ASA-202105-11 - log

ASA-202105-11 edited at 20 May 2021 18:09:12
Workaround
- - CVE-2021-32917 can be mitigated by configuring 'proxy65_acl' to a list of XMPP domains that should be allowed to use the file transfer proxy.
+ - CVE-2021-32917 can be mitigated by configuring 'proxy65_acl' to a
+ list of XMPP domains that should be allowed to use the file transfer
+ proxy.
- - CVE-2021-32918 can be partly mitigated using stricter settings for stanza size limits, rate limits and garbage collection parameters, see the referenced upstream advisory for more details.
+ - CVE-2021-32918 can be partly mitigated using stricter settings for
+ stanza size limits, rate limits and garbage collection parameters, see
+ the referenced upstream advisory for more details.
- - CVE-2021-32919 can be mitigated by removing or disabling the ‘dialback_without_dialback’ option.
+ - CVE-2021-32919 can be mitigated by removing or disabling the
+ ‘dialback_without_dialback’ option.
- - CVE-2021-32920 can be mitigated by setting the following ssl option (or add to your existing one if you have one):
+ - CVE-2021-32920 can be mitigated by setting the following ssl option
+ (or add to your existing one if you have one):
ssl = {
options = {
no_renegotiation = true;
}
}
- - CVE-2021-32921 can partly be mitigated by enabling and configuring rate limits through mod_limits in order to lengthen the amount of time required to successfully complete a timing attack.
+ - CVE-2021-32921 can partly be mitigated by enabling and configuring
+ rate limits through mod_limits in order to lengthen the amount of time
+ required to successfully complete a timing attack.
ASA-202105-11 edited at 19 May 2021 15:14:14
Workaround
+ - CVE-2021-32917 can be mitigated by configuring 'proxy65_acl' to a list of XMPP domains that should be allowed to use the file transfer proxy.
+
+ - CVE-2021-32918 can be partly mitigated using stricter settings for stanza size limits, rate limits and garbage collection parameters, see the referenced upstream advisory for more details.
+
+ - CVE-2021-32919 can be mitigated by removing or disabling the ‘dialback_without_dialback’ option.
+
+ - CVE-2021-32920 can be mitigated by setting the following ssl option (or add to your existing one if you have one):
+
+ ssl = {
+ options = {
+ no_renegotiation = true;
+ }
+ }
+
+ - CVE-2021-32921 can partly be mitigated by enabling and configuring rate limits through mod_limits in order to lengthen the amount of time required to successfully complete a timing attack.
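Review bot: the option name in the CVE-2021-32919 item is wrapped in typographic quotes (‘dialback_without_dialback’) while the CVE-2021-32917 item uses plain ASCII quotes ('proxy65_acl'); write 'dialback_without_dialback' so both option names are quoted the same way and the name can be copied verbatim into the configuration. For the same reason, the ssl block under CVE-2021-32920 would read better indented as a nested table (two levels, closing braces aligned with ssl and options) rather than flush with the list items.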
ASA-202105-11 edited at 19 May 2021 11:13:00
Impact
+ A remote attacker could cause excessive use of the server's bandwidth and resources, leading to denial of service, impersonate other servers, or leak secret strings through timing attacks.
ASA-202105-11 created at 19 May 2021 11:10:07