
TicketBleed (CVE-2016-9244) (F5 BIG-IP) - 0x0
http://ticketbleed.com/
======
problems
Maybe I'm just a cynic, but do we really need cute exploit names for something
that only affects a quite small number of companies as they must be using an
F5 BIG-IP device?

~~~
jfindley
F5 Big-IP devices are the market leader in commercial load balancing
appliances. I think you rather underestimate the impact. I'm not making any
judgement on the branding, there are pros and cons to this approach, but it's
certainly something that's going to cause a lot of people pain.

~~~
problems
In the Alexa top 1M there were fewer than 1000 sites.

And sites smaller than that top 1M are even less likely to be using it.

I don't find that a very large impact personally. F5 knows who their customers
are and can easily contact them.

We don't need a big media panic blitz and dedicated domain name for this.

Fact of the matter is SSL accelerators just aren't all that popular now: SSL
got cheaper with session resumption and newer ciphers, CPUs got fast and got
accelerated instructions for AES, and all but a few people just use CDNs when
their needs go beyond that.

~~~
tyingq
These days, the F5 is valued more for its intelligent load balancing than for
the SSL offload. The SSL termination is there more for being able to view the
request details / payload (for load balancing, app level routing, credit card
tokenization, etc) than to specifically offload the crypto work. It's fairly
common, in fact, for the downstream services to also be SSL.

------
koolba
PSA: This is _not_ OpenSSL (yay!)

> It is similar in spirit and implications to the well known Heartbleed
> vulnerability. It is different in that it exposes 31 bytes at a time instead
> of 64k, requiring more rounds to carry out an attack, and in that it affects
> the proprietary F5 TLS stack, not OpenSSL.

------
tk427
It shouldn't be overlooked that being at risk from this vulnerability requires a
non-default option to be enabled. Said another way, by default the option that
would put you at risk is disabled; only if you have manually enabled it would
you be at risk.

