7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
Blue Coat products using affected versions of Tomcat 8.x, 7.x, and 6.x are susceptible to multiple vulnerabilities. A remote attacker may exploit these vulnerabilities to gain unauthorized read access or escalated privileges, or to conduct denial of service, HTTP request smuggling, or session fixation attacks.
The following products are vulnerable:
CVE |Affected Version(s)|Remediation
CVE-2014-0227, CVE-2014-0119,
CVE-2014-0099, CVE-2014-0096,
CVE-2014-0075, CVE-2014-0050 | 1.3 and later | Not vulnerable, fixed in 1.3.1.1
1.2 | Upgrade to 1.2.4.5.
1.1 | Upgrade to later release with fixes.
CVE-2014-0230 | 1.3 and later | Not vulnerable, fixed in 1.3.1.1
1.2 (not vulnerable to known vectors of attack) | Upgrade to 1.2.4.5.
1.1 | Upgrade to later release with fixes.
CVE-2014-7810 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1
1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.7.1.
1.1, 1.2 | Upgrade to later release with fixes.
CVE |Affected Version(s)|Remediation
CVE-2014-7810, CVE-2014-0230,
CVE-2014-0227 | 6.1 | Upgrade to 6.1.20.1.
CVE |Affected Version(s)|Remediation
All CVEs except CVE-2014-0095,
CVE-2014-0050 | 3.3 | Upgrade to 3.3.3.1.
3.2 | Upgrade to later release with fixes.
CVE |Affected Version(s)|Remediation
CVE-2014-0230, CVE-2014-0227 | 1.5 and later | Not vulnerable, fixed in 1.5.1.1.
1.4 | Upgrade to 1.4.2.1.
CVE |Affected Version(s)|Remediation
All CVEs except CVE-2014-0095,
CVE-2014-0050 | 11.0 | Not available at this time
The following products have a vulnerable version of Apache Tomcat, but are not vulnerable to known vectors of attack:
CVE |Affected Version(s)|Remediation
CVE-2014-0227, CVE-2014-7810 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1.
CVE-2014-0227 | 6.6 | Upgrade to 6.6.3.1.
CVE-2014-7810 | 6.6 | Upgrade to 6.6.5.1.
CVE |Affected Version(s)|Remediation
CVE-2014-7810 | 1.1 | Not available at this time
The Blue Coat HSM Agent for the SafeNet Luna SP is not vulnerable, but the agent does use the Apache Tomcat instance installed on the SafeNet Luna SP. Customers using the agent are advised to contact SafeNet for more information about these vulnerabilities.
These vulnerabilities can be exploited only through the management interfaces for CAS, Director, Management Center, and X-Series XOS. Limiting the machines and IP address that able to connect to the management interface reduces the threat significantly, and thereby reduces the CVSS v2 base scores for each of the CVEs. The adjusted CVSS v2 base scores and severity are:
Blue Coat products do not enable or use all functionality within Apache Tomcat. Products that do not utilize or enable the functionality described in a CVE are not vulnerable to that CVE. However, fixes for those CVEs will be included in the patches that are provided. The following products include vulnerable versions of Apache Tomcat, but do not use the functionality described in the CVEs and are not known to be vulnerable.
The following products are not vulnerable:
Android Mobile Agent
Auth Connector
BCAAA
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter Data Collector
K9
Malware Analysis Appliance
Malware Analyzer G2
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
OPIC
PacketShaper
PacketShaper S-Series
PolicyCenter PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics Platform
SSL Visibility
Unified Agent
Web Isolation
The following products are under investigation:
X-Series XOS 10.0.5, 9.7.8, and 9.6.11
Blue Coat no longer provides vulnerability information for the following products:
DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.
Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) References| SecurityFocus: BID 74665 / NVD: CVE-2014-7810 Impact| Security control bypass Description | A flaw allows an attacker to bypass the SecurityManager protection using a malicious web application. This vulnerability affects Blue Coat products that accept input from untrusted sources.
