f5 big-ip_access_policy_manager 信息暴露

CVE编号

CVE-2013-3587

利用情况

暂无

补丁情况

N/A

披露时间

2020-02-22

漏洞描述

The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
http://breachattack.com/
http://github.com/meldium/breach-mitigation-rails
http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407
http://slashdot.org/story/13/08/05/233216
http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf
http://www.kb.cert.org/vuls/id/987798
https://bugzilla.redhat.com/show_bug.cgi?id=995168
https://hackerone.com/reports/254895
https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a3430...
https://support.f5.com/csp/article/K14634
https://www.blackhat.com/us-13/briefings.html#Prado
https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	f5	arx	*	From (including) 5.0.0	Up to (including) 5.3.1
	运行在以下环境
	应用	f5	arx	*	From (including) 6.0.0	Up to (including) 6.4.0
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 10.1.0	Up to (including) 10.2.4
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 11.0.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_access_policy_manager	13.0.0	-
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 11.3.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_advanced_firewall_manager	13.0.0	-
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 11.0.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_analytics	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_analytics	13.0.0	-
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 11.4.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_application_acceleration_manager	13.0.0	-
	运行在以下环境
	应用	f5	big-ip_application_security_manager	*	From (including) 10.0.0	Up to (including) 10.2.4
	运行在以下环境
	应用	f5	big-ip_application_security_manager	*	From (including) 11.0.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_application_security_manager	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_application_security_manager	*	From (including) 9.2.0	Up to (including) 9.4.8
	运行在以下环境
	应用	f5	big-ip_application_security_manager	13.0.0	-
	运行在以下环境
	应用	f5	big-ip_edge_gateway	*	From (including) 10.1.0	Up to (including) 10.2.4
	运行在以下环境
	应用	f5	big-ip_edge_gateway	*	From (including) 11.0.0	Up to (including) 11.3.0
	运行在以下环境
	应用	f5	big-ip_link_controller	*	From (including) 10.0.0	Up to (including) 10.2.4
	运行在以下环境
	应用	f5	big-ip_link_controller	*	From (including) 11.0.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_link_controller	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_link_controller	*	From (including) 9.2.2	Up to (including) 9.4.8
	运行在以下环境
	应用	f5	big-ip_link_controller	13.0.0	-
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 10.0.0	Up to (including) 10.2.4
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 11.0.0	Up to (including) 11.6.1
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 12.0.0	Up to (including) 12.1.2
	运行在以下环境
	应用	f5	big-ip_local_traffic_manager	*	From (including) 9.0.0	Up to (including) 9.6.1
	运行在以下环境
应用	f5	big-ip_local_traffic_manager	13.0.0	-
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 11.3.0	Up to (including) 11.6.1
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	*	From (including) 12.0.0	Up to (including) 12.1.2
运行在以下环境
应用	f5	big-ip_policy_enforcement_manager	13.0.0	-
运行在以下环境
应用	f5	big-ip_protocol_security_module	*	From (including) 10.0.0	Up to (including) 10.2.4
运行在以下环境
应用	f5	big-ip_protocol_security_module	*	From (including) 11.0.0	Up to (including) 11.4.1
运行在以下环境
应用	f5	big-ip_protocol_security_module	*	From (including) 9.4.5	Up to (including) 9.4.8
运行在以下环境
应用	f5	big-ip_wan_optimization_manager	*	From (including) 10.0.0	Up to (including) 10.2.4
运行在以下环境
应用	f5	big-ip_wan_optimization_manager	*	From (including) 11.0.0	Up to (including) 11.3.0
运行在以下环境
应用	f5	big-ip_webaccelerator	*	From (including) 10.0.0	Up to (including) 10.2.4
运行在以下环境
应用	f5	big-ip_webaccelerator	*	From (including) 11.0.0	Up to (including) 11.3.0
运行在以下环境
应用	f5	big-ip_webaccelerator	*	From (including) 9.4.0	Up to (including) 9.4.8
运行在以下环境
应用	f5	firepass	*	From (including) 6.0.0	Up to (including) 6.1.0
运行在以下环境
应用	f5	firepass	7.0.0	-

攻击路径网络
攻击复杂度高
权限要求无
影响范围未更改
用户交互无
可用性无
保密性高
完整性无

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CWE-ID 漏洞类型 CWE-200 信息暴露

正文

f5 big-ip_access_policy_manager 信息暴露

漏洞描述

解决建议

参考链接

受影响软件情况

相关阅读

IBM Jazz Reporting Service-Rational-CLM安全绕过管理任务执行漏洞

IBM Jazz Reporting Service up to 5.0.2/6.0.0 Report Builder 跨站脚本攻击

IBM InfoSphere Master Data Management up to 11.4.0.4 GDS 跨站脚本攻击

IBM Tivoli Federated Identity Manager up to 6.2.2 FP15 跨站脚本攻击

发表评论取消回复

还没有评论，来说两句吧...

目录[+]