Vulnerability CVE-2014-8730 - CERT Civis.Net

Vulnerability Name:

CVE-2014-8730 (CCN-99216)

Assigned:

2014-12-09

Published:

2014-12-09

Updated:

2017-01-03

Summary:

The SSL profiles component in F5 BIG-IP LTM, APM, and ASM 10.0.0 through 10.2.4 and 11.0.0 through 11.5.1, AAM 11.4.0 through 11.5.1, AFM 11.3.0 through 11.5.1, Analytics 11.0.0 through 11.5.1, Edge Gateway, WebAccelerator, and WOM 10.1.0 through 10.2.4 and 11.0.0 through 11.3.0, PEM 11.3.0 through 11.6.0, and PSM 10.0.0 through 10.2.4 and 11.0.0 through 11.4.1 and BIG-IQ Cloud and Security 4.0.0 through 4.4.0 and Device 4.2.0 through 4.4.0, when using TLS 1.x before TLS 1.2, does not properly check CBC padding bytes when terminating connections, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a variant of CVE-2014-3566 (aka POODLE).
Note: the scope of this identifier is limited to the F5 implementation only. Other vulnerable implementations should receive their own CVE ID, since this is not a vulnerability within the design of TLS 1.x itself.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): None Availibility (A): None

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2014-8730

Source: HP
Type: UNKNOWN
HPSBPV03516

Source: SECUNIA
Type: UNKNOWN
62167

Source: SECUNIA
Type: UNKNOWN
62224

Source: SECUNIA
Type: UNKNOWN
62388

Source: CCN
Type: Cisco Security Notice
SSL-TLS Implementations Cipher Block Chaining Padding Information Disclosure Vulnerability

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21693271

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21693337

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21693495

Source: CCN
Type: A10 Security Advisory
CVE-2014-8730 published on December 8th, 2014

Source: MLIST
Type: UNKNOWN
[oss-security] 20141209 Re: CVE question: Return of POODLE

Source: CCN
Type: BID-71549
Multiple F5 Products CVE-2014-8730 Man In The Middle Information Disclosure Vulnerability

Source: CCN
Type: Red Hat Bugzilla Bug 1171965
CVE-2014-8730 TLS: incorrect check of padding bytes when using CBC cipher suites

Source: CONFIRM
Type: Vendor Advisory
https://devcentral.f5.com/articles/cve-2014-8730-padding-issue-8151

Source: XF
Type: UNKNOWN
tls-cve20148730-info-disc(99216)

Source: CONFIRM
Type: UNKNOWN
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04819635

Source: CCN
Type: F5 Security Advisory sol15882
TLS1.x padding vulnerability CVE-2014-8730

Source: CONFIRM
Type: Vendor Advisory
https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html

Source: CCN
Type: KEMP Technologies Support Center
POODLE and TLS - CVE-2014-8730

Source: CONFIRM
Type: UNKNOWN
https://support.lenovo.com/product_security/poodle

Source: CONFIRM
Type: UNKNOWN
https://support.lenovo.com/us/en/product_security/poodle

Source: CCN
Type: IBM Security Bulletin 736107 (1/10 Gb Uplink Ethernet Switch Module)
IBM BladeCenter Switch Modules are affected by information disclosure vulnerability (CVE-2014-8730)

Source: CCN
Type: IBM Security Bulletin 737135 (Flex System Fabric EN4093/EN4093R 10Gb Scalable Switch firmware)
IBM Flex System switch firmware products are affected by information disclosure vulnerability (CVE-2014-8730)

Source: CCN
Type: IBM Security Bulletin 737151 (RackSwitch G8000)
IBM RackSwitch firmware products are affected by information disclosure vulnerability (CVE-2014-8730)

Source: MISC
Type: UNKNOWN
https://www.imperialviolet.org/2014/12/08/poodleagain.html

Vulnerable Configuration:

