Forum Discussion
jksingh_44237
Nimbostratus
Jan 04, 2010
The remote load balancer suffers from an information disclosure vulnerability at port 80 and 443
I am looking for a solution for this issue.
I have BIGIP (BIG-IP 9.3.1 Build 37.1)
Port http (tcp/80)
Synopsis :
The remote load balancer suffers from an i...
Hamish
Cirrocumulus
Jan 04, 2010
Hi. Wrong forum for this question... You should be asking over in 'Advanced Design & Config', or maybe the iRule forums.
However
I'm not sure I ever agree with anyone who claims that letting users know your internal IPs and ports is a security problem... I tend to adhere more to the view that security by obscurity is no security at all. If your site is vulnerable to people knowing the backend IPs, then you have a bigger problem elsewhere rather than in the fact your cookies aren't opaque.
I tend to lump this 'vulnerability' in the same vein as running a secure webserver on port 443 is vulnerable because people can find it easier...
About the only real 'vulnerability' I could see from this is that over time someone might be able to determine how many backend servers you have... Which, given they don't know how big they are, doesn't tell them a lot other than how efficient your code is over time.
If you're really feeling bothered, there's an iRule available to encrypt and decrypt cookies for you. Check out the codeshare.
regards
Hamish
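The disclosure the scanner is reporting comes from the default BIG-IP cookie persistence value, which encodes the pool member's IPv4 address and port in a reversible way. The decoder below is an added example (not code from this thread, F5, or the codeshare iRule) that lets an operator audit their own Set-Cookie headers and confirm whether the persistence cookie is still readable or has been made opaque by cookie encryption; the sample headers are constructed, and the encoding (IPv4 as a little-endian 32-bit decimal, port with its two bytes swapped, trailing ".0000") is F5's documented default format.

```python
import ipaddress
import re

# Default BIG-IP cookie persistence layout: "<ip>.<port>.0000" where <ip> is the
# pool member's IPv4 address as a little-endian 32-bit decimal and <port> is the
# TCP port with its two bytes swapped (F5's documented format, not from the thread).
COOKIE_VALUE_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
SET_COOKIE_RE = re.compile(r"^Set-Cookie:\s*([^=;\s]+)=([^;]*)", re.IGNORECASE)


def decode_bigip_cookie(value):
    """Return (ip, port) if value is an unencrypted persistence cookie, else None.
    An encrypted/opaque cookie value (e.g. base64 text) does not match and yields None."""
    m = COOKIE_VALUE_RE.match(value.strip())
    if not m:
        return None
    ip_le, port_swapped = int(m.group(1)), int(m.group(2))
    if ip_le > 0xFFFFFFFF or port_swapped > 0xFFFF:
        return None
    # to_bytes(..., "little") undoes the byte reversal and gives network order
    ip = str(ipaddress.IPv4Address(ip_le.to_bytes(4, "little")))
    port = ((port_swapped & 0xFF) << 8) | (port_swapped >> 8)
    return ip, port


def encode_bigip_cookie(ip, port):
    """Inverse of decode_bigip_cookie; useful for building test fixtures."""
    ip_le = int.from_bytes(ipaddress.IPv4Address(ip).packed, "little")
    port_swapped = ((port & 0xFF) << 8) | (port >> 8)
    return f"{ip_le}.{port_swapped}.0000"


def audit_set_cookie_headers(header_lines):
    """Scan raw Set-Cookie lines and report cookies that reveal a backend IP:port.
    Returns a list of (cookie_name, ip, port) for every decodable value."""
    findings = []
    for line in header_lines:
        m = SET_COOKIE_RE.match(line.strip())
        if not m:
            continue
        decoded = decode_bigip_cookie(m.group(2))
        if decoded:
            findings.append((m.group(1),) + decoded)
    return findings


# Constructed sample response headers: one plaintext persistence cookie, one
# that has been encrypted (opaque), and an unrelated session cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: BIGipServerpool_web=1677787402.36895.0000; path=/",
    "Set-Cookie: BIGipServerpool_api=Yk9yM2xxN2VhZ2RzOXd2aA==; path=/",
    "Set-Cookie: JSESSIONID=9C3F1A2B; path=/; HttpOnly",
]
```

Running `audit_set_cookie_headers(SAMPLE_HEADERS)` against the constructed headers reports only the plaintext cookie, resolving to 10.1.1.100:8080; after enabling cookie encryption, a re-run against the live headers should report nothing.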