For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

jksingh_44237's avatar
jksingh_44237
Icon for Nimbostratus rankNimbostratus
Jan 04, 2010

The remote load balancer suffers from an information disclosure vulnerability at port 80 and 443

I am looking a solution for this issue.....   I have BIGIP (BIG-IP 9.3.1 Build 37.1)     Port http (tcp/80)   Synopsis :   The remote load balancer suffers from an i...
dev
devops
iControl
Hamish's avatar
Hamish
Icon for Cirrocumulus rankCirrocumulus
Jan 05, 2010
More thoughts...

 

 

There is also the possibility that someone could alter the information in the cookie to deliberately target a particular backend server without going through the correct load-balancing sequence for a user without a current session...

 

 

Which begs a question...

 

 

When the F5 receives a cookie for the poolmember, is it validated against the configured poolmembers? Or is it just used as it is? I'm raising a case on our F5 support contract to verify what happens here because it has implications on some work we're doing here too...

 

 

(I'm not sure if could be validated in a fast & scalable way. Because an iRule can over-ride the pool & poolmember being used [and more questions arise from this]. Unless the BigIP keeps a list of all pools and poolmembers it's ever used... But I could surmise forever on this one. Hopefully we can get a definitive answer - It's possible SOL9815 answers this already, but in a bit of a round-about manner).

 

 

Of course this would be all moot if the cookie value was opaque... (i.e. a key into a hash table that had the information in it)... But that isn't as scalable of course. Although is in theory safer than either un-encrypted or even encrypted cookies.