{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2017-002.pdf"
    },
    "title": "Ticketbleed Vulnerability Affecting F5 BIG-IP",
    "serial_number": "2017-002",
    "publish_date": "09-02-2017 15:39:00",
    "description": "A vulnerability called Ticketbleed in F5 BIG-IP devices (CVE-2016-9244) could allow an unauthenticated, remote attacker to obtain sensitive information from memory if the non-default Session Tickets option is enabled for a Client SSL profile.",
    "url_title": "2017-002",
    "content_markdown": "---\ntitle: 'Ticketbleed Vulnerability Affecting F5 BIG-IP'\nversion: '1.0'\nnumber: '2017-002'\nfontsize: '11pt'\n---\n\n_History:_\n\n* _09/01/2017 --- v1.0 -- Initial publication_\n\n\n# Summary\n\nA vulnerability in F5 BIG-IP devices (CVE-2016-9244 [1]) could allow an unauthenticated, remote attacker to obtain sensitive information from memory if the non-default _Session Tickets_ option is enabled for a Client SSL profile.\n\nThe vulnerability allows the attacker to retrieve up to 31 bytes of uninitialized memory at a time. This memory can potentially contain key material or sensitive data from other connections like Secure Sockets Layer (SSL) session IDs.\n\nThe vulnerability is called **Ticketbleed** [2], and F5 Product Development has assigned ID 596340 (BIG-IP) to this vulnerability [3].\n\n\n# Products Affected\n\nThis vulnerability affects the BIG-IP virtual server component on several F5 BIG-IP products.\n\nThe following versions of the BIG-IP products are affected by the vulnerability described in this document:\n\n* versions `12.0.0` to `12.1.2` and `11.4.0` to `11.6.1` of the BIG-IP LTM, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP Link Controller, and BIG-IP PEM\n* versions `11.4.0` to `11.6.1` of the BIG-IP GTM\n* versions `11.4.0` to `11.4.1` of the BIG-IP PSM\n\n# Recommendations\n\nVersions `11.4.0` to `11.6.1` of the affected products (except BIG-IP PSM) can be upgraded to the patched version `11.6.1 HF2`. For affected products using versions `12.0.0` to `12.1.2`, no patched version currently exists.\n\nA workaround is to disable the _Session Ticket_ option on the affected Client SSL profile. To do so, perform the following procedure:\n\n* Log in to the _Configuration_ utility.\n* Navigate to **Local Traffic** > **Profiles** > **SSL** > **Client**.\n* For the **Configuration** option, select **Advanced**.\n* Clear the **Session Ticket** check box.\n* Click **Update**.\n\n# References\n\n[1] <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9244>\n\n[2] <https://filippo.io/Ticketbleed/>\n\n[3] <https://support.f5.com/csp/article/K05121675>\n",
    "content_html": "<p><em>History:</em></p><ul><li><em>09/01/2017 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>A vulnerability in F5 BIG-IP devices (CVE-2016-9244 [1]) could allow an unauthenticated, remote attacker to obtain sensitive information from memory if the non-default <em>Session Tickets</em> option is enabled for a Client SSL profile.</p><p>The vulnerability allows the attacker to retrieve up to 31 bytes of uninitialized memory at a time. This memory can potentially contain key material or sensitive data from other connections like Secure Sockets Layer (SSL) session IDs.</p><p>The vulnerability is called <strong>Ticketbleed</strong> [2], and F5 Product Development has assigned ID 596340 (BIG-IP) to this vulnerability [3].</p><h2 id=\"products-affected\">Products Affected</h2><p>This vulnerability affects the BIG-IP virtual server component on several F5 BIG-IP products.</p><p>The following versions of the BIG-IP products are affected by the vulnerability described in this document:</p><ul><li>versions <code>12.0.0</code> to <code>12.1.2</code> and <code>11.4.0</code> to <code>11.6.1</code> of the BIG-IP LTM, BIG-IP AAM, BIG-IP AFM, BIG-IP Analytics, BIG-IP APM, BIG-IP ASM, BIG-IP Link Controller, and BIG-IP PEM</li><li>versions <code>11.4.0</code> to <code>11.6.1</code> of the BIG-IP GTM</li><li>versions <code>11.4.0</code> to <code>11.4.1</code> of the BIG-IP PSM</li></ul><h2 id=\"recommendations\">Recommendations</h2><p>Versions <code>11.4.0</code> to <code>11.6.1</code> of the affected products (except BIG-IP PSM) can be upgraded to the patched version <code>11.6.1 HF2</code>. For affected products using versions <code>12.0.0</code> to <code>12.1.2</code>, no patched version currently exists.</p><p>A workaround is to disable the <em>Session Ticket</em> option on the affected Client SSL profile. To do so, perform the following procedure:</p><ul><li>Log in to the <em>Configuration</em> utility.</li><li>Navigate to <strong>Local Traffic</strong> &gt; <strong>Profiles</strong> &gt; <strong>SSL</strong> &gt; <strong>Client</strong>.</li><li>For the <strong>Configuration</strong> option, select <strong>Advanced</strong>.</li><li>Clear the <strong>Session Ticket</strong> check box.</li><li>Click <strong>Update</strong>.</li></ul><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9244\">https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9244</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://filippo.io/Ticketbleed/\">https://filippo.io/Ticketbleed/</a></p><p>[3] <a rel=\"noopener\" target=\"_blank\" href=\"https://support.f5.com/csp/article/K05121675\">https://support.f5.com/csp/article/K05121675</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}