Symantec Security Response, SMNTC-1344
Jan 29, 2016 - 8:00 a.m.

SA110 : Java Deserialization Vulnerabilities

Symantec Security Response

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

SUMMARY

Blue Coat products that deserialize unsafe Java objects from untrusted sources are susceptible to one or more vulnerabilities. A remote attacker can exploit these vulnerabilities to cause the target to execute arbitrary code.

AFFECTED PRODUCTS

Cloud Data Protection for Salesforce (CDP-SFDC)

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 4.9 and later | Not vulnerable, fixed in 4.9.1.
CVE-2015-3253 | 4.7 | Upgrade to 4.7.6.
CVE-2015-3253 | 4.6 | Upgrade to 4.6.6.
CVE-2015-3253 | 2.4, 2.5, 4.5 | Upgrade to later releases with fixes.

Cloud Data Protection for Salesforce Analytics (CDP-WAVE)

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 4.9 and later | Not vulnerable, fixed in 4.9.1.
CVE-2015-3253 | 4.7 | Upgrade to 4.7.6.

Cloud Data Protection for ServiceNow (CDP-SNOW)

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 4.9 and later | Not vulnerable, fixed in 4.9.1.
CVE-2015-3253 | 4.7 | Upgrade to 4.7.6.
CVE-2015-3253 | 4.6 | Upgrade to 4.6.6.

Cloud Data Protection for Oracle CRM On Demand (CDP-OCRM)

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 2.4 | A fix will not be provided.

Cloud Data Protection for Oracle Sales Cloud (CDP-OSC)

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 4.9 and later | Not vulnerable, fixed in 4.9.1.
CVE-2015-3253 | 4.8 | Upgrade to later releases with fixes.

Cloud Data Protection Communication Server (CDP-COMMSVR)

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 4.9 and later | Not vulnerable, fixed in 4.9.1.
CVE-2015-3253 | 4.7 | Upgrade to 4.7.6.
CVE-2015-3253 | 4.6 | Upgrade to 4.6.6.
CVE-2015-3253 | 4.5 | Upgrade to later releases with fixes.

Cloud Data Protection Policy Builder (CDP-PBUILDER)

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 4.9 and later | Not vulnerable, fixed in 4.9.1.
CVE-2015-3253 | 4.7 | Upgrade to 4.7.6.
CVE-2015-3253 | 4.6 | Upgrade to 4.6.6.

IntelligenceCenter (IC)

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 3.3 | Upgrade to a version of NetDialog NetX with fixes.

IntelligenceCenter Data Collector (IC Data Collector)

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 3.3 | Upgrade to a version of NetDialog NetX with fixes.

The following products contain vulnerable Java libraries, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway (ASG)

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 6.7 | Upgrade to 6.7.4.9.
CVE-2015-3253 | 6.6 | Upgrade to later releases with fixes.

Content Analysis System (CAS)

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 2.4 and later | Not vulnerable, fixed in 2.4.1.1.
CVE-2015-3253 | 1.1, 1.2, 1.3, 2.1, 2.2, 2.3 | Upgrade to later releases with fixes.

Mail Threat Defense (MTD)

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 1.1 | Upgrade to 1.1.2.1 for the Apache Commons Collections library. A fix for the Spring Framework library is not available at this time.

Management Center (MC)

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 1.6 and later | Not vulnerable, fixed in 1.6.1.1.
CVE-2015-3253 | 1.5 | Upgrade to later releases with fixes.
CVE-2015-3253 | 1.4 | Upgrade to later releases with fixes.

X-Series XOS

CVE | Affected Version(s) | Remediation
CVE-2015-3253 | 11.0 | Upgrade to 11.0.2.
CVE-2015-3253 | 10.0 | Upgrade to 10.0.6.
CVE-2015-3253 | 9.7 | Upgrade to later releases with fixes.

ADDITIONAL PRODUCT INFORMATION

Blue Coat products that do not use Java object serialization and deserialization are not known to be vulnerable. However, some products contain affected versions of Java libraries that contain classes with unsafe deserialization methods. Fixes for the affected Java libraries will be included in the patches that are provided. The following products include affected versions of Java libraries, but do not use Java object serialization and are not known to be vulnerable:

  • Advanced Secure Gateway
  • Content Analysis System
  • Mail Threat Defense
  • Management Center
  • X-Series XOS

ASG 6.6 and 6.7 have vulnerable versions of the Apache Commons Collections and Spring Framework libraries.

CAS 1.1 and later releases have vulnerable versions of the Apache Commons Collections and Spring Framework libraries.

MTD 1.1 has vulnerable versions of the Apache Commons Collections and Spring Framework libraries.

MC 1.4 and 1.5 have a vulnerable version of the Apache Commons Collections library.

XOS 9.7, 10.0, and 11.0 have a vulnerable version of the Apache Commons Collections library.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection Integration Server
Director
General Auth Connector Login Application
K9
Malware Analysis Appliance
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
SSL Visibility
Unified Agent
Web Isolation

Blue Coat no longer provides vulnerability information for the following products:

DLP: Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

Java deserialization vulnerabilities are a class of vulnerabilities where the victim deserializes a serialized Java object received from an untrusted, potentially malicious source. An attacker can craft a chain of Java objects that are instances of classes with unsafe deserialization methods. The attacker then serializes the chain and sends it to the target. If the target has the unsafe classes in its Java classpath, it will deserialize the object by invoking the unsafe Java deserialization methods. The deserialization can cause the target to execute arbitrary Java functions, malicious Java bytecode, and system shell commands.

Security researchers have found classes with unsafe deserialization methods in popular Java libraries: Apache Commons Collections 3.x and 4.x (VU#576313), Apache Groovy (CVE-2015-3253), and Spring Framework 4.x. This list is not exhaustive, because future attacks may use combinations of different affected Java classes. An application does not need to use an affected Java class to be vulnerable; it only needs to have the affected class in its classpath to be able to deserialize objects of that class.

Java applications that deserialize Java objects from untrusted sources are vulnerable. Java serialization is widely used in Java network applications to encode Java objects in HTTP messages. It is also used in the Java Remote Method Invocation (RMI) API and in Java Management Extensions (JMX).

CVE-2015-3253

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 75919 / NVD: CVE-2015-3253
Impact | Code Execution
Description | Weak padding oracle flaw in SSLV 3.x when intercepting SSL/TLS traffic.

MITIGATION

Blue Coat’s ProxySG appliance can be used to detect and block network traffic containing serialized Java objects. Customers can use the following CPL syntax to block all serialized Java objects in Base64 form:

<proxy>
http.request[name,value].regex="\brO0ABXNyA[A-Za-z0-9+=/]{10,}\b" DENY

Similarly, customers can use the following CPL syntax to block all serialized Java objects in hexadecimal form:

<proxy>
http.request[name,value].regex="\xac\xed\x00\x05\x73\x72\x00" DENY
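As an added illustration (not part of the advisory and not Blue Coat's CPL), the following Python script applies the two signatures above to constructed HTTP requests and shows what each one matches: the first rule catches the "rO0ABXNy" prefix that every Base64-encoded Java object stream begins with, and the second rule, although written with hex escapes, matches the raw binary stream header (0xACED 0x0005). The rule names, the sample requests and the stream builder are assumptions made for the example.

```python
import base64
import re

# Start of a Java serialization stream (java.io.ObjectStreamConstants):
# STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005, then TC_OBJECT 0x73 and
# TC_CLASSDESC 0x72; the next byte is the high byte of the class-name length.
SERIAL_PREFIX = b"\xac\xed\x00\x05\x73\x72\x00"

# The two CPL regexes from the advisory, transcribed to Python's re module
# (assumption: both engines treat these simple constructs identically).
RULES = {
    "java-serialized-base64": re.compile(rb"\brO0ABXNyA[A-Za-z0-9+=/]{10,}\b"),
    "java-serialized-raw": re.compile(rb"\xac\xed\x00\x05\x73\x72\x00"),
}


def build_object_stream(class_name: str) -> bytes:
    """Constructed stand-in for the start of a serialized Java object:
    header, TC_OBJECT, TC_CLASSDESC, class-name length and name. It is
    enough to exercise the signatures and is not a complete object stream."""
    name = class_name.encode("utf-8")
    return SERIAL_PREFIX[:6] + len(name).to_bytes(2, "big") + name + b"\x00" * 8


def scan_request(headers: dict, body: bytes) -> list:
    """Return (location, rule) pairs for each header value or body that
    matches a signature, the way http.request[name,value].regex is applied."""
    fields = [("header:" + k, v.encode("latin-1")) for k, v in headers.items()]
    fields.append(("body", body))
    return [(loc, rule) for loc, data in fields
            for rule, pattern in RULES.items() if pattern.search(data)]


# Constructed sample traffic: a raw object stream in the body, the same stream
# Base64-encoded in a cookie (as some Java web apps do), and a benign request.
SAMPLE_STREAM = build_object_stream("java.util.HashMap")
REQUESTS = {
    "raw-body": ({"Content-Type": "application/x-java-serialized-object"}, SAMPLE_STREAM),
    "base64-cookie": ({"Cookie": "session=" + base64.b64encode(SAMPLE_STREAM).decode()}, b""),
    "benign": ({"Cookie": "session=abc123"}, b'{"user": "alice"}'),
}


def scan_all() -> dict:
    """Apply both rules to every sample request; any hit means the proxy would DENY."""
    return {name: scan_request(h, b) for name, (h, b) in REQUESTS.items()}


if __name__ == "__main__":
    for name, hits in scan_all().items():
        print(f"{name:14s} {'DENY' if hits else 'ALLOW'} {hits}")
```

Both signatures key on the stream header at the start of a field, so a stream that is compressed or embedded at a non-zero offset in a Base64 blob encodes differently and is not caught; treat them as a first line of defense alongside the patches listed above.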

REFERENCES

Apache Commons Collections vulnerability (VU#576313) - https://www.kb.cert.org/vuls/id/576313
Apache Commons statement - https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread

REVISION

2020-04-20 A fix for Content Analysis (CA) 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for Cloud Data Protection (CDP) for Oracle CRM on Demand will not be provided. Advisory status moved to Closed.
2019-10-02 Web Isolation is not vulnerable.
2019-09-26 A fix for ASG 6.7 is available in 6.7.4.9. CA 2.4 is not vulnerable because a fix is available in 2.4.1.1.
2019-08-20 A fix for IntelligenceCenter (IC) 3.3 and IntelligenceCenter Data Collector (DC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-02-04 A fix for CA 1.3 and 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CAS 2.3 has a vulnerable version of the Apache Commons Collections and Spring Framework libraries, but is not vulnerable to known vectors of attack.
2017-11-17 CAS 2.2 has a vulnerable version of the Apache Commons Collections and Spring Framework libraries, but is not vulnerable to known vectors of attack.
2017-11-06 ASG 6.7 has vulnerable versions of the Apache Commons Collections and Spring Framework libraries. It does not use Java binary deserialization and is not vulnerable to known vectors of attack.
2017-07-20 MC 1.10 is not vulnerable.
2017-05-17 CAS 2.1 has a vulnerable version of the Apache Commons Collections and Spring Framework libraries. CDP for Salesforce 4.12, CDP for ServiceNow 4.12, and CDP Communication Server 4.12 are not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-11-28 A fix for CDP 4.6 is available in 4.6.6. A fix for CDP 4.7 is available in 4.7.6.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable. Fixes will not be provided for CDP-SFDC 2.4, CDP-SFDC 2.5, CDP-SFDC 4.5, CDP-OSC 4.8, and CDP-COMMSVR 4.5.
2016-09-22 MC 1.7 is not vulnerable. A fix will not be provided for MC 1.5. Please upgrade to a later version with the vulnerability fixes.
2016-07-13 MC 1.6 is not vulnerable because a fix is available in 1.6.1.1. A fix will not be provided for MC 1.4. Please upgrade to a later version with the vulnerability fixes.
2016-07-15 All components of CDP 4.9 are not vulnerable because the fixes are available in 4.9.1. A fix for XOS 10.0 is available in 10.0.6. A fix for XOS 11.0 is available in 11.0.2.
2016-05-11 CDP for Salesforce, Salesforce Analytics, ServiceNow, Oracle CRM On Demand, and Oracle Sales Cloud are vulnerable. CDP Communication Server and Policy Builder are also vulnerable. CDP Integration Server is under investigation.
2016-04-25 MTD 1.1 has vulnerable versions of Apache Commons Collections and Spring Framework. A fix for Apache Commons Collections is available in MTD 1.1.2.1. ASG and CAS also have vulnerable versions of Spring Framework.
2016-04-22 PacketShaper S-Series and PolicyCenter S-Series are not vulnerable.
2016-04-15 Fixes will not be provided for CAS 1.1 and 1.2. Please upgrade to a later version with the vulnerability fixes.
2016-02-08 X-Series XOS contains a vulnerable version of Apache Commons Collections. It does not accept serialized Java objects from remote sources and thus is not known to be vulnerable.
2016-02-03 Reporter 10.1 does not contain the Apache Commons Collections library and is therefore not vulnerable.
2016-02-03 Reporter 10.1 is vulnerable.
2016-01-29 Initial public release.
