F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

JG's avatar
JG
Icon for Cumulonimbus rankCumulonimbus
Jan 27, 2014

sol14634: SSL / TLS BREACH vulnerability - CVE-2013-3587: When is this going to be fixed?

We disabled compression as a result of the vulnerability as described in "sol14634: SSL / TLS BREACH vulnerability - CVE-2013-3587", last August.   I wonder if the issue has been fixed, and if not...
application delivery
design
management
performance
security
TMOS
boneyard's avatar
boneyard
Icon for MVP rankMVP
Jul 08, 2015

looking at it again the attack isn't that simple. do the three requirements even apply to exchange?

 

static content can still be compressed apparently, the iapp only compresses some of the content, is that only static perhaps?

 

i still don't feel F5 is the one to "fix" this. if you feel differently why not open a support ticket and explain them how to do that.

 

if the site of the discoverers is correct then adding random amounts of data to responses is also a workaround. that should be possible with an iRule, so in that way you even have a mitigation available with a BIG-IP.