There are no workarounds that address this vulnerability. However, administrators can mitigate this vulnerability in one of two ways:
- Disable the deflate, lzma, and brotli content-encoding types if they are not required.
- Migrate to Cisco Secure Web Appliance Release 14.5.2, in which deflate, lzma, and brotli content-encoding types are disabled by default.
Disable the Content-Encoding Type
To disable a specific content-encoding type, use the following steps:
1. Log in to the admin console interface for the device.
2. Choose advancedproxyconfig > CONTENT-ENCODING.
3. Enter the number associated with the specific content-encoding type.
4. If the following message is displayed, enter Y at the prompt:
    The encoding type <"content-encoding type"> is currently allowed
    Do you want to block it? [N]> Y
5. If the following message is displayed, enter N at the prompt:
    The encoding type <"content-encoding type"> is currently blocked
    Do you want to allow it? [N]> N
6. Run the Commit command.
While this mitigation has been deployed and was proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment.
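One way to judge whether the three content-encoding types are required before blocking them is to tally how often they appear in response headers captured from traffic passing through the proxy. The following is an added example, not part of the original advisory or Cisco tooling; the function names and the sample header blocks are constructed, and it assumes brotli appears under its IANA content-coding token "br".

```python
from collections import Counter

# Content-coding tokens for the encodings named in the advisory.
# Assumption: brotli is advertised with the IANA token "br".
TARGETS = {"deflate": "deflate", "lzma": "lzma", "br": "brotli"}


def encodings_in(header_block):
    """Return the content-codings of one raw HTTP response header block,
    lowercased and in the order listed. Parsing stops at the blank line
    that ends the headers, so body bytes are never inspected."""
    codings = []
    for line in header_block.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "content-encoding":
            # The field may repeat and may carry a comma-separated list.
            codings += [t.strip().lower() for t in value.split(",") if t.strip()]
    return codings


def tally_targets(header_blocks):
    """Count responses that use each encoding the mitigation would block."""
    counts = Counter()
    for block in header_blocks:
        for coding in set(encodings_in(block)):
            if coding in TARGETS:
                counts[TARGETS[coding]] += 1
    return counts


# Constructed sample responses (not real captures).
SAMPLE = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Encoding: gzip\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Encoding: br\r\n\r\n",
    "HTTP/1.1 200 OK\r\ncontent-encoding: Deflate, gzip\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Encoding: BR\r\nContent-Encoding: lzma\r\n\r\n",
    "HTTP/1.1 304 Not Modified\r\n\r\nContent-Encoding: deflate\r\n",
]

if __name__ == "__main__":
    for name, hits in sorted(tally_targets(SAMPLE).items()):
        print(f"{name}: {hits} response(s)")
```

A non-zero count for an encoding means some destination still serves it, so blocking that type will affect those responses.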