Security Advisory

Published: February 17, 2016
Last Update: February 17, 2016

This security advisory addresses CVE-2015-7575, pertaining to TLS1.2 in non FIPS compliant versions of ACOS.


TLS 1.2 allows for the client and server to negotiate the hash algorithm they use. This was designed to allow the use of stronger hash functions, however it does allow for the use of the weaker MD5, which effectively weakens the authentication.

In the FIPS compliant versions of ACOS, this hash is specifically disabled; however the rest of the code is affected.

Although unlikely to exploit, if the vulnerability is exploited it can give the attacker one of two advantages. They may be able to forge a client certificate thus thwart certificate based client authentication. The second vulnerability would allow for key to be forged while using the server-key-exchange option.

This vulnerability requires the attacker is positioned on the network in a way allowing for the intercept of traffic and is very complex and difficult to exploit.

Affected Releases
Workarounds and Mitigations
Software Updates

Software updates resolving this potential vulnerability will be published at the following URL when available: click here
The following table summarizes update versions resolving all of the above CVEs.

Vulnerable Release Resolved Release
4.0.1 4.1.0
3.x 3.2.1
2.7.2-P7 2.7.2-P8
2.7.1-GR1 2.7.1-GR1-P1
2.8.2-P4 2.8.2-P5
Vulnerability Details

Affected Platforms: ADC, CGN, TPS
Affected Software Versions: 4.0.1, 3.x, 2.7.2-P7, 2.7.1-GR1, 2.8.2-P4

Vulnerability ID Vulnerability Description
Modification History
Revision Date Description
1.0 April 18, 2018

Created web page