• Hi, Pleskians! We are running a UX testing of our upcoming product intended for server management and monitoring.
    We would like to invite you to have a call with us and have some fun checking our prototype. The agenda is pretty simple - we bring new design and some scenarios that you need to walk through and succeed. We will be watching and taking insights for further development of the design.
    If you would like to participate, please use this link to book a meeting. We will sent the link to the clickable prototype at the meeting.
  • (Plesk for Windows):
    MySQL Connector/ODBC 3.51, 5.1, and 5.3 are no longer shipped with Plesk because they have reached end of life. MariaDB Connector/ODBC 64-bit 3.2.4 is now used instead.
  • Our UX team believes in the in the power of direct feedback and would like to invite you to participate in interviews, tests, and surveys.
    To stay in the loop and never miss an opportunity to share your thoughts, please subscribe to our UX research program. If you were previously part of the Plesk UX research program, please re-subscribe to continue receiving our invitations.
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Question Are Plesk servers susceptible to TLS BREACH attacks? (cve-2013-3587)

M

Mark_NLD

Basic Pleskian
Server operating system version
Ubuntu 22.04
Plesk version and microupdate number
18.0.66 Update #2
Hello everyone,

A well known vulnerability scanner reported that our Plesk server (Ubuntu 22, Obsidian 18.0.66 Update #2) is vulnerable for TLS BREACH attacks (cve-2013-3587).
The vulnerability scanner checks if the remote web server has HTTP compression enabled and if it does report the vulnerability. But even with HTTP compression enabled the web application hosted on the web server might not be vulnerable.

Should I disable HTTP compression on all our Plesk servers? Or has Plesk mitigated this thread in another way?

Looking forward to your feedback!

Regards,
Mark
 
Those would fall under Nginx and Apache, and Plesk does a good job at making sure that the versions is pretty up to date. Considering the age of the vulnerability it's safe to assume that as long as you've been keeping plesk up to date then apache and nginx would be up to date as well which would had patched it out assuming it was vulnerable to begin with.

Also I've been reading up on it and I've read that a good number of vulnerability scanners would still report that vulnerability just because you have compression enabled (like you've mention).
 
You must log in or register to reply here.

Similar threads

Kulturmensch
Question Massive Brute-Force Attacks on Plesk Panel – Looking for Additional Protection Measures
Replies
15
Views
1K
Franky H
F
E
Issue PHP Chankro DOS attack
Replies
1
Views
1K
HHawk
HHawk
P
Question Drupal CMS 1.0 with Plesk: Composer PATH issue for automatic updates
Replies
5
Views
824
zed_den
Z
Daerik
Issue Error Upgrading Plesk Obsidian 18.0.63 to 18.0.64: HTTPS Error 404 - Not Found (MaxScale Repo)
Replies
6
Views
2K
Daerik
Daerik
B
Issue High latency, unreliable performance & 522 errors on a Plesk server that ran fine for 6+ months
Replies
8
Views
1K
HHawk
HHawk
Back
Top