F5 BIG-IP HTTP Pipelining OneConnect Information Leakage Vulnerability
BID:12464
Info
| Bugtraq ID: | 12464 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 07 2005 12:00AM |
| Updated: | Feb 07 2005 12:00AM |
| Credit: | The discoverer of this vulnerability is not known. |
| Vulnerable: | F5 BIG-IP Blade Controller 4.6.2; F5 BIG-IP Blade Controller 4.6; F5 BIG-IP Blade Controller 4.2.3 PTF-01; F5 BIG-IP Blade Controller 4.2.1; F5 BIG-IP 4.6.2; F5 BIG-IP 4.6; F5 BIG-IP 4.5.11; F5 BIG-IP 4.5.10; F5 BIG-IP 4.5.9; F5 BIG-IP 4.5.6; F5 BIG-IP 4.5; F5 BIG-IP 4.4; F5 BIG-IP 4.3; F5 BIG-IP 4.2 |
| Not Vulnerable: | |
Discussion
The F5 BIG-IP appliance is reported prone to an information leakage vulnerability. It is reported that the vulnerability is triggered when a browser that is using HTTP pipelining is employed to request a web page from a web server that is being load-balanced by a BIG-IP appliance.
It is not believed that a remote attacker will be able to control the behavior of the affected appliance during a pipelined request; as a result, it is conjectured that this vulnerability may be exploited to trigger a partial denial of service. Additionally, a successful attack may result in the disclosure of potentially sensitive information to unauthorized users.
This vulnerability is reported to affect BIG-IP versions 4.0 through 4.6.2 and BIG-IP Blade Controller versions 4.2.1 through 4.6.2 that have the 'OneConnect/Web Aggregation' functionality enabled.
Exploit / POC
No exploit is required.
Solution / Fix
Solution:
The vendor has released an advisory and fixes to address this vulnerability. The advisory can be found at the following location:
http://tech.f5.com/home/bigip/solutions/security/sol4152.html
Customers are advised to peruse the aforementioned advisory for further details regarding obtaining and applying an appropriate fix. A valid account is required to access the advisory.
References
References:
- BigIP Product Information (F5 Software)
- Firefox PSA (Joe - Firefox PSA)