Configuration 1:

cpe:/a:f5:big-ip_local_traffic_manager:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:10.0.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:10.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:10.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:10.2.2:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:10.2.3:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:10.2.4:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:11.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:11.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:11.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:11.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:11.3.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:11.4.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:11.4.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_local_traffic_manager:11.5.1:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:f5:big-ip_access_policy_manager:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:10.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:10.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:10.2.2:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:10.2.3:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:10.2.4:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:11.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:11.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:11.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:11.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:11.3.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:11.4.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:11.5.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_access_policy_manager:11.5.1:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:f5:big-ip_policy_enforcement_manager:11.3.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_policy_enforcement_manager:11.4.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_policy_enforcement_manager:11.4.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_policy_enforcement_manager:11.5.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_policy_enforcement_manager:11.5.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_policy_enforcement_manager:11.6.0:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:f5:big-ip_protocol_security_module:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:10.0.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:10.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:10.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:10.2.2:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:10.2.3:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:10.2.4:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:11.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:11.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:11.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:11.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:11.3.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:11.4.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_protocol_security_module:11.4.1:*:*:*:*:*:*:*

Configuration 5:

cpe:/a:f5:big-ip_application_acceleration_manager:11.4.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_acceleration_manager:11.4.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_acceleration_manager:11.5.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_acceleration_manager:11.5.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_acceleration_manager:11.6.0:*:*:*:*:*:*:*

Configuration 6:

cpe:/a:f5:big-ip_webaccelerator:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_webaccelerator:10.0.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_webaccelerator:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_webaccelerator:10.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_webaccelerator:10.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_webaccelerator:10.2.2:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_webaccelerator:10.2.3:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_webaccelerator:10.2.4:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_webaccelerator:11.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_webaccelerator:11.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_webaccelerator:11.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_webaccelerator:11.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_webaccelerator:11.3.0:*:*:*:*:*:*:*

Configuration 7:

cpe:/a:f5:big-iq_security:4.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-iq_security:4.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-iq_security:4.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-iq_security:4.3.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-iq_security:4.4.0:*:*:*:*:*:*:*

Configuration 8:

cpe:/a:f5:big-ip_edge_gateway:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_edge_gateway:10.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_edge_gateway:10.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_edge_gateway:10.2.2:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_edge_gateway:10.2.3:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_edge_gateway:10.2.4:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_edge_gateway:11.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_edge_gateway:11.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_edge_gateway:11.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_edge_gateway:11.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_edge_gateway:11.3.0:*:*:*:*:*:*:*

Configuration 9:

cpe:/a:f5:big-iq_device:4.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-iq_device:4.3.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-iq_device:4.4.0:*:*:*:*:*:*:*

Configuration 10:

cpe:/a:f5:big-ip_application_security_manager:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:10.0.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:10.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:10.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:10.2.2:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:10.2.3:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:10.2.4:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:11.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:11.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:11.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:11.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:11.3.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:11.4.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:11.4.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_application_security_manager:11.5.1:*:*:*:*:*:*:*

Configuration 11:

cpe:/a:f5:big-ip_advanced_firewall_manager:11.3.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_advanced_firewall_manager:11.4.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_advanced_firewall_manager:11.4.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_advanced_firewall_manager:11.5.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_advanced_firewall_manager:11.5.1:*:*:*:*:*:*:*

Configuration 12:

cpe:/a:f5:big-ip_analytics:11.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_analytics:11.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_analytics:11.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_analytics:11.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_analytics:11.3.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_analytics:11.4.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_analytics:11.4.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_analytics:11.5.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_analytics:11.5.1:*:*:*:*:*:*:*

Configuration 13:

cpe:/a:f5:big-iq_cloud:4.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-iq_cloud:4.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-iq_cloud:4.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-iq_cloud:4.3.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-iq_cloud:4.4.0:*:*:*:*:*:*:*

Configuration 14:

cpe:/a:f5:big-ip_wan_optimization_manager:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_wan_optimization_manager:10.0.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_wan_optimization_manager:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_wan_optimization_manager:10.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_wan_optimization_manager:10.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_wan_optimization_manager:10.2.2:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_wan_optimization_manager:10.2.3:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_wan_optimization_manager:10.2.4:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_wan_optimization_manager:11.0.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_wan_optimization_manager:11.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_wan_optimization_manager:11.2.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_wan_optimization_manager:11.2.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_wan_optimization_manager:11.3.0:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:f5:big-ip_access_policy_manager:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_analytics:11.5.1:*:*:*:*:*:*:*

OR cpe:/a:f5:big-ip_analytics:11.0.0:*:*:*:*:*:*:*

Denotes that component is vulnerable