阿里云漏洞库

漏洞描述

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
http://breachattack.com/
http://github.com/meldium/breach-mitigation-rails
http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407
http://slashdot.org/story/13/08/05/233216
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
http://www.kb.cert.org/vuls/id/987798
https://bugzilla.redhat.com/show_bug.cgi?id=995168
https://hackerone.com/reports/254895
https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a3430...
https://support.f5.com/csp/article/K14634
https://www.blackhat.com/us-13/briefings.html#Prado
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	f5	arx	*	From (including) 5.0.0	Up to (including) 5.3.1
	运行在以下环境
	应用	f5	arx	*	From (including) 6.0.0	Up to (including) 6.4.0
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 10.1.0	Up to (including) 10.2.4
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 11.0.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	13.0.0	-
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 11.3.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	13.0.0	-
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 11.0.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_analytics	13.0.0	-
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 11.4.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	13.0.0	-
	运行在以下环境
	应用	f5	big-ip_application_security_manager	*	From (including) 10.0.0	Up to (including) 10.2.4
	运行在以下环境
	应用	f5	big-ip_application_security_manager	*	From (including) 11.0.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_application_security_manager	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_application_security_manager	*	From (including) 9.2.0	Up to (including) 9.4.8
	运行在以下环境
	应用	f5	big-ip_application_security_manager	13.0.0	-
	运行在以下环境
	应用	f5	big-ip_edge_gateway	*	From (including) 10.1.0	Up to (including) 10.2.4
	运行在以下环境
	应用	f5	big-ip_edge_gateway	*	From (including) 11.0.0	Up to (including) 11.3.0
	运行在以下环境
	应用	f5	big-ip_link_controller	*	From (including) 10.0.0	Up to (including) 10.2.4
	运行在以下环境
	应用	f5	big-ip_link_controller	*	From (including) 11.0.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_link_controller	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_link_controller	*	From (including) 9.2.2	Up to (including) 9.4.8
	运行在以下环境
	应用	f5	big-ip_link_controller	13.0.0	-
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 10.0.0	Up to (including) 10.2.4
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 11.0.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 9.0.0	Up to (including) 9.6.1
	运行在以下环境
应用	f5	big-ip_local_traffic_manager	13.0.0	-
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 11.3.0	Up to (including) 11.6.1
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 12.0.0	Up to (including) 12.1.2
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	13.0.0	-
运行在以下环境
应用	f5	big-ip_protocol_security_module	*	From (including) 10.0.0	Up to (including) 10.2.4
运行在以下环境
应用	f5	big-ip_protocol_security_module	*	From (including) 11.0.0	Up to (including) 11.4.1
运行在以下环境
应用	f5	big-ip_protocol_security_module	*	From (including) 9.4.5	Up to (including) 9.4.8
运行在以下环境
应用	f5	big-ip_wan_optimization_manager	*	From (including) 10.0.0	Up to (including) 10.2.4
运行在以下环境
应用	f5	big-ip_wan_optimization_manager	*	From (including) 11.0.0	Up to (including) 11.3.0
运行在以下环境
应用	f5	big-ip_webaccelerator	*	From (including) 10.0.0	Up to (including) 10.2.4
运行在以下环境
应用	f5	big-ip_webaccelerator	*	From (including) 11.0.0	Up to (including) 11.3.0
运行在以下环境
应用	f5	big-ip_webaccelerator	*	From (including) 9.4.0	Up to (including) 9.4.8
运行在以下环境
应用	f5	firepass	*	From (including) 6.0.0	Up to (including) 6.1.0
运行在以下环境
应用	f5	firepass	7.0.0	-

攻击路径

本地
攻击复杂度

困难
权限要求

普通权限
影响范围

有限影响
EXP成熟度

未验证
补丁情况

官方补丁
数据保密性

无影响
数据完整性

N/A
服务器危害

无影响
全网数量

N/A

CWE-ID	漏洞类型
CWE-200	信息暴露

中危 f5 big-ip_access_policy_manager 信息暴露

漏洞描述

解决建议

参考链接

受影响软件情况