Forum Discussion
sol14634: SSL / TLS BREACH vulnerability - CVE-2013-3587: When is this going to be fixed?
We disabled compression as a result of the vulnerability as described in "sol14634: SSL / TLS BREACH vulnerability - CVE-2013-3587", last August.
I wonder if the issue has been fixed, and if not, how much more time it is going to need for the issue to be resolved.
We have paid a lot for the licence to use this feature, and need to justify further spend on it.
4 Replies
this isn't really something for F5 to solve, it is a general issue with SSL and unless someone comes up with something smart it might be an issue for a long time. check http://breachattack.com/ for other possible solutions.
- JG
Cumulonimbus
I see that compression for SSL is still recommended by default in a deployment guide such as http://www.f5.com/pdf/deployment-guides/microsoft-exchange-iapp-dg.pdf .
- JG
Cumulonimbus
[duplicate deleted.]
looking at it again the attack isn't that simple. do the three requirements even apply to exchange?
static content can still be compressed apparently, the iapp only compresses some of the content, is that only static perhaps?
i still don't feel F5 is the one to "fix" this. if you feel differently why not open a support ticket and explain to them how to do that.
if the site of the discoverers is correct then adding random amounts of data to responses is also a workaround. that should be possible with an iRule, so in that way you even have a mitigation available with a BIG-IP.
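The random-length padding workaround mentioned in the last reply, sketched in Python as an added example (it is not part of the thread and is not an iRule). The 64-byte bound, the constructed sample page and all function names are assumptions made for illustration.

```python
import secrets
import zlib

MAX_PAD = 64  # assumed upper bound on padding bytes; not a value from the thread


def pad_response(body: bytes, max_pad: int = MAX_PAD) -> bytes:
    """Append an HTML comment holding 0..max_pad random bytes, hex-encoded."""
    n = secrets.randbelow(max_pad + 1)
    # Random hex, not a repeated filler character: a run of identical bytes
    # would compress to almost nothing and leave the wire length unchanged.
    filler = secrets.token_hex(n).encode()
    return body + b"<!-- " + filler + b" -->"


def compressed_len(body: bytes) -> int:
    """Size of the body after DEFLATE, which is what an observer can measure."""
    return len(zlib.compress(body, 6))


def observed_lengths(body: bytes, samples: int, padded: bool) -> set:
    """Distinct compressed sizes seen when the same page is served repeatedly."""
    seen = set()
    for _ in range(samples):
        seen.add(compressed_len(pad_response(body) if padded else body))
    return seen


# Constructed sample page: reflects a request parameter and carries a token.
SAMPLE_BODY = (
    b"<html><body><form action='/search'>"
    b"<input name='q' value='canary'>"
    b"<input type='hidden' name='csrf_token' value='CONSTRUCTED-TOKEN-0001'>"
    b"</form></body></html>"
)

if __name__ == "__main__":
    # Without padding the size is a single fixed value per page content;
    # with padding the same content is observed at many different sizes.
    print("unpadded:", sorted(observed_lengths(SAMPLE_BODY, 200, False)))
    print("padded:  ", sorted(observed_lengths(SAMPLE_BODY, 200, True)))
```

The BREACH authors describe length hiding of this kind as something that slows the attack rather than stops it, because the added noise can be averaged out over more requests. Treat it as a stopgap alongside the other options listed on breachattack.com.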