Published: December 3, 2015
Last Update: December 3, 2015
On December 3rd, 2015, OpenSSL release a security advisory with a number of security vulnerabilities across multiple version of OpenSSL. Out of those ACOS is only affected by CVE-2015-3195 and this advisory addresses the impact from it.
If a specially crafted certificate is uploaded to ACOS device it is theoretically possible to trigger a bug in the way X.509 date is handled, which may result in a memory leak.
In order to upload certificates to the device the user already needs to have higher level of privilege which overall implies they would have access to the data leaked regardless of the use of this bug.
Workarounds and Mitigations
Software updates resolving this potential vulnerability will be published at the following URL when available: click here
Since this is a minor vulnerability, the patch will be included in the next scheduled software release.
Affected Platforms: ADC, CGN, TPS
Affected Software Versions: 4.0.x, 3.1.x, 2.7.x, 2.8.x