We have Exchange 2013 CU5 servers in our environment on which CVE-2012-4929 was identified. Shall we implement the solution below?
SSL/TLS Compression Algorithm Information Leakage Vulnerability
Solution:
Compression algorithms should be disabled. The method of disabling them varies depending on the application you are running. If you are using a hardware device or software not listed here, you will need to check the manual or vendor support options.

- IIS: SSL compression is referred to as HTTP compression. It can be disabled from IIS configuration -> Web Site -> Properties -> Service (tab); the HTTP Compression checkboxes need to be turned off.
- Red Hat systems with zlib compression: setting the OPENSSL_NO_DEFAULT_ZLIB environment variable disables zlib compression support. Further details can be found under Red Hat Bugzilla 857051 (https://bugzilla.redhat.com/show_bug.cgi?id=857051#c5).
- Other HTTP servers: check the vendor's documentation on how to disable SSL compression.

Best practices for SSL/TLS deployment can be found at Qualys SSL Labs (https://www.ssllabs.com/).
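Before changing any setting, it is worth confirming on the wire what the scanner reported: CVE-2012-4929 (CRIME) is about TLS-level compression negotiated in the handshake, which is a different thing from the HTTP response compression the IIS step above refers to, and Windows SChannel (which Exchange and IIS use for TLS) does not implement TLS compression at all. The following shell snippet is an added example, not part of the original post or the scanner's solution text; it asks `openssl s_client` to offer compression and classifies the session it gets back. The host name is a hypothetical placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): confirm whether a TLS endpoint
# actually negotiates TLS compression (CVE-2012-4929) before touching server config.
# The host name used in the usage line is a hypothetical placeholder.

# Classify `openssl s_client` output passed in $1.
# Returns 0 when a compression method was negotiated (finding confirmed),
#         1 when the session reports "Compression: NONE" (finding not reproducible),
#         2 when no Compression line is present (handshake failed or output truncated).
tls_compression_enabled() {
    out="$1"
    # s_client prints "Compression: zlib compression" after the handshake, and the
    # SSL-Session block may add "Compression: 1 (zlib compression)"; both count.
    if printf '%s\n' "$out" | grep -qiE '^[[:space:]]*Compression:.*(zlib|deflate)'; then
        return 0
    fi
    if printf '%s\n' "$out" | grep -qiE '^[[:space:]]*Compression:[[:space:]]*NONE'; then
        return 1
    fi
    return 2
}

# Probe a live host. -comp makes the client offer compression in the ClientHello;
# current OpenSSL builds never offer it by default, so without -comp a server that
# still supports it would look clean.
probe_tls_compression() {
    host="$1"
    port="${2:-443}"
    session=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" -comp 2>/dev/null)
    if tls_compression_enabled "$session"; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo "$host:$port negotiates TLS compression: finding confirmed" ;;
        1) echo "$host:$port reports Compression: NONE: TLS compression not in use" ;;
        *) echo "$host:$port returned no session data (handshake failed?)" ;;
    esac
    return $rc
}

# Usage: sh check_tls_comp.sh mail.example.com 443   (hypothetical host)
if [ -n "${1:-}" ]; then
    probe_tls_compression "$1" "${2:-443}"
fi
```

If the probe reports `Compression: NONE` against every Exchange server, the finding is not reproducible on those hosts and the IIS HTTP-compression change would not address CVE-2012-4929 in any case; if it reports a negotiated method, the server-side TLS stack (not IIS's HTTP compression) is what needs fixing, which on Red Hat is the OPENSSL_NO_DEFAULT_ZLIB setting quoted above.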