【发布时间】:2012-12-21 21:44:15
【问题描述】:
我有一个客户端正在运行 PCI 合规性扫描并获得以下结果:
BEAST (Browser Exploit Against SSL/TLS) Vulnerability
The SSL protocol encrypts data by using CBC mode with chained
initialization vectors. This allows an attacker, which is has gotten
access to an HTTPS session via man-in-the-middle (MITM) attacks or other means, to obtain plain text HTTP headers via
a blockwise chosen-boundary attack (BCBA) in conjunction with
Javascript code that uses the HTML5 WebSocket API, the Java
URLConnection API, or the Silverlight WebClient API. This
vulnerability is more commonly referred to as Browser Exploit Against
SSL/TLS or "BEAST".
CVE: CVE-2011-3389
NVD: CVE-2011-3389
Bugtraq: 49778
CVSSv2: AV:N/AC:M/Au:N/C:P/I:N/A:N(4.30)
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=665814,
http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslciphersuite,
http://technet.microsoft.com/en-us/security/bulletin/ms12-006
Service: http
Evidence:
Cipher Suite: SSLv3 : DES-CBC3-SHA
Cipher Suite: SSLv3 : RC4-SHA
Cipher Suite: SSLv3 : RC4-MD5
Cipher Suite: TLSv1 : AES256-SHA
Cipher Suite: TLSv1 : AES128-SHA
Cipher Suite: TLSv1 : DES-CBC3-SHA
Cipher Suite: TLSv1 : RC4-SHA
Cipher Suite: TLSv1 : RC4-MD5
他们的网站托管在 Windows Azure 上;由于这些服务器是托管的,有没有推荐的方法来填补这个漏洞?
【问题讨论】:
-
stackoverflow.com/questions/11167152/… - 推荐的方法是不在 Azure 上托管需要 PCI 合规性的内容。
-
嗯,嗯,这很有帮助。谢谢!
标签: azure