Earlier this month, researchers disclosed an OpenSSL vulnerability in the BN_mod_sqrt() function. This function is used when parsing certificates that contain elliptic curve public keys in compressed form, or explicit elliptic curve parameters with a base point encoded in compressed form. An infinite loop can be triggered by crafting a certificate that has invalid explicit curve parameters.
This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the 1.1.1n and 3.0.2 releases on 15 March 2022. Fixed in OpenSSL 3.0.2 (affected 3.0.0, 3.0.1). Fixed in OpenSSL 1.1.1n (affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (affected 1.0.2-1.0.2zc). (CVE-2022-0778)
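To triage which certificates in an inventory would even exercise this code path, here is an added example (not part of the F5 advisory or of OpenSSL) that inspects a DER SubjectPublicKeyInfo for the two encodings named above: a compressed public key point, or explicit ECParameters whose base point is compressed. The sample keys are constructed inside the block with placeholder coordinates; the helper names and the `needs_review` policy are this example's own.

```python
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1 id-ecPublicKey
SECP256R1 = bytes.fromhex("2a8648ce3d030107")       # OID 1.2.840.10045.3.1.7 (namedCurve form)
COMPRESSED = (b"\x02", b"\x03")  # SEC 1 point prefixes: 02/03 compressed, 04 uncompressed

def tlv(tag, body):
    # Minimal DER encoder (content < 65536 bytes); used only to build the samples below.
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")) + body

def read_tlv(buf, pos=0):
    # Decode one DER TLV at pos; returns (tag, content, offset just after it).
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(body):
    # (tag, content) for each element of a SEQUENCE body, in order.
    out, pos = [], 0
    while pos < len(body):
        tag, content, pos = read_tlv(body, pos)
        out.append((tag, content))
    return out

def inspect_spki(spki):
    # Report the EC encodings named in the advisory for one SubjectPublicKeyInfo.
    (_, alg_id), (_, key_bits) = children(read_tlv(spki)[1])[:2]
    (oid_tag, oid), (param_tag, params) = children(alg_id)[:2]
    if oid_tag != 0x06 or oid != ID_EC_PUBLIC_KEY:
        return {"ec": False, "explicit_params": False, "compressed_point": False, "compressed_base": False}
    explicit = param_tag == 0x30  # ECParameters SEQUENCE instead of a namedCurve OID
    # ECParameters ::= SEQUENCE { version, fieldID, curve, base OCTET STRING, order, cofactor OPTIONAL }
    base = children(params)[3][1] if explicit else b""
    return {"ec": True, "explicit_params": explicit,
            "compressed_point": key_bits[1:2] in COMPRESSED,  # octet 0 of the BIT STRING = unused bits
            "compressed_base": base[:1] in COMPRESSED}

def needs_review(spki):
    # True when parsing this key takes the BN_mod_sqrt() path described above.
    r = inspect_spki(spki)
    return r["compressed_point"] or (r["explicit_params"] and r["compressed_base"])
# Constructed samples: the coordinate bytes are placeholders, not points on any real curve.
X, Y = b"\x11" * 32, b"\x22" * 32
def make_spki(params, point):
    return tlv(0x30, tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + params) + tlv(0x03, b"\x00" + point))
NAMED_UNCOMPRESSED = make_spki(tlv(0x06, SECP256R1), b"\x04" + X + Y)
NAMED_COMPRESSED = make_spki(tlv(0x06, SECP256R1), b"\x03" + X)
EXPLICIT_COMPRESSED_BASE = make_spki(tlv(0x30, tlv(0x02, b"\x01") + tlv(0x30, b"") + tlv(0x30, b"")
                                     + tlv(0x04, b"\x02" + X) + tlv(0x02, b"\x01")), b"\x04" + X + Y)
```

A key flagged here is only an input that reaches the affected function, not proof that it is malicious; the actual fix is upgrading to a release listed above.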
BIG-IP (control plane)
This issue affects the BIG-IP Configuration utility (port 443) only in some non-default configurations. These configurations may include restricting access to the BIG-IP Configuration utility using client certificates, or accessing the Configuration utility using password-less SSL client certificate authentication. This issue also affects the BIG-IP ConfigSync and iQuery listener (port 4353), when exposed, in all configurations.
BIG-IP (data plane)
This issue affects BIG-IP Client SSL only when configured to validate client certificates (when ‘Client Certificate’ is set to ‘require’ or ‘request’) and the client presents a maliciously crafted certificate, and Server SSL in all configurations if the target server presents a maliciously crafted certificate.
The RHEL installation may be vulnerable to a denial-of-service (DoS) attack.
F5 Product Development has assigned ID 1087201 and SDC-1779 (Traffix) to this vulnerability. This issue has been classified as CWE-835: Loop with Unreachable Exit Condition (‘Infinite Loop’).