N/A

The SSL profiles component in F5 BIG-IP LTM, APM, and ASM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, AAM 11.4.0 through 11.5.1, AFM 11.3.0 through 11.5.1, Analytics 11.0.0 through 11.5.1, Edge Gateway, WebAccelerator, and WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, PEM 11.3.0 through 11.6.0, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.4.1 and BIG-IQ Cloud and Security 4.0.0 through 4.4.0 and Device 4.2.0 through 4.4.0, when using TLS 1.x before TLS 1.2, does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE). NOTE: the scope of this identifier is limited to the F5 implementation only. Other vulnerable implementations should receive their own CVE ID, since this is not a vulnerability within the design of TLS 1.x itself.

N/A

N/A

多款F5产品信息泄露漏洞

F5 BIG-IP LTM等都是美国F5公司的产品。LTM是一款本地流量管理器；APM是一套提供安全统一访问关键业务应用和网络的解决方案。 多款F5产品的SSL配置文件组件中存在安全漏洞，该漏洞源于程序使用1.2之前1.x版本的TLS时，终止连接时没有正确检查CBC填充字节。攻击者可借助padding-oracle攻击利用该漏洞实施中间人攻击，获取明文数据。以下产品和版本受到影响：F5 BIG-IP LTM，APM，ASM 10.0.0版本至10.2.4版本和11.0.0版本至11.5.1版本，AAM 1

N/A

N/A