6

我有一个客户端正在运行 PCI 合规性扫描并获得以下信息:

BEAST (Browser Exploit Against SSL/TLS) Vulnerability
The SSL protocol encrypts data by using CBC mode with chained
initialization vectors. This allows an attacker, which is has gotten
access to an HTTPS session via man-in-the-middle (MITM) attacks or other means, to obtain plain text HTTP headers via
a blockwise chosen-boundary attack (BCBA) in conjunction with
Javascript code that uses the HTML5 WebSocket API, the Java
URLConnection API, or the Silverlight WebClient API. This
vulnerability is more commonly referred to as Browser Exploit Against
SSL/TLS or "BEAST".
CVE: CVE-2011-3389
NVD: CVE-2011-3389
Bugtraq: 49778
CVSSv2: AV:N/AC:M/Au:N/C:P/I:N/A:N(4.30)
Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=665814,
http://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslciphersuite,
http://technet.microsoft.com/en-us/security/bulletin/ms12-006
Service: http
Evidence:
Cipher Suite: SSLv3 : DES-CBC3-SHA
Cipher Suite: SSLv3 : RC4-SHA
Cipher Suite: SSLv3 : RC4-MD5
Cipher Suite: TLSv1 : AES256-SHA
Cipher Suite: TLSv1 : AES128-SHA
Cipher Suite: TLSv1 : DES-CBC3-SHA
Cipher Suite: TLSv1 : RC4-SHA
Cipher Suite: TLSv1 : RC4-MD5

他们的站点托管在 Windows Azure 上;由于这些服务器是托管的,有没有推荐的方法来填补这个漏洞?

4

1 回答 1

2

你到底在 Azure 中运行什么?它是 Web 角色吗?Azure 网站?您自己的 IaaS 模式下的 Windows 服务器?

如果您正在运行 Web 角色,您是否正在运行最新的 Windows 操作系统?Microsoft 于 2012 年 4 月在 Web 角色中修补了此问题。

http://msdn.microsoft.com/en-us/library/windowsazure/hh967599.aspx

如果您通过 IaaS 模式运行 Windows Server,则您自己负责修补服务器。

于 2012-12-22T01:34:18.480 回答