CVSS3 | 7.5 High | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | NONE
Integrity Impact | NONE
Availability Impact | HIGH
CVSS2 | 5 Medium | AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | NONE
Availability Impact | PARTIAL
Blue Coat products using affected versions of OpenSSL 1.0.2, 1.0.1, 1.0.0 and 0.9.8 are susceptible to one or more vulnerabilities. A remote attacker may exploit these vulnerabilities to obtain private key information and information stored in the target’s volatile memory. The attacker can also cause denial of service through application crashes due to memory corruption or illegal memory accesses.
The following products are vulnerable:
CVE |Affected Version(s)|Remediation
CVE-2015-3194 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
6.6 | Upgrade to 6.6.4.1
CVE-2015-3195, CVE-2015-3196 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
6.6 | Upgrade to later release with fixes.
CVE |Affected Version(s)|Remediation
CVE-2015-3194 | All versions prior to 1.3.8 | Upgrade to 1.3.8.
CVE |Affected Version(s)|Remediation
All CVEs | 6.1 (only when a Novell SSO realm is used) | An updated Novell SSO SDK is no longer available. Please contact Novell for more information.
CVE |Affected Version(s)|Remediation
All CVEs | 2.1 and later | Not vulnerable, fixed in 2.1.1.1
CVE-2015-3194, CVE-2015-3195 | 1.3 | Upgrade to 1.3.6.1.
1.1, 1.2 | Upgrade to later release with fixes.
CVE |Affected Version(s)|Remediation
CVE-2015-3195 | 6.1 | Upgrade to 6.1.22.1.
CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 | 4.2 | Upgrade to 4.2.8.
CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3195, CVE-2015-3196 | 1.6 and later | Not vulnerable, fixed in 1.6.1.1
1.5 | Upgrade to 1.5.3.1.
1.4 | Upgrade to later release with fixes.
CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3196 | 5.4 and later | Not vulnerable, fixed in 5.4.1
5.3 | Upgrade to 5.3.6.
CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3196 | 5.3 | Upgrade to 5.3.6.
CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3196 | 5.3 | Upgrade to 5.3.6.
CVE |Affected Version(s)|Remediation
CVE-2015-3194 | 9.2 | Upgrade to 9.2.13p1.
CVE |Affected Version(s)|Remediation
CVE-2015-3194 | 11.6 and later | Not vulnerable, fixed in 11.6.1.1
11.5 | Upgrade to 11.5.3.1.
11.2, 11.3, 11.4 | Upgrade to later release with fixes.
CVE |Affected Version(s)|Remediation
CVE-2015-3194 | 9.2 | Upgrade to 9.2.13p1.
CVE |Affected Version(s)|Remediation
CVE-2015-3194 | 1.1 | Upgrade to 1.1.2.1.
CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3195 | 3.5 | Upgrade to 3.5.4.1.
CVE |Affected Version(s)|Remediation
CVE-2015-3195 | 3.4 | Upgrade to latest release of Unified Agent with fixes.
CVE |Affected Version(s)|Remediation
CVE-2015-3194 | 6.7 and later | Not vulnerable, fixed in 6.7.1.1
6.6 | Upgrade to 6.6.4.1.
6.5 | Upgrade to 6.5.9.2.
CVE-2015-3195, CVE-2015-3196 | 6.7 and later | Not vulnerable, fixed in 6.7.1.1
6.6 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
6.5 (not vulnerable to known vectors of attack) | Upgrade to 6.5.10.4.
CVE |Affected Version(s)|Remediation
CVE-2015-3194, CVE-2015-3196 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
10.1 | Upgrade to 10.1.4.1.
9.5 | Upgrade to 9.5.3.1.
CVE-2015-3195 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
10.1 | Upgrade to 10.1.4.1.
9.5 | Upgrade to 9.5.3.1.
9.4 | Upgrade to later release with fixes.
CVE |Affected Version(s)|Remediation
All CVEs | 3.10 and later | Not vulnerable, fixed in 3.10.1.1
CVE-2015-3194, CVE-2015-3195 | 3.9 | Upgrade to 3.9.3.1.
3.8.4FC | Upgrade to 3.8.4FC-55.
3.8 | Upgrade to later release with fixes.
CVE-2015-3193, CVE-2015-1794 | 3.9 | Upgrade to 3.9.3.1.
CVE |Affected Version(s)|Remediation
CVE-2015-3193, CVE-2015-3194 | 4.7 and later | Not vulnerable, fixed in 4.7.1
4.6 | Upgrade to later release with fixes.
4.1 | Not vulnerable
CVE |Affected Version(s)|Remediation
CVE-2015-3195 | 11.0 | Not available at this time
10.0 | Not available at this time
9.7 | Upgrade to later release with fixes.
CVE-2015-3194, CVE-2015-3196 | 11.0 | Not available at this time
The following products contain a vulnerable version of OpenSSL, but are not vulnerable to known vectors of attack:
CVE |Affected Version(s)|Remediation
CVE-2015-3195 | 3.4 | Upgrade to 3.4.2.5.
CVE |Affected Version(s)|Remediation
CVE-2015-3195 | 1.6 | Upgrade to latest release of Unified Agent with fixes.
CVE |Affected Version(s)|Remediation
CVE-2015-3195 | 7.2 and later | Not vulnerable, fixed in 7.2.1
7.1 | Upgrade to 7.1.11.
7.0 | Upgrade to later release with fixes.
6.6 | Upgrade to 6.6.12.
Blue Coat products may act as both client and server in SSL/TLS connections, and may use application functionality for cryptographic operations. Blue Coat products act as a client when connecting to Blue Coat services such as WebPulse, DRTR, and licensing and subscription services. Products should be considered vulnerable in all interfaces that provide SSL/TLS connections for data and management interfaces unless the CVE is specific to SSL/TLS client or server functionality (as noted in the descriptions above) or unless otherwise stated below:
Blue Coat products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs. However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Client Connector, ProxyClient, and Reporter 9.x for Linux.
Blue Coat products do not enable or use all functionality within OpenSSL. Products that do not utilize or enable the functionality described in a CVE are not vulnerable to that CVE. However, fixes for those CVEs will be included in the patches that are provided. The following products include vulnerable versions of OpenSSL, but do not use the functionality described in the CVEs and are not known to be vulnerable.
The following products are not vulnerable:
AuthConnector
Blue Coat HSM Agent for the Luna SP
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
Mail Threat Defense
ProxyAV ConLog and ConLogXP
Web Isolation
Symantec no longer provides vulnerability information for the following products:
DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.
IntelligenceCenter
IntelligenceCenter Data Collector
NetDialog NetX is a replacement product for IntelligenceCenter.
Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 78705 / NVD: CVE-2015-3193
Impact | Information disclosure
Description | A flaw in the modular exponentiation routine used by the DH, RSA, and DSA protocols allows a remote attacker to obtain private key information from targets running on 64-bit platforms.

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 78623 / NVD: CVE-2015-3194
Impact | Denial of service
Description | A flaw in RSA PSS signature verification allows a remote attacker to cause illegal memory accesses on the target, resulting in application crashes and denial of service.

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 78626 / NVD: CVE-2015-3195
Impact | Information disclosure
Description | A flaw in PKCS#7 and CMS data parsing allows a remote attacker to access information from the process memory of vulnerable applications.

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 78622 / NVD: CVE-2015-3196
Impact | Denial of service
Description | A flaw in PSK parameter handling allows a remote attacker to cause memory corruption on the target, resulting in application crashes and denial of service.

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | NVD: CVE-2015-1794
Impact | Denial of service
Description | A flaw in anonymous Diffie-Hellman parameter handling allows a remote attacker to cause denial of service in SSL clients.
Blue Coat's SSL Visibility appliance can be used to prevent attacks using CVE-2015-3196 and CVE-2015-1794. Customers using SSLV in inline outbound deployments can protect SSL clients by blocking SSL flows that use PSK cipher suites (CVE-2015-3196) and ADH cipher suites (CVE-2015-1794). SSLV 3.x customers can use the following configuration steps:
For SSLV versions other than 3.x, refer to the appropriate SSL Visibility Administration & Deployment Guide or contact Blue Coat support for instructions on how to configure the SSLV policy with blocking rules. Before blocking SSL cipher suites in a production network, verify that no existing SSL applications require them to function properly.
CVE-2015-3195 can be remediated by ensuring that PKCS#7 and CMS content always come from a trusted source.
CVE-2015-3196 can be remediated in Reporter 9.5 by disabling PSK cipher suites for SSL connections.
By default ICSP, NNP, and NSP do not enable SSL/TLS cipher suites using PSK key exchange. Customers who do not enable these cipher suites prevent attacks against ICSP, NNP, and NSP using CVE-2015-3196.
By default XOS does not use SSL client connections and does not enable SSL/TLS cipher suites using PSK key exchange. Customers who do not change this default behavior prevent attacks against XOS using CVE-2015-3194 and CVE-2015-3196.
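The workarounds above depend on knowing whether PSK or ADH cipher suites are actually enabled on an endpoint. The following added example (not part of the original advisory or any Blue Coat tooling) parses `openssl ciphers -v` style output and lists the suites that fall in the PSK family (CVE-2015-3196) and the ADH family (CVE-2015-1794); the sample lines and function names are constructed for illustration.

```python
# Added example (not from the advisory): flag PSK and ADH suites in
# `openssl ciphers -v` style output. SAMPLE is constructed for illustration.
import re

SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
EXP-ADH-RC4-MD5 SSLv3 Kx=DH(512) Au=None Enc=RC4(40) Mac=MD5 export
PSK-AES128-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=AES(128) Mac=SHA1
DHE-PSK-AES256-CBC-SHA SSLv3 Kx=DHEPSK Au=PSK Enc=AES(256) Mac=SHA1
AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
"""

FIELD = re.compile(r"\b(Kx|Au)=(\S+)")


def classify(kx, au):
    """Return the advisory CVEs whose mitigation covers this key exchange."""
    cves = []
    if "PSK" in kx:                      # PSK, DHEPSK, RSAPSK, ECDHEPSK
        cves.append("CVE-2015-3196")
    # ADH = Diffie-Hellman key exchange with no authentication. Export
    # suites print as "DH(512)", so drop the parenthesised key size.
    # Anonymous ECDH (AECDH) is not one of the families the advisory names.
    if kx.split("(")[0] == "DH" and au == "None":
        cves.append("CVE-2015-1794")
    return cves


def audit(ciphers_v_output):
    """Map each CVE to the enabled suites that its blocking rule would hit."""
    report = {"CVE-2015-3196": [], "CVE-2015-1794": []}
    for line in ciphers_v_output.splitlines():
        fields = dict(FIELD.findall(line))
        parts = line.split()
        if not parts or "Kx" not in fields or "Au" not in fields:
            continue                     # skip blank or malformed lines
        for cve in classify(fields["Kx"], fields["Au"]):
            report[cve].append(parts[0])
    return report


if __name__ == "__main__":
    for cve, suites in audit(SAMPLE).items():
        print(cve, "->", ", ".join(suites) or "none enabled")
```

Feed `audit()` the output of `openssl ciphers -v` for the cipher string a service is configured with; an empty list for both CVEs means neither family is enabled there.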
OpenSSL Security Advisory - <https://openssl.org/news/secadv/20151203.txt>
2020-04-19 Information about IntelligenceCenter and IntelligenceCenter Data Collector is not available. NetDialog NetX is a replacement product for IntelligenceCenter. Advisory status moved to Closed.
2019-10-02 Web Isolation is not vulnerable.
2018-04-22 PacketShaper S-Series 11.10 is not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-30 A fix for the remaining CVEs in ProxySG 6.5 is available in 6.5.10.4.
2017-06-23 A fix for the remaining CVEs in ASG 6.6 will not be provided. Please upgrade to the latest version with the vulnerability fixes.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-17 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable. SSLV 4.0 is not vulnerable. ProxySG 6.7 is not vulnerable because the fixes are available in 6.7.1.1. Fixes for the remaining CVEs in ProxySG 6.5 and 6.6 will not be provided. Please upgrade to the latest version with the vulnerability fixes. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2017-02-07 A fix for Android Mobile Agent is available in 1.3.8.
2016-11-29 A fix for Director is available in 6.1.22.1. PacketShaper S-Series 11.7 is not vulnerable. SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-22 MC 1.6 and 1.7 are not vulnerable.
2016-09-13 PacketShaper S-Series 11.2, 11.3, 11.4, and 11.5 are vulnerable. PacketShaper S-Series 11.6 is not vulnerable. A fix for PacketShaper S-Series 11.5 is available in 11.5.3.1. Fixes for PacketShaper S-Series 11.2, 11.3, and 11.4 will not be provided.
2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55.
2016-08-12 Security Analytics 7.2 is not vulnerable.
2016-08-10 A fix for Unified Agent is available in 4.7.1.
2016-06-23 A fix for CVE-2015-3194 is available in 6.6.4.1. A fix for the other CVEs is not available at this time.
2016-06-21 A fix for CVE-2015-3194 in ProxySG 6.6 is available in 6.6.4.1. A fix for the other CVEs is not available at this time.
2016-06-16 PolicyCenter S-Series 1.1 is vulnerable to CVE-2015-3194. It also has vulnerable code for CVE-2015-3195 and CVE-2015-3196, but is not vulnerable to known vectors of attack. A fix is available in 1.1.2.1.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-05-18 Fixes are available in Security Analytics 6.6.12 and 7.1.11.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-05-06 A fix for PacketShaper 9.2 is available in 9.2.13p1. A fix for PolicyCenter 9.2 is available in 9.2.13p1.
2016-05-02 It was previously reported that ProxyClient is not vulnerable. Further investigation has shown that ProxyClient 3.4 for Windows is vulnerable to CVE-2015-3195. A fix for ProxyClient will not be provided. Please upgrade to the latest version of Unified Agent with the vulnerability fix.
2016-04-24 Mail Threat Defense is not vulnerable.
2016-04-01 A fix for Reporter 10.1 is available in 10.1.4.1.
2016-03-14 A fix for CAS 1.3 is available in 1.3.6.1. A fix for MC 1.5 is available in 1.5.3.1.
2016-03-10 A fix for MAA 4.2 is available in 4.2.8.
2016-03-04 A fix for Reporter 9.5 is available in 9.5.3.1.
2016-02-16 A fix for CVE-2015-3194 is available in ProxySG 6.5.9.2.
2016-02-12 MC 1.5 is vulnerable. A fix for MC 1.4 will not be provided. Please upgrade to the latest version with the vulnerability fixes.
2016-01-22 A fix is available for SSLV 3.9.
2016-01-19 A fix is available for ProxyAV.
2016-01-18 A patch is available for CacheFlow.
2015-12-21 CacheFlow, ProxyAV, Security Analytics and SSLV have vulnerable OpenSSL software for some CVEs listed in the Advisory Details section, but do not use the vulnerable functionality and are not known to be vulnerable. The vulnerable OpenSSL software will be patched in future releases.
2015-12-17 Client Connector has a vulnerable version of OpenSSL, but does not use the vulnerable code. A fix will not be provided - customers should upgrade to the latest version of Unified Agent with the vulnerability fix.
2015-12-16 Customers can use SSL Visibility to defend against attacks using CVE-2015-3196 and CVE-2015-1794.
2015-12-13 Reporter is vulnerable. CVE-2015-3194 in SSLV only affects SSL client connections.
2015-12-10 initial public release