Jun 2018 – SSL Forward Proxy vulnerability (CVE-2018-5527)

Data privacy is the first priority in the cyber world, so today's Internet connectivity relies heavily on SSL certificates: SSL VPN, PKI, SSL web servers, and so on. A popular web portal receives a large number of connections per second, and the popular solution is TCP (SSL) offload: install the SSL server certificate not on the web server itself but on the device in front of it, that is, the load balancer. Even with offload in place, a fundamental limitation remains: SSL connections consume about twice as much memory as HTTP layer 7 connections, and four times as much memory as layer 4 connections through a TCP proxy. Meanwhile, a huge number of SSL sessions held in the cache during a full garbage collection appears to delay the release of a lock owned by an I/O thread, leaving the other I/O threads BLOCKED.

F5 has now resolved their SSL Forward Proxy vulnerability (CVE-2018-5527). See below:

https://support.f5.com/csp/article/K20134942

But I believe this is not an easy ending to the story, because of the following factors!

1. A huge number of SSL sessions held in the cache during a full garbage collection appears to delay the release of a lock owned by an I/O thread, leaving the other I/O threads BLOCKED.

2. SSL connections consume about twice as much memory as HTTP layer 7 connections, and four times as much memory as layer 4 connections through a TCP proxy.