
Question: Are Plesk servers susceptible to TLS BREACH attacks? (CVE-2013-3587)

Mark_NLD (Basic Pleskian)

Server operating system version: Ubuntu 22.04
Plesk version and microupdate number: 18.0.66 Update #2
Hello everyone,

A well-known vulnerability scanner reported that our Plesk server (Ubuntu 22, Obsidian 18.0.66 Update #2) is vulnerable to TLS BREACH attacks (CVE-2013-3587).
The vulnerability scanner checks whether the remote web server has HTTP compression enabled and, if it does, reports the vulnerability. But even with HTTP compression enabled, the web application hosted on the web server might not be vulnerable.

Should I disable HTTP compression on all our Plesk servers? Or has Plesk mitigated this threat in another way?

Looking forward to your feedback!

Regards,
Mark
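As an added example (not from this thread, and not Plesk's own code), here is a small Python triage helper that does what the scanner does, checking the response for an HTTP-level Content-Encoding, and then applies the two further conditions a BREACH finding needs before it matters for a given page: the compressed response must reflect something from the request, and it must carry a secret such as a CSRF token. The marker string, the secret regex and the sample responses are all constructed inputs of mine; `probe()` is a hypothetical usage helper that assumes you have placed the marker in the URL's query string yourself.

```python
import gzip
import re
import urllib.request
from dataclasses import dataclass


@dataclass
class Response:
    """Minimal view of an HTTP response: lower-cased header names, raw body."""
    headers: dict
    body: bytes


def is_http_compressed(headers):
    """The scanner's own check: does the response carry an HTTP-level
    Content-Encoding? (TLS-level compression, i.e. CRIME, is a separate matter.)"""
    enc = headers.get("content-encoding", "").lower()
    return any(tok.strip() in ("gzip", "x-gzip", "deflate", "br") for tok in enc.split(","))


def decoded_body(resp):
    """Return the body as text; only gzip is decoded here, other encodings
    are left as-is (the regex below then simply finds nothing)."""
    enc = resp.headers.get("content-encoding", "").lower().strip()
    raw = gzip.decompress(resp.body) if enc in ("gzip", "x-gzip") else resp.body
    return raw.decode("utf-8", "replace")


def breach_assessment(resp, marker, secret_re):
    """Combine the three preconditions: compressed, reflects request input
    (the caller's marker), and contains a secret matching secret_re."""
    body = decoded_body(resp)
    compressed = is_http_compressed(resp.headers)
    reflects = marker in body
    has_secret = re.search(secret_re, body) is not None
    return {
        "compressed": compressed,
        "reflects_input": reflects,
        "has_secret": has_secret,
        # a scanner stops at the first flag; the finding matters only with all three
        "at_risk": compressed and reflects and has_secret,
    }


def probe(url, timeout=10):
    """Fetch a URL asking for gzip, without transparent decompression, so the
    headers show what the server really did. Put your marker in the URL's
    query string before calling. Hypothetical usage helper, not exercised offline."""
    req = urllib.request.Request(
        url, headers={"Accept-Encoding": "gzip", "User-Agent": "breach-triage-check"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as r:
        headers = {k.lower(): v for k, v in r.headers.items()}
        return Response(headers=headers, body=r.read())


# --- constructed sample responses (not captured from any real server) ---
MARKER = "canary123"
CSRF_RE = r'name="csrf_token" value="[0-9a-f]{32}"'

_dynamic_html = (
    "<html><body>"
    '<form><input type="hidden" name="csrf_token" '
    'value="0123456789abcdef0123456789abcdef"></form>'
    f"<p>Search results for: {MARKER}</p>"
    "</body></html>"
)
SAMPLE_DYNAMIC = Response(
    headers={"content-type": "text/html", "content-encoding": "gzip"},
    body=gzip.compress(_dynamic_html.encode()),
)
SAMPLE_STATIC = Response(
    headers={"content-type": "text/css", "content-encoding": "gzip"},
    body=gzip.compress(b"body { margin: 0; }"),
)
SAMPLE_UNCOMPRESSED = Response(
    headers={"content-type": "text/html"},
    body=_dynamic_html.encode(),
)

if __name__ == "__main__":
    for name, sample in [("dynamic", SAMPLE_DYNAMIC), ("static", SAMPLE_STATIC),
                         ("uncompressed", SAMPLE_UNCOMPRESSED)]:
        print(name, breach_assessment(sample, MARKER, CSRF_RE))
```

The point of the three-way split is that the scanner's single check (compression on) makes every gzip-served stylesheet look as bad as a logged-in page that echoes a search term next to a CSRF token. Where a page does come back at risk, the fix can be scoped to that dynamic response (in nginx, `gzip off;` for the relevant location; in Apache, leaving mod_deflate off for it) rather than turning compression off server-wide, since static assets without secrets gain nothing from the change. Plesk lets you add such per-domain Apache and nginx directives under the domain's Apache & nginx Settings.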
 
Those would fall under Nginx and Apache, and Plesk does a good job at making sure that the versions are pretty up to date. Considering the age of the vulnerability, it's safe to assume that as long as you've been keeping Plesk up to date, then Apache and Nginx would be up to date as well, which would have patched it out, assuming it was vulnerable to begin with.

Also, I've been reading up on it and I've read that a good number of vulnerability scanners would still report that vulnerability just because you have compression enabled (like you've mentioned).
 