• IDP Daily Update #1375
  posted: 02/27/09
  
• NSM Daily Update #1375
  posted: 02/27/09
  
• Deep Inspection 5.3r5 and above, 5.4, 6.0 #1375
  posted: 02/27/09
  
• Deep Inspection 5.1, 5.2, 5.3r4 and below #1361
  posted: 02/27/09
  
• Deep Inspection 5.0 #1132
  posted: 04/01/08
  
• Antivirus
  posted: 02/26/09

Text Size:        

• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: F5 BIG-IP HTTP Pipelining OneConnect Information Leakage Vulnerability

Severity: HIGH

Description:

F5 BIG-IP is an appliance that provides a high-availability load balancing service.

The F5 BIG-IP appliance is reported prone to an information leakage vulnerability. It is reported that the vulnerability is triggered when a browser that is using HTTP pipelining is employed to request a web page from a web server that is being load-balanced by a BIG-IP appliance.

HTTP pipelining is a method where multiple HTTP requests may be sent to a HTTP server without waiting for responses corresponding to each individual request.

It is reported that when a 'keep-alive' session is negotiated under the aforementioned conditions or a virtual server configured to use a delayed binding feature (i.e. rule, cookie persistence, or header modification) is employed, data from sessions may be served to incorrect clients. This will result in the corruption of the active session and potentially a loss of sensitive data as web content from a session may be served to a client that did not make the original request.

It is not believed that a remote attacker will be able to control the behavior of the affected appliance during a pipelined request, as a result it is conjectured that this vulnerability may be exploited to trigger a partial denial of service. Additionally, a successful attack may result in a disclosure of potentially sensitive information to unauthorized users.

This vulnerability is reported to affect BIG-IP versions 4.0 through 4.6.2 and BIG-IP Blade Controller versions 4.2.1 through 4.6.2, that have 'OneConnect/Web Aggregation' functionality enabled.

Affected Products:

• F5 BIG-IP Blade Controller 4.2.1
• F5 BIG-IP Blade Controller 4.2.3 PTF-01
• F5 BIG-IP Blade Controller 4.6.0
• F5 BIG-IP Blade Controller 4.6.2
• F5 BigIP 4.2.0
• F5 BigIP 4.3.0
• F5 BigIP 4.4.0
• F5 BigIP 4.5.0
• F5 BigIP 4.5.10
• F5 BigIP 4.5.11
• F5 BigIP 4.5.6
• F5 BigIP 4.5.9
• F5 BigIP 4.6.0
• F5 BigIP 4.6.2

References:

• F5 Software: BigIP Product Information
• Joe - Firefox PSA: Firefox PSA