SSL/TLS BREACH vulnerability CVE-2013-3587

2013-08-23T03:10:00
ID F5:K14634
Type f5
Reporter f5
Modified 2017-08-15T21:50:00

Description

BREACH (CVE-2013-3587) is a side channel against HTTP-level compression of TLS-protected responses. When a response compresses attacker-influenced input (for example a reflected query parameter) in the same body as a secret (for example an anti-CSRF token), the compressed length reveals how much of the attacker's guess matched the secret, so an attacker who can make the victim's browser issue requests and who can observe the sizes of the encrypted responses can recover the secret one character at a time. TLS itself is not broken; the leak is in the length of what TLS encrypts.

F5 Product Development has assigned ID 427375 (BIG-IP and Enterprise Manager), ID 428152 (FirePass), and ID 428241 (ARX) to this vulnerability.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Vulnerable component or feature
---|---|---|---
BIG-IP LTM | 13.0.0, 12.0.0 - 12.1.2, 11.0.0 - 11.6.1, 10.0.0 - 10.2.4, 9.0.0 - 9.6.1 | None | SSL virtual servers
BIG-IP AAM | 13.0.0, 12.0.0 - 12.1.2, 11.4.0 - 11.6.1 | None | SSL virtual servers
BIG-IP AFM | 13.0.0, 12.0.0 - 12.1.2, 11.3.0 - 11.6.1 | None | SSL virtual servers
BIG-IP Analytics | 13.0.0, 12.0.0 - 12.1.2, 11.0.0 - 11.6.1 | None | SSL virtual servers
BIG-IP APM | 13.0.0, 12.0.0 - 12.1.2, 11.0.0 - 11.6.1, 10.1.0 - 10.2.4 | None | SSL virtual servers
BIG-IP ASM | 13.0.0, 12.0.0 - 12.1.2, 11.0.0 - 11.6.1, 10.0.0 - 10.2.4, 9.2.0 - 9.4.8 | None | SSL virtual servers
BIG-IP DNS | None | 13.0.0, 12.0.0 - 12.1.2 | None
BIG-IP Edge Gateway | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | None | SSL virtual servers
BIG-IP GTM | None | 11.0.0 - 11.6.1, 10.0.0 - 10.2.4, 9.2.2 - 9.4.8 | None
BIG-IP Link Controller | 13.0.0, 12.0.0 - 12.1.2, 11.0.0 - 11.6.1, 10.0.0 - 10.2.4, 9.2.2 - 9.4.8 | None | SSL virtual servers
BIG-IP PEM | 13.0.0, 12.0.0 - 12.1.2, 11.3.0 - 11.6.1 | None | SSL virtual servers
BIG-IP PSM | 11.0.0 - 11.4.1, 10.0.0 - 10.2.4, 9.4.5 - 9.4.8 | None | SSL virtual servers
BIG-IP WebAccelerator | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4, 9.4.0 - 9.4.8 | None | SSL virtual servers
BIG-IP WOM | 11.0.0 - 11.3.0, 10.0.0 - 10.2.4 | None | SSL virtual servers
ARX | 6.0.0 - 6.4.0, 5.0.0 - 5.3.1 | None | ARX Manager GUI
Enterprise Manager | None | 3.0.0 - 3.1.1, 2.0.0 - 2.3.0, 1.6.0 - 1.8.0 | None
FirePass | 7.0.0, 6.0.0 - 6.1.0 | None | Web services
BIG-IQ Cloud | None | 4.0.0 - 4.3.0 | None
BIG-IQ Device | None | 4.2.0 - 4.3.0 | None
BIG-IQ Security | None | 4.0.0 - 4.3.0 | None

The table lists no fixed releases for the affected products, so the mitigation is configuration-based. To mitigate this vulnerability, disable HTTP compression, or enable HTTP compression only for static content: static responses do not combine attacker-supplied input with a per-user secret, so their compressed size leaks nothing. For information about configuring HTTP compression, refer to the product guides for your specific product and version.

Impact of action: Slower page load times for dynamic content.

You can also mitigate this vulnerability by disabling HTTP compression when the Referer header is missing or does not carry your site's domain name. The attacker must make the victim's browser issue the requests from a malicious or hijacked site, so those requests arrive with that site's domain name in the Referer header, or with no Referer at all. To selectively disable compression based on the Referer header, use an iRule similar to one of the following examples, depending on whether the BIG-IP system or the pool members perform HTTP compression. Check the Referer scheme and host exactly rather than as a substring: a substring match on www.example.com would also accept a Referer of https://www.example.com.attacker.example/. This mitigation is partial. Clients that suppress the Referer header lose compression rather than security, and an attacker who can already inject requests from your own origin (for example through a cross-site scripting flaw) is not stopped by it.

Impact of action: The impact of the suggested mitigation will depend on the specific environment. F5 recommends testing any such changes during a maintenance window with consideration to the possible impact on your environment.

Mitigation when the BIG-IP system performs SSL offloading and HTTP compression offloading

Note: When using the COMPRESS commands, you must set the HTTP profile Compression setting to Selective (9.x - 10.x) or the HTTP compression profile Selective Compression setting to Enabled (11.x - 13.x).

when HTTP_REQUEST {
    # Compress only when the request was navigated from our own pages. The
    # attacker's forced requests arrive from another origin, or with no
    # Referer at all, so they get uncompressed responses and no length oracle.
    # The check is anchored on scheme and host; a plain substring test for
    # "www.example.com" would also match https://www.example.com.attacker.example/.
    # An absent Referer yields an empty string here and therefore disables compression.
    if { [HTTP::header value Referer] starts_with "https://www.example.com/" } {
        COMPRESS::enable
    } else {
        COMPRESS::disable
    }
}

Mitigation when the BIG-IP system performs SSL offloading and pool members perform HTTP compression

when HTTP_REQUEST {
    # The pool members compress whatever the client offers in Accept-Encoding,
    # so removing that header forces an uncompressed response unless the
    # request came from our own pages (exact scheme and host, not a substring
    # match; an absent Referer is an empty string and fails the test).
    if { !([HTTP::header value Referer] starts_with "https://www.example.com/") } {
        HTTP::header remove Accept-Encoding
    }
}
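The following script is an added example; it is not part of this advisory and is not F5 or BIG-IP code. It models the two things the mitigations above rely on: the length oracle that HTTP compression creates when a response echoes attacker-controlled input in the same body as a secret (the description of BREACH above), and the Referer gate implemented by the two iRules, here with an exact host comparison rather than a substring test. The page template, the token value, the site name www.example.com and every Referer value are constructed for the demo.

```python
"""
Added example, not part of the F5 advisory or BIG-IP: a local model of the
BREACH length oracle and of the Referer-based compression gate. The page
template, the token and the Referer values are constructed for the demo.
"""
import zlib
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

SITE_HOST = "www.example.com"          # assumed site name, as in the iRules
SECRET = "3f9a7c2e1b"                  # constructed anti-CSRF token
ATTACK_PREFIX = 'csrf" value="'        # the bytes that precede the token in the HTML
HEX = "0123456789abcdef"

# Constructed dynamic page: it echoes a request parameter and carries the
# per-session token, the two ingredients BREACH needs in one compressed body.
PAGE_TEMPLATE = (
    "<!DOCTYPE html><html><head><title>Order history</title></head><body>"
    '<nav><a href="/home">Home</a> | <a href="/orders">Orders</a> | '
    '<a href="/logout">Log out</a></nav><h1>Order history</h1>'
    "<p>Results for: {reflected}</p>"
    "<table><tr><th>Order</th><th>Status</th></tr>"
    "<tr><td>10482</td><td>shipped</td></tr>"
    "<tr><td>10517</td><td>pending</td></tr></table>"
    '<form method="post" action="/orders/cancel">'
    '<input type="hidden" name="csrf" value="{secret}">'
    "<button>Cancel selected</button></form></body></html>"
)


def render_page(reflected: str) -> bytes:
    return PAGE_TEMPLATE.format(reflected=reflected, secret=SECRET).encode()


def response_size(reflected: str, compress: bool = True) -> int:
    """Bytes on the wire for one response, which is what a network attacker
    sees: TLS hides the content but not (to within a few bytes) the length."""
    body = render_page(reflected)
    return len(zlib.compress(body, 9)) if compress else len(body)


def compression_allowed(referer: Optional[str]) -> bool:
    """Python mirror of the Referer gate in the iRules above: compress only
    when the request was navigated from our own pages. The host is compared
    exactly; a substring test would also accept a Referer such as
    https://www.example.com.attacker.example/."""
    if not referer:
        return False                    # no Referer: treat as cross-site
    try:
        host = urlsplit(referer).hostname or ""
    except ValueError:
        return False
    return host.lower() == SITE_HOST


def observed_size(referer: Optional[str], known: str, guess: str) -> int:
    """Size the attacker observes for one forced request that reflects
    ATTACK_PREFIX + known + guess, after the gate has decided on compression."""
    return response_size(ATTACK_PREFIX + known + guess,
                         compress=compression_allowed(referer))


def rank_next_char(referer: Optional[str], known: str) -> Tuple[List[str], Dict[str, int]]:
    """Attacker step: try every next character after the known part of the
    token and return the candidates whose response is smallest. With
    compression on, the right character extends the LZ77 match against the
    real token, so it costs at most as many bytes as a wrong one; byte
    alignment can leave ties, which real attacks break with repeated and
    padded measurements. With compression off every size is identical."""
    sizes = {c: observed_size(referer, known, c) for c in HEX}
    best = min(sizes.values())
    return [c for c in HEX if sizes[c] == best], sizes


if __name__ == "__main__":
    for ref in ("https://attacker.example/lure", "https://www.example.com/orders"):
        tied, sizes = rank_next_char(ref, SECRET[:4])
        print(f"Referer {ref}: compression {'on' if compression_allowed(ref) else 'off'}")
        print(f"  sizes by candidate: {sizes}")
        print(f"  smallest responses: {tied} (real next character: {SECRET[4]!r})")
```

Run it directly to print, for a cross-site and a same-site Referer, the response size for each candidate next character of the token. Ties at the smallest size are possible because a single guess saves only one Huffman-coded literal while the output is measured in whole bytes; real BREACH tooling resolves them with repeated requests and padded "two tries" measurements, which this model leaves out. The gate makes the cross-site run flat: every candidate produces the same uncompressed length, so there is nothing to rank.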