Severity / CVSSv2 | High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) References| SecurityFocus: BID 74475 / NVD: CVE-2014-0230 Impact| Denial of service Description | A flaw in the handling of HTTP responses allows an attacker to send a series of aborted uploads resulting in memory exhaustion that could lead to a crash or degraded operation
Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P) References| SecurityFocus: BID 72717 / NVD: CVE-2014-0227 Impact| Security control bypass, denial of service Description | There exists a flaw in the handling of attempts to read data after an error has already occurred. An attacker can exploit this flaw to conduct HTTP request smuggling attacks or to cause a denial of service by streaming crafted data to the vulnerable host.
Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) References| SecurityFocus: BID 67669 / NVD: CVE-2014-0119 Impact| Information disclosure Description | A flaw allows an attacker to gain read access to unauthorized files using a crafted web application.
Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) References| SecurityFocus: BID 67668 / NVD: CVE-2014-0099 Impact| Security control bypass Description | A flaw allows an attacker to conduct HTTP request smuggling attacks using a crafted header when the Tomcat installation is behind a reverse proxy such as ProxySG.
Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) References| SecurityFocus: BID 67667 / NVD: CVE-2014-0096 Impact| Information disclosure Description | A flaw allows an attacker to bypass the SecurityManager protection using a crafted web application to read arbitrary files.
Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 67673 / NVD: CVE-2014-0095 Impact| Denial of service Description | An input validation flaw allows an attacker to cause a denial of service.
Severity / CVSSv2 | Medium / 7.5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 67671 / NVD: CVE-2014-0075 Impact| Denial of service Description | A flaw allows an attacker to cause a denial of service due to resource consumption.
Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 65400 / NVD: CVE-2014-0050 Impact| Denial of service Description | A flaw allows an attacker to cause a denial of service.
Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) References| SecurityFocus: BID 65769 / NVD: CVE-2014-0033 Impact| Session hijacking Description | A flaw in handling of session IDs in a URL allows an attacker to conduct session fixation attacks.
Limit access to management consoles to only the machines, IP addresses, or subnets that require access.
Apache Tomcat 8.x vulnerabilities - <https://tomcat.apache.org/security-8.html>
Apache Tomcat 7.x vulnerabilities - <https://tomcat.apache.org/security-7.html>
Apache Tomcat 6.x vulnerabilities - <https://tomcat.apache.org/security-6.html>
2020-04-18 Advisory status moved to Closed.
2019-10-02 Web Isolation is not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-07-20 MC 1.10 is not vulnerable.
2017-05-29 A fix for ASG is available in 6.6.5.1.
2017-05-17 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-02-15 MC 1.8 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-15 MC 1.6 and 1.7 are not vulnerable.
2016-09-15 ASG 6.6 has a vulnerable version of Apache Tomcat, but is not vulnerable to known vectors of attack.
2016-08-12 A fix for all CVEs in CAS 1.3 is available in 1.3.7.1.
2016-06-11 PolicyCenter S-Series is not vulnerable.
2016-05-24 MC 1.5 is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-05-06 A fix for MC 1.4 is available in 1.4.2.1.
2016-05-02 A fix for IC 3.3 is available in 3.3.3.1.
2016-04-25 MTD 1.1 and CAS 1.3 have vulnerable code for CVE-2014-7810, but are not vulnerable to known vectors of attack. Previously it was reported that a fix for CVE-2014-7810 in CAS is provided in 1.2.4.5. New information indicates that all CAS 1.2.x versions contain the vulnerable code for this CVE, but are not vulnerable to known vectors of attack. A patch will be provided in CAS 1.3.
2015-10-01 CAS is vulnerable and a fix is available; CAS is not vulnerable to CVE-2014-0230 and CAS fix addresses all vulnerabilities
2015-07-23 initial public release