F5 Networks BIG-IP : OpenSSL vulnerability (K23196136) (DROWN)
Medium Nessus Plugin ID 100180
SynopsisThe remote device is missing a vendor-supplied security patch.
DescriptionThe SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a 'DROWN' attack. (CVE-2016-0800)
SolutionUpgrade to one of the non-vulnerable versions listed in the F5 Solution K23196136.