CVE-2016-9244 F5 BIG-IP ASM Session Tickets Information Disclosure Vulnerability (TICKETBLEED) (K05121675)

A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. The vulnerability exists in the implementation of the TLS SessionTicket extension, that incorrectly pads a TLS Session ID, passed from the client, with data to make it 32-bits long.

Affected Versions:
BIG-IP ASM 12.0.0 - 12.1.2
BIG-IP ASM 11.4.0 - 11.6.1

A remote attacker may exploit this vulnerability to obtain Secure Sockets Layer (SSL) session IDs from other sessions. It is possible that other data from uninitialized memory may be returned as well.

Customers are advised to refer to K05121675 for updates pertaining to this vulnerability.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

K05121675