
Question: Are Plesk servers susceptible to TLS BREACH attacks? (CVE-2013-3587)

Mark_NLD

Basic Pleskian
Server operating system version
Ubuntu 22.04
Plesk version and microupdate number
18.0.66 Update #2
Hello everyone,

A well-known vulnerability scanner reported that our Plesk server (Ubuntu 22, Obsidian 18.0.66 Update #2) is vulnerable to TLS BREACH attacks (CVE-2013-3587).
The vulnerability scanner checks whether the remote web server has HTTP compression enabled and, if it does, reports the vulnerability. But even with HTTP compression enabled, the web application hosted on the web server might not be vulnerable.

Should I disable HTTP compression on all our Plesk servers? Or has Plesk mitigated this threat in another way?

Looking forward to your feedback!

Regards,
Mark
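The scanner heuristic described in the question (flag any response served with HTTP compression) is looser than the actual BREACH preconditions, which also need the response to contain a secret and to echo attacker-controlled request input. The triage below is an added example, not code from the thread or from Plesk; the response samples are constructed, and the secret patterns and the `HttpResponse` shape are assumptions.

```python
"""Triage a BREACH (CVE-2013-3587) scanner finding for one HTTP response.

Added example, not from the forum thread. A compressed static page trips
the scanner's Content-Encoding check but lacks the other two BREACH
preconditions (a secret in the body, reflected request input), so it is
reported as a likely false positive rather than an actionable finding.
"""
import re
from dataclasses import dataclass, field


@dataclass
class HttpResponse:
    headers: dict                                    # lowercase name -> value
    body: str                                        # decompressed body text
    query_params: dict = field(default_factory=dict)  # request input seen by the app


# Assumed patterns for secrets that commonly sit in HTML bodies (CSRF tokens,
# bearer tokens); extend for the application actually being assessed.
SECRET_PATTERNS = [
    re.compile(r'name=["\']?(csrf|_token|authenticity_token)["\']?\s+value=', re.I),
    re.compile(r"\bBearer\s+[A-Za-z0-9._-]{16,}"),
]


def scanner_heuristic(resp: HttpResponse) -> bool:
    """What the poster's scanner does: flag if the response is compressed."""
    enc = resp.headers.get("content-encoding", "")
    return any(e.strip() in ("gzip", "deflate", "br") for e in enc.split(","))


def triage_breach(resp: HttpResponse) -> str:
    """Classify a finding as not_affected, likely_false_positive or actionable."""
    if not scanner_heuristic(resp):
        return "not_affected"            # no compression, no length oracle
    has_secret = any(p.search(resp.body) for p in SECRET_PATTERNS)
    reflects = any(v and v in resp.body for v in resp.query_params.values())
    if has_secret and reflects:
        return "actionable"              # all three BREACH preconditions met
    return "likely_false_positive"       # compression alone is not enough


# Constructed samples: a gzip-served static page and a gzip-served search
# result page that echoes the query next to a CSRF token.
STATIC_PAGE = HttpResponse(
    headers={"content-type": "text/html", "content-encoding": "gzip"},
    body="<html><body><h1>Welcome</h1><p>Static marketing text.</p></body></html>",
)
SEARCH_PAGE = HttpResponse(
    headers={"content-type": "text/html", "content-encoding": "gzip"},
    body='<form><input type="hidden" name="csrf" value="a1b2c3d4e5f6"/>'
         "You searched for: plesk</form>",
    query_params={"q": "plesk"},
)
```

Disabling compression only for responses that triage as actionable (or serving secrets from uncompressed resources) removes the finding without giving up gzip on static assets.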
 
Those would fall under nginx and Apache, and Plesk does a good job at making sure that the versions are pretty up to date. Considering the age of the vulnerability, it's safe to assume that as long as you've been keeping Plesk up to date, then Apache and nginx would be up to date as well, which would have patched it out, assuming it was vulnerable to begin with.

Also, I've been reading up on it and I've read that a good number of vulnerability scanners would still report that vulnerability just because you have compression enabled (like you've mentioned).
 