PT-2014-8694
Authors: Brian Smith and 2 others
Published: 2014-12-10 · Updated: 2017-01-03
CVE-2014-8730
CVSS v2.0: 4.3 (Medium)
| Vector | AV:N/AC:M/Au:N/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
F5 BIG-IP LTM, APM, and ASM versions 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1
F5 AAM versions 11.4.0 through 11.5.1
F5 AFM versions 11.3.0 through 11.5.1
F5 Analytics versions 11.0.0 through 11.5.1
F5 Edge Gateway, WebAccelerator, and WOM versions 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0
F5 PEM versions 11.3.0 through 11.6.0
F5 PSM versions 10.0.0 through 10.2.4 and 11.0.0 through 11.4.1
F5 BIG-IQ Cloud and Security versions 4.0.0 through 4.4.0
F5 BIG-IQ Device versions 4.2.0 through 4.4.0
PAN-OS versions 6.1.1 and earlier, 6.0.8 and earlier, 5.0.15 and earlier
Description
The vulnerability is due to improper validation of block cipher padding when a Cipher Block Chaining (CBC) cipher suite is negotiated under TLS 1.x. TLS requires every padding byte to equal the padding-length byte; the affected implementations only read the length byte and accept any values in the remaining padding bytes, which is the lax behaviour SSLv3 specifies and the POODLE attack exploits. An attacker in a man-in-the-middle position who can also make the victim's client send chosen requests (for example from attacker-controlled JavaScript in the browser) can use the server's accept/reject behaviour as a padding oracle, recovering one byte of plaintext per roughly 256 forced requests. A successful exploit could allow the attacker to access sensitive information carried in the encrypted session, such as HTTP cookies or other HTTP authorization content. This issue is a variant of the POODLE vulnerability (CVE-2014-3566) applied to TLS rather than SSLv3; because the attacker must sit on the network path between client and server, it is most practical from a network the victim already trusts.
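The following is an added example, not code from F5, Palo Alto Networks or the advisory authors, showing why the missing padding check matters. It models a TLS-style MAC-then-pad-then-encrypt record layer with a toy Feistel block cipher standing in for AES, a server that applies either the lax check the advisory describes (only the length byte is read) or the check TLS 1.x specifies (every padding byte must equal the length byte), and a POODLE-style attacker who moves the ciphertext block containing a cookie byte into the padding position and reads the server's accept/reject decision. The keys, the cookie value `SESSID`, the request layout and the fresh-IV-per-record simplification are constructed for the example.

```python
"""POODLE-style padding oracle vs. a CBC record layer that only reads the
padding-length byte. Added example, not F5/Palo Alto code; toy Feistel
cipher stands in for AES; keys, cookie and request layout are constructed."""
import hashlib
import hmac
import random

BLOCK, MAC_LEN = 16, 32
ENC_KEY, MAC_KEY = b"toy-enc-key", b"toy-mac-key"   # constructed, not real keys
SECRET = b"SESSID"                     # constructed cookie the attacker wants
_rng = random.Random(20141210)         # seeded IV source: reproducible runs

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, blk):
    """4-round Feistel permutation of a 16-byte block (stand-in for AES)."""
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, r, i))
    return l + r

def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(block_decrypt(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def seal_record(data):
    """Client, TLS style: data || HMAC(data) || p bytes of value p || p,
    CBC-encrypted under a fresh random IV (stands in for per-record state)."""
    mac = hmac.new(MAC_KEY, data, hashlib.sha256).digest()
    p = (BLOCK - (len(data) + MAC_LEN + 1) % BLOCK) % BLOCK
    iv = bytes(_rng.getrandbits(8) for _ in range(BLOCK))
    return iv, cbc_encrypt(ENC_KEY, iv, data + mac + bytes([p]) * (p + 1))

def open_record(iv, ct, strict):
    """Server. strict=True enforces the TLS 1.x rule that every padding byte
    equals the length byte; strict=False only reads the length byte, the
    SSLv3-like behaviour of the affected builds. True when accepted."""
    pt = cbc_decrypt(ENC_KEY, iv, ct)
    p = pt[-1]
    if p + 1 + MAC_LEN > len(pt):
        return False
    if strict and any(b != p for b in pt[-(p + 1):-1]):
        return False
    data, mac = pt[:-(p + 1 + MAC_LEN)], pt[-(p + 1 + MAC_LEN):-(p + 1)]
    return hmac.compare_digest(hmac.new(MAC_KEY, data, hashlib.sha256).digest(), mac)

def victim_request(prefix_len, suffix_len):
    """Browser driven by attacker JavaScript: attacker picks path and body
    lengths, the browser appends the cookie itself."""
    return seal_record(b"P" * prefix_len + SECRET + b"B" * suffix_len)

def recover_byte(idx, strict, max_tries):
    """Recover SECRET[idx] from the on-path position; None if the oracle never
    accepts within max_tries records."""
    prefix_len = (BLOCK - 1 - idx) % BLOCK          # target byte ends a block
    suffix_len = (-(prefix_len + len(SECRET) + MAC_LEN)) % BLOCK  # full pad block
    tgt = (prefix_len + idx) // BLOCK               # block holding the target
    for _ in range(max_tries):
        iv, ct = victim_request(prefix_len, suffix_len)
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        tampered = ct[:-BLOCK] + blocks[tgt + 1]    # C_tgt replaces pad block
        if open_record(iv, tampered, strict):
            # Accepted => D(C_tgt)[15] ^ C_{n-2}[15] == 15, and
            # P_tgt[15] == D(C_tgt)[15] ^ C_{tgt-1}[15].
            return 15 ^ blocks[-2][15] ^ blocks[tgt][15]
    return None

def recover_secret(strict, max_tries=20000):
    """Recover the whole cookie (length assumed known); None if stalled."""
    out = bytearray()
    for idx in range(len(SECRET)):
        b = recover_byte(idx, strict, max_tries)
        if b is None:
            return None
        out.append(b)
    return bytes(out)

if __name__ == "__main__":
    print("lax padding check   :", recover_secret(strict=False))
    print("strict padding check:", recover_secret(strict=True, max_tries=1000))
```

Against the lax server each cookie byte falls after about 256 forced requests, exactly the POODLE work factor; against the strict server the moved block is rejected unless all sixteen decrypted padding bytes line up, so the attack stalls. Every rejected attempt surfaces as a bad_record_mac alert on the server, which is the signal a defender can watch for.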
Recommendations
Update every affected product to a release outside the ranges listed above: F5 BIG-IP LTM, APM, ASM, AAM, AFM, Analytics, Edge Gateway, WebAccelerator, WOM, PEM and PSM; F5 BIG-IQ Cloud, Security and Device; and PAN-OS 5.0, 6.0 and 6.1.
As a temporary workaround until the fix is applied, remove CBC-mode cipher suites from the affected SSL/TLS profiles so that only non-CBC suites (AEAD suites such as AES-GCM under TLS 1.2) can be negotiated. Note that TLS 1.0 and 1.1 define no AEAD suites, so clients that cannot speak TLS 1.2 would be left with RC4 or unable to connect; weigh that against the exposure. Reduce the impact of a successful attack by limiting what a stolen cookie or authorization header grants (short session lifetimes, re-authentication for sensitive operations), restricting management interfaces to trusted networks, and monitoring for the bursts of bad_record_mac TLS alerts that a padding-oracle attack generates.
Related Identifiers
CVE-2014-3566 (POODLE, the SSLv3 padding-oracle issue of which this is the TLS variant)
Affected Products
Cisco ASA
Cisco IOS
F5 AAM
F5 AFM
F5 APM
F5 ASM
F5 Analytics
F5 BIG-IP LTM
F5 BIG-IQ Cloud/Security
F5 BIG-IQ Device
F5 Edge Gateway
F5 PEM
F5 PSM
F5 WOM
F5 WebAccelerator
PAN-OS