CRIME vulnerability via the SPDY protocol CVE-2012-4930

The SPDY protocol 3, and earlier, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data. This allows man-in-the-middle attackers to obtain plain text HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header. The SPDY protocol 3, and earlier, is used in Mozilla Firefox, Google Chrome, and other products. (CVE-2012-4930)

Impact

Connections to virtual servers configured with the SPDY profile may be at risk.

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in theVersions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

To mitigate this vulnerability, you can either disable SPDY compression or use an HTTP/2.0 profile. To do so, perform one of the following workarounds:

Using an HTTP/2 profile (12.0.0)

Impact of action: Performing the recommended workaround should not have a negative impact on your system.

If you are using BIG-IP 12.0.0 and later, you can configure the BIG-IP system to use an HTTP/2.0 profile. For more information, refer to the Managing HTTP Traffic with the HTTP2 Profile section of the BIG-IP Local Traffic Manager: Implementations guide.

Note: For information about how to locate F5 product guides, refer to K12453464: Finding product documentation on AskF5.

Note: Although the HTTP/2.0 profile was introduced in 11.6.0, it is considered experimental and not intended for use in production.

Disabling SPDY compression (11.2.0 - 11.6.0)

Impact of action: Performing the recommended workaround will cause HTTP compression to be performed by hardware instead or software, resulting in increased CPU usage.

SPDY compression is done asymmetrically. To mitigate this vulnerability for client requests, you should update the client browser to a patched version that has SPDY compression disabled. For responses from BIG-IP to the client, if the previous table lists a version in the Versions known to be not vulnerable column, you can eliminate this vulnerability by upgrading to the listed version or, if you are using BIG-IP 11.4.0 and later, you can configure theCompression Levelto0 for all SPDY profiles in use.

• K14054: CRIME vulnerability via TLS 1.2 protocol CVE-2012-4929
• K9970: Subscribing to email notifications regarding F5 products
• K9957: Creating a custom RSS feed to view new and updated documents
• K4602: Overview of the F5 security vulnerability response policy