Forum Discussion
jksingh_44237
Nimbostratus
Jan 04, 2010

The remote load balancer suffers from an information disclosure vulnerability at port 80 and 443
I am looking for a solution for this issue...
I have BIGIP (BIG-IP 9.3.1 Build 37.1)
Port http (tcp/80)
Synopsis :
The remote load balancer suffers from an i...
Hamish
Cirrocumulus
Jan 05, 2010

I got an answer from F5...
Looks like the un-encrypted cookie is safe IF you're not performing 'Match Across Pools' or match across services (Or VS) for persistence... if you are, then the rules change somewhat.
Match across service or match across VS will let an attacker alter the port specified by the poolmember. Match across pools is more open. The attacker can specify any poolmember they like (I'm paraphrasing what F5 told me).
Hmm... Inherently unsafe in certain situations... (i.e. your secure website can be compromised by an insecure config on a non-secure VS). I've requested a CR to change the default behaviour to encrypting all persistence cookies and a SOL note to ensure people know about it...
H
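One way an operator can check from the outside whether a virtual server is still handing out unencrypted persistence cookies, and which pool member IP and port each one exposes, is to decode the cookie values the way the documented BIG-IP cookie persistence encoding defines them: the value `<ip>.<port>.0000`, where `<ip>` is the IPv4 address as a little-endian 32-bit decimal and `<port>` is the TCP port as a little-endian 16-bit decimal. The script below is an added example written for this thread, not code from the original posts or from F5; the cookie names, the `Set-Cookie` lines and the opaque sample value are constructed for illustration.

```python
import ipaddress
import re
import struct

# Unencrypted BIG-IP persistence cookie value: "<ip>.<port>.0000", with the
# IPv4 address stored as a little-endian 32-bit decimal and the port as a
# little-endian 16-bit decimal (F5's documented cookie persistence encoding).
PLAINTEXT_RE = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")

# Constructed Set-Cookie header values (not captured from a real device).
SAMPLE_SET_COOKIE = [
    "BIGipServerpool_web=1677787402.36895.0000; path=/",
    "BIGipServerpool_ssl=4278190090.47873.0000; path=/; secure",
    "BIGipServerpool_app=!2X7mZ9vQ1kLpRsT3hM8nB6cD4eF0gH1jK5lN7oP2q=; path=/",
    "JSESSIONID=abc123; path=/",
]


def decode_plaintext_cookie(value):
    """Return (ip, port) if value is an unencrypted persistence cookie, else None."""
    m = PLAINTEXT_RE.match(value)
    if not m:
        return None
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None
    # Little-endian 32-bit integer -> dotted-quad IPv4 address.
    ip = str(ipaddress.IPv4Address(struct.pack("<I", ip_int)))
    # Little-endian 16-bit integer -> host-order TCP port.
    port = struct.unpack(">H", struct.pack("<H", port_int))[0]
    return ip, port


def audit_set_cookie_headers(headers):
    """Classify every BIGipServer* cookie as plaintext (decodable) or opaque.

    A plaintext finding is the condition the thread is about: the member
    address and port are readable (and, with match-across settings, alterable)
    by the client. An opaque value is what an encrypted cookie looks like.
    """
    findings = []
    for header in headers:
        name_value = header.split(";", 1)[0].strip()
        if "=" not in name_value:
            continue
        name, value = name_value.split("=", 1)
        if not name.startswith("BIGipServer"):
            continue
        decoded = decode_plaintext_cookie(value)
        findings.append({
            "cookie": name,
            "pool": name[len("BIGipServer"):],
            "plaintext": decoded is not None,
            "member": "%s:%d" % decoded if decoded else None,
        })
    return findings


if __name__ == "__main__":
    for f in audit_set_cookie_headers(SAMPLE_SET_COOKIE):
        state = "PLAINTEXT -> %s" % f["member"] if f["plaintext"] else "opaque"
        print("%-28s pool=%-10s %s" % (f["cookie"], f["pool"], state))
```

Feed it the `Set-Cookie` headers from a response of each virtual server you care about. Any finding reported as plaintext means the cookie still carries the member address and port in the clear, so the match-across caveat from the F5 answer above applies to that VS until the persistence cookies are encrypted, after which the values show up as opaque.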