POODLE Vulnerability Affects TLS 1.0, TLS 1.1

Jul 2, 2020

Poodle v2

It was recently discovered that the POODLE vulnerability affects more than just SSL 3.0. Improper checking of TLS “padding” means that the vulnerability may also be used to exploit TLS 1.0 and TLS 1.1.

This vulnerability was found in sites using load balancers from two manufacturers, F5 and A10. These manufacturers have already released patches for their products which can be found in the links provided below.

This vulnerability does NOT affect your SSL certificate. There is no need to re-issue or revoke any certificates, as your private key has not been compromised.
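
To illustrate what "improper checking of TLS padding" means, the added example below (not code from F5, A10 or this article) contrasts a lax CBC padding check with the check the TLS padding format calls for, where every padding byte must equal the padding length. The cipher block size, MAC length, function names and sample records are assumptions constructed for the illustration.

```python
from typing import Optional

BLOCK = 16    # AES-CBC block size (assumed cipher for this illustration)
MAC_LEN = 20  # HMAC-SHA1 tag length (assumed)

def _pad_len(record: bytes) -> Optional[int]:
    """Read the trailing padding_length byte; None if the record is malformed."""
    if not record or len(record) % BLOCK:
        return None
    n = record[-1]
    # There must be room for the MAC, n padding bytes and the length byte.
    return n if n + 1 + MAC_LEN <= len(record) else None

def unpad_lax(record: bytes) -> Optional[bytes]:
    """Flawed check: trusts the length byte and never inspects the padding bytes."""
    n = _pad_len(record)
    return None if n is None else record[: len(record) - n - 1]

def unpad_strict(record: bytes) -> Optional[bytes]:
    """TLS padding rule: every padding byte must equal padding_length."""
    n = _pad_len(record)
    if n is None:
        return None
    diff = 0
    for b in record[len(record) - n - 1:]:
        diff |= b ^ n  # accumulate differences instead of returning early
    # A production stack must also keep this constant-time and still run the
    # MAC check on failure; neither is modelled in this sketch.
    return None if diff else record[: len(record) - n - 1]

# Constructed sample records (decrypted form): data || MAC || padding || length
BODY = b"GET /idx" + b"\xaa" * MAC_LEN          # 28 bytes; the MAC is a placeholder
WELL_FORMED = BODY + b"\x03\x03\x03" + b"\x03"   # three padding bytes, all 0x03
MALFORMED = BODY + b"\x11\x22\x33" + b"\x03"     # same length byte, wrong padding

if __name__ == "__main__":
    for name, rec in (("well-formed", WELL_FORMED), ("malformed", MALFORMED)):
        print(name, "lax accepts:", unpad_lax(rec) is not None,
              "| strict accepts:", unpad_strict(rec) is not None)
```

A stack that behaves like `unpad_lax` on TLS 1.0 or TLS 1.1 records accepts padding it should reject, which is the condition the vendor patches below correct.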

What should I do?

1. Check if your server is vulnerable by using the Qualys SSL Labs SSL Server test.
2. Apply the patch provided by your vendor. F5's are here; A10's are here. We'll add other affected vendors as they are announced.

Note: This vulnerability does not affect the SSL Certificates themselves. There is no need to reissue, renew, or reinstall any certificates at this time.

Affected Version

F5

| Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature |
|---|---|---|---|
| BIG-IP LTM | 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 11.6.0, 11.5.1 HF6, 11.5.0 HF6, 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13, 10.2.4 HF10 | SSL profiles |
| BIG-IP AAM | 11.4.0 - 11.5.1 | 11.6.0, 11.5.1 HF6, 11.5.0 HF6, 11.4.1 HF6, 11.4.0 HF9 | SSL profiles |
| BIG-IP AFM | 11.3.0 - 11.5.1 | 11.6.0, 11.5.1 HF6, 11.5.0 HF6, 11.4.1 HF6, 11.4.0 HF9 | SSL profiles |
| BIG-IP Analytics | 11.0.0 - 11.5.1 | 11.6.0, 11.5.1 HF6, 11.5.0 HF6, 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13 | SSL profiles |
| BIG-IP APM | 11.0.0 - 11.5.1, 10.1.0 - 10.2.4 | 11.6.0, 11.5.1 HF6, 11.5.0 HF6, 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13, 10.2.4 HF10 | SSL profiles |
| BIG-IP ASM | 11.0.0 - 11.5.1, 10.0.0 - 10.2.4 | 11.6.0, 11.5.1 HF6, 11.5.0 HF6, 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13, 10.2.4 HF10 | SSL profiles |
| BIG-IP Edge Gateway | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | 11.2.1 HF13, 10.2.4 HF10 | SSL profiles |
| BIG-IP GTM* | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | None |
| BIG-IP Link Controller* | None | 11.0.0 - 11.6.0, 10.0.0 - 10.2.4 | None |
| BIG-IP PEM | 11.3.0 - 11.6.0 | 11.6.0 HF3, 11.5.1 HF6, 11.5.0 HF6, 11.4.1 HF6, 11.4.0 HF9 | SSL profiles |
| BIG-IP PSM | 11.0.0 - 11.4.1, 10.0.0 - 10.2.4 | 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13, 10.2.4 HF10 | SSL profiles |
| BIG-IP WebAccelerator | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | 11.2.1 HF13, 10.2.4 HF10 | SSL profiles |
| BIG-IP WOM | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | 11.4.1 HF6, 11.4.0 HF9, 11.2.1 HF13, 10.2.4 HF10 | SSL profiles |
| ARX | None | 6.0.0 - 6.4.0 | None |
| Enterprise Manager* | None | 3.0.0 - 3.1.1, 2.1.0 - 2.3.0 | None |
| FirePass | None | 7.0.0, 6.0.0 - 6.1.0 | None |
| BIG-IQ Cloud | 4.0.0 - 4.4.0 | None | REST API |
| BIG-IQ Device | 4.2.0 - 4.4.0 | None | REST API |
| BIG-IQ Security | 4.0.0 - 4.4.0 | None | REST API |
| LineRate | None | 2.2.0 - 2.5.0, 1.6.0 - 1.6.4 | None |

*The noted products contain vulnerable code but do not expose SSL profiles and are therefore not vulnerable.

Source: 
https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html

A10

A10 has yet to release a patch for affected hardware. This site will be updated as soon as that information is available.
