries that are not vulnerable. To disable FIPS 140-2 Level 1 Compliant mode, perform the following steps:
    1. Log in to the TMOS Shell (tmsh) by entering the following command:
    tmsh

    2. To disable the FIPS 140-2 Compliant mode, enter the following command:
    modify sys db security.fips140.compliance value false
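As an added example that is not part of this QID or of F5's own tooling, the following Python checker encodes the affected version ranges listed above and reads constructed samples of `tmsh show sys version` and `tmsh list sys db security.fips140.compliance` output to report whether a device falls in an affected range and whether the FIPS 140-2 compliant-mode workaround is in place. The shape of the tmsh output, the mapping of "12.1.2 HF1" to 12.1.2.1, and the prefix handling of range upper bounds are assumptions.

```python
import re

# Affected BIG-IP ranges exactly as listed in the QID (inclusive). "12.1.2 HF1"
# is written as 12.1.2.1 on the assumption that F5 hotfix N is the fourth
# version component N.
AFFECTED_RANGES = [
    ("16.0.0", "16.1.2"), ("15.1.0", "15.1.5"), ("14.1.2", "14.1.4"),
    ("14.1.0.3", "14.1.0.6"), ("13.1.1", "13.1.4"), ("12.1.2.1", "12.1.6"),
]

def parse_version(ver):
    """'15.1.0.4' -> (15, 1, 0, 4); shorter strings are zero-padded."""
    parts = [int(p) for p in ver.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))

def in_range(ver, low, high):
    """Inclusive range test. The upper bound is matched by prefix, so a point
    release such as 16.1.2.1 counts as inside '16.0.0 - 16.1.2' (assumption:
    the QID lists ranges at release granularity; treat conservatively)."""
    v, hi = parse_version(ver), tuple(int(p) for p in high.split("."))
    return v >= parse_version(low) and v[:len(hi)] <= hi

def version_from_tmsh(show_sys_version):
    """Pull the 'Version' field out of 'tmsh show sys version' output."""
    m = re.search(r"^\s*Version\s+(\d+(?:\.\d+)+)", show_sys_version, re.M)
    return m.group(1) if m else None

def fips_compliance_enabled(list_db_output):
    """True when 'tmsh list sys db security.fips140.compliance' shows value true."""
    m = re.search(r'value\s+"?(\w+)"?', list_db_output)
    return bool(m) and m.group(1).lower() == "true"

def assess(version, fips_enabled):
    """NOT_AFFECTED: version outside every listed range.
    MITIGATED: affected version but FIPS 140-2 compliant mode is off, so the
    vulnerable OpenSSL code path is not executed (the QID's workaround).
    VULNERABLE: affected version with FIPS 140-2 compliant mode on."""
    if not any(in_range(version, lo, hi) for lo, hi in AFFECTED_RANGES):
        return "NOT_AFFECTED"
    return "VULNERABLE" if fips_enabled else "MITIGATED"

# Constructed sample output in the shape of the two tmsh commands (not a real capture).
SAMPLE_SHOW_SYS_VERSION = "Sys::Version\nMain Package\n  Product     BIG-IP\n  Version     15.1.0.4\n  Build       0.0.6\n"
SAMPLE_LIST_DB = 'sys db security.fips140.compliance {\n    value "true"\n}\n'

if __name__ == "__main__":
    ver = version_from_tmsh(SAMPLE_SHOW_SYS_VERSION)
    print(ver, assess(ver, fips_compliance_enabled(SAMPLE_LIST_DB)))  # 15.1.0.4 VULNERABLE
```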

    Vendor References

    CVEs related to QID 376544: CVE-2021-23840

    Software Advisories
    Advisory ID: K24624116 (F5 BIG-IP) - https://support.f5.com/csp/article/K24624116