Vulnerability Description
The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle attackers to obtain plaintext secret values by observing length differences during a series of guesses in which a string in an HTTP request URL potentially matches an unknown string in an HTTP response body, aka a "BREACH" attack, a different issue than CVE-2012-4929.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| F5 | Big-Ip Access Policy Manager | >= 10.1.0, <= 10.2.4 |
| F5 | Big-Ip Advanced Firewall Manager | >= 11.3.0, <= 11.6.1 |
| F5 | Big-Ip Analytics | >= 11.0.0, <= 11.6.1 |
| F5 | Big-Ip Application Acceleration Manager | >= 11.4.0, <= 11.6.1 |
| F5 | Big-Ip Application Security Manager | >= 9.2.0, <= 9.4.8 |
| F5 | Big-Ip Edge Gateway | >= 10.1.0, <= 10.2.4 |
| F5 | Big-Ip Link Controller | >= 9.2.2, <= 9.4.8 |
| F5 | Big-Ip Local Traffic Manager | >= 9.0.0, <= 9.6.1 |
| F5 | Big-Ip Policy Enforcement Manager | >= 11.3.0, <= 11.6.1 |
| F5 | Big-Ip Protocol Security Module | >= 9.4.5, <= 9.4.8 |
| F5 | Big-Ip Wan Optimization Manager | >= 10.0.0, <= 10.2.4 |
| F5 | Big-Ip Webaccelerator | >= 9.4.0, <= 9.4.8 |
| F5 | Firepass | >= 6.0.0, <= 6.1.0 |
| F5 | Arx | >= 5.0.0, <= 5.3.1 |
Related Weaknesses (CWE)
References
- http://breachattack.com/Third Party Advisory
- http://github.com/meldium/breach-mitigation-railsThird Party Advisory
- http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407ExploitThird Party Advisory
- http://slashdot.org/story/13/08/05/233216Third Party Advisory
- http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdfThird Party Advisory
- http://www.kb.cert.org/vuls/id/987798Third Party AdvisoryUS Government Resource
- https://bugzilla.redhat.com/show_bug.cgi?id=995168Issue TrackingThird Party Advisory
- https://hackerone.com/reports/254895ExploitThird Party Advisory
- https://lists.apache.org/thread.html/r7f0e9cfd166934172d43ca4c272b8bdda4a3430362
- https://support.f5.com/csp/article/K14634Third Party Advisory
- https://www.blackhat.com/us-13/briefings.html#PradoThird Party Advisory
- https://www.djangoproject.com/weblog/2013/aug/06/breach-and-django/Third Party Advisory
- http://breachattack.com/Third Party Advisory
- http://github.com/meldium/breach-mitigation-railsThird Party Advisory
- http://security.stackexchange.com/questions/20406/is-http-compression-safe#20407ExploitThird Party Advisory
FAQ
What is CVE-2013-3587?
CVE-2013-3587 is a vulnerability with a CVSS score of 5.9 (MEDIUM). The HTTPS protocol, as used in unspecified web applications, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which makes it easier for man-in-the-middle at...
How severe is CVE-2013-3587?
CVE-2013-3587 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2013-3587?
Check the references section above for vendor advisories and patch information. Affected products include: F5 Big-Ip Access Policy Manager, F5 Big-Ip Advanced Firewall Manager, F5 Big-Ip Analytics, F5 Big-Ip Application Acceleration Manager, F5 Big-Ip Application Security Manager.