Security Advisory

On January 8th, 2015, the OpenSSL Project announced a patch release addressing a number of low-level and a couple of moderate-level vulnerabilities. The patches cover the following CVEs:

• CVE-2014-3571 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3571)
• CVE-2015-0206 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0206)
• CVE-2014-3569 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3569)
• CVE-2014-3572 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3572)
• CVE-2015-0204 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204)
• CVE-2015-0205 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0205)
• CVE-2014-8275 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8275)
• CVE-2014-3570 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3570)

This document is a combined response of A10 Networks to the aforementioned vulnerabilities.

Despite the fact that CVE-2014-3571 and CVE-2015-0206 are rated with “moderate” level of severity by the Open SSL project, they do not appear to be an issue for A10 appliances and software. Both of those vulnerabilities affect DTLS and currently A10 does not have any software using it.

The following CVEs are low severity, do not pose an immediate threat to the devices and will be resolved in the next regular software release:

• CVE-2014-3569
• CVE-2014-3572
• CVE-2015-0204
• CVE-2014-8275
• CVE-2014-3570

¹CVE-2014-3569, CVE-2014-0204 and CVE-2014-0205 were originally published on 12/24/2014, 11/03/2014 and 09/28/2014 respectively

CVE-2015-0205 is not an issue for ACOS since at present the software does not support certificate authentication.

A10 Networks recommends upgrading to the respective patches when available. The table below summarizes the software releases resolving that issue.

Affected Platforms: ADC
Affected Software Versions: ADC 2.6/2.7/4.0, TPS 3.0.0