[Security] BREACH vulnerability is not mitigated in default configuration
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Nginx | Confirmed | Medium | Unassigned | |
| nginx (Debian) | Fix Released | Unknown | | |
| nginx (Ubuntu) | Confirmed | Undecided | Unassigned | |
Bug Description
The BREACH vulnerability (http://
Details on the BREACH vulnerability are available at the link above. HTTP level compression served over a TLS connection is vulnerable to the same attack as CRIME, but without the TLS-level compression.
In Vivid, and likely the older variants of Ubuntu, this is easily mitigated by changing `gzip on;` in the nginx.conf file to `gzip off;` which disables `gzip` compression except where overridden later by sites' configurations.
This impacts Ubuntu, the PPAs, and Debian as well. (I will likely upstream this to Debian tomorrow, but will add the Nginx tracker here on Launchpad for the PPAs)
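As an added illustration (not configuration from the bug report, the Debian packaging, or the nginx project), the following nginx.conf fragments put the default `gzip on;` next to the mitigated form described in the report: compression off at the `http` level and re-enabled only for a location that serves public static assets carrying no per-user secrets. The hostname, the backend address, the `/static/` path and the content types are assumptions.

```nginx
# Added example, not from the bug report. Hostnames and paths are assumptions.

# BEFORE: the packaged default enables compression for every response.
# Any TLS response that mixes a secret (session id, CSRF token) with
# attacker-influenced input is then compressed, which is the BREACH condition.
http {
    gzip on;

    server {
        listen 443 ssl;
        server_name example.com;          # assumed hostname
        location / {
            proxy_pass http://127.0.0.1:8080;   # assumed application backend
        }
    }
}

# AFTER: compression off by default; a site re-enables it only where the
# response cannot contain a secret. This is the "overridden later by sites'
# configurations" case from the report.
http {
    gzip off;

    server {
        listen 443 ssl;
        server_name example.com;          # assumed hostname

        # Dynamic responses (sessions, tokens, user data) stay uncompressed.
        location / {
            proxy_pass http://127.0.0.1:8080;   # assumed application backend
        }

        # Public, user-independent assets: compressing these reveals nothing
        # that could not be fetched directly without a session.
        location /static/ {
            root /var/www/example;        # assumed document root
            gzip on;
            gzip_types text/css application/javascript image/svg+xml;
        }
    }
}
```

Check the effective setting per location with `nginx -T`, which prints the merged configuration; a `gzip on;` inherited from the `http` block into a location that serves authenticated dynamic content is the case the report is about.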
CVE References
- Changed in nginx: importance: Undecided → High
- Changed in nginx: importance: High → Medium
- Changed in nginx (Debian): status: Unknown → New
- Changed in nginx (Ubuntu): status: New → Confirmed
- Changed in nginx (Debian): status: New → Fix Committed
- Changed in nginx: status: New → Confirmed
- Changed in nginx (Debian): status: Fix Committed → Fix Released
Additional notes:
Disabling HTTP-level compression by default is not a decent option for solving this. Mitigation is mostly at the application level, then; however, there are third-party modules that can be included (in the Universe binaries) which would add length hiding as a potential mitigation method.
A more detailed description of this whole issue can be found here on my blog, describing what BREACH is and possible mitigation methods. It also provides three possible mitigation methods: one which can be done already by default, one which can be done at the application level, and one which can be done with a separate module. http://dark-net.net/?p=49 is the blog post. (aggregated on planet.ubuntu.com)