Symantec Security Response, SMNTC-1350
Mar 03, 2016 - 8:00 a.m.

SA113 : January 2016 NTP Security Vulnerabilities

CVSS3 | 7.7 High | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE; Scope: CHANGED; Confidentiality Impact: NONE; Integrity Impact: HIGH; Availability Impact: NONE

CVSS2 | 5.8 Medium | AV:N/AC:M/Au:N/C:N/I:P/A:P
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: NONE; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

SUMMARY

Blue Coat products using affected versions of the NTP software distribution from ntp.org are susceptible to multiple vulnerabilities. A remote attacker may exploit these vulnerabilities to set the victim’s system time to an arbitrary value or cause it to become out of sync. The attacker can also cause denial of service through application crashes and perform unauthorized modifications to the victim’s NTP daemon configuration and other files on the local file system.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway (ASG)

CVE | Affected Version(s) | Remediation
CVE-2015-8158 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
CVE-2015-8158 | 6.6 | Upgrade to 6.6.5.4.
All CVEs except CVE-2015-8139, CVE-2015-8140, CVE-2015-8158 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
All CVEs except CVE-2015-8139, CVE-2015-8140, CVE-2015-8158 | 6.6 (not vulnerable to known vectors of attack) | Upgrade to 6.6.5.4.
CVE-2015-8139, CVE-2015-8140 | 6.6 and later (not vulnerable to known vectors of attack) | A fix will not be provided. ASG does not enable remote NTP configuration.

Content Analysis System (CAS)

CVE | Affected Version(s) | Remediation
All CVEs except CVE-2015-8139, CVE-2015-8140 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1
All CVEs except CVE-2015-8139, CVE-2015-8140 | 1.2 | Upgrade to later release with fixes.
CVE-2015-8138 | 1.3 | Upgrade to 1.3.6.1.
CVE-2015-5300 | 1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.6.1.
CVE-2015-8158 | 1.3 | Upgrade to 1.3.7.3.
CVE-2015-7973, CVE-2015-7974, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979 | 1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.7.3.
CVE-2015-8139, CVE-2015-8140 | 1.2 and later (not vulnerable to known vectors of attack) | A fix will not be provided. ASG does not enable remote NTP configuration.

Director

CVE | Affected Version(s) | Remediation
All CVEs except for CVE-2015-7975, CVE-2015-8138, CVE-2015-8139, CVE-2015-8140 | 6.1 | Upgrade to 6.1.22.1.
CVE-2015-8139, CVE-2015-8140 | 6.1 | A fix will not be provided. Director by default does not enable remote NTP configuration.

Mail Threat Defense (MTD)

CVE | Affected Version(s) | Remediation
CVE-2015-8158 | 1.1 | Upgrade to a version of CAS and SMG with the fixes.

Management Center (MC)

CVE | Affected Version(s) | Remediation
CVE-2015-5300, CVE-2015-8138 | 1.6 and later | Not vulnerable, fixed in 1.6.1.1
CVE-2015-5300, CVE-2015-8138 | 1.5 | Upgrade to 1.5.3.1.
CVE-2015-8158 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1
CVE-2015-8158 | 1.7 | Upgrade to 1.7.2.1.
CVE-2015-8158 | 1.5, 1.6 | Upgrade to later release with fixes.
All CVEs except CVE-2015-5300, CVE-2015-8138, CVE-2015-8139, CVE-2015-8140, CVE-2015-8158 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1
All CVEs except CVE-2015-5300, CVE-2015-8138, CVE-2015-8139, CVE-2015-8140, CVE-2015-8158 | 1.7 | Upgrade to 1.7.2.1.
All CVEs except CVE-2015-5300, CVE-2015-8138, CVE-2015-8139, CVE-2015-8140, CVE-2015-8158 | 1.5, 1.6 | Upgrade to later release with fixes.
CVE-2015-8139, CVE-2015-8140 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1
CVE-2015-8139, CVE-2015-8140 | 1.7 (not vulnerable to known vectors of attack) | Upgrade to 1.7.2.1
CVE-2015-8139, CVE-2015-8140 | 1.5, 1.6 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.

Reporter

CVE | Affected Version(s) | Remediation
CVE-2015-5300, CVE-2015-8138 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
CVE-2015-5300, CVE-2015-8138 | 10.1 | Upgrade to 10.1.4.1.
CVE-2015-7973, CVE-2015-7976 | 10.5 and later | Not vulnerable, fixed in 10.5.1.1
CVE-2015-7973, CVE-2015-7976 | 10.3, 10.4 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
CVE-2015-7973, CVE-2015-7976 | 10.2 | Not vulnerable, fixed in 10.2.1.1
CVE-2015-7973, CVE-2015-7976 | 10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.5.1
CVE-2015-8158 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
CVE-2015-8158 | 10.1 | Upgrade to 10.1.5.1.
CVE-2015-8139, CVE-2015-8140 | 10.1 and later | A fix will not be provided. Reporter does not enable remote NTP configuration.
CVE-2015-7974, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979 | 10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.5.1.
All CVEs | 9.4, 9.5 | Not vulnerable

Security Analytics

CVE | Affected Version(s) | Remediation
All CVEs except CVE-2015-7973, CVE-2015-7976, CVE-2015-8139 and CVE-2015-8140 | 7.3 and later | Not vulnerable, fixed in 7.3.1.
All CVEs except CVE-2015-7973, CVE-2015-7976, CVE-2015-8139 and CVE-2015-8140 | 7.2 | Upgrade to 7.2.2.
CVE-2015-8139, CVE-2015-8140 | 7.2 and later | A fix will not be provided. SA by default does not enable NTP remote configuration.
CVE-2015-7973, CVE-2015-7976 | 8.1, 8.2 | Not available at this time
CVE-2015-7973, CVE-2015-7976 | 8.0, 7.3 starting with 7.3.2 | Upgrade to later release with fixes.
CVE-2015-7973, CVE-2015-7976 | 7.2, 7.3.1 | Not vulnerable, fixed in 7.2.1.
All CVEs except CVE-2015-7973, and CVE-2015-7976 | 7.2 | Not vulnerable, fixed in 7.2.1.
CVE-2015-5300, CVE-2015-8138 | 7.1 | Upgrade to 7.1.11.
CVE-2015-5300, CVE-2015-8138 | 7.0 | Upgrade to later release with fixes.
CVE-2015-5300, CVE-2015-8138 | 6.6 | Upgrade to 6.6.12.
CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, CVE-2015-8158 | 7.1 | Apply patch RPM from customer support.
CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, CVE-2015-8158 | 7.0 | Upgrade to later release with fixes.
CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, CVE-2015-8158 | 6.6 | Apply patch RPM from customer support.
CVE-2015-8140 | 6.6, 7.0, 7.1 | A fix will not be provided. SA by default does not enable NTP remote configuration.

SSL Visibility (SSLV)

CVE | Affected Version(s) | Remediation
All CVEs | 3.11 and later | Not vulnerable, fixed in 3.11.1.1
CVE-2015-5300 | 3.10 | Upgrade to 3.10.2.1.
CVE-2015-5300 | 3.9 | Upgrade to 3.9.3.1.
CVE-2015-5300 | 3.8, 3.8.4FC | Upgrade to later release with fixes.
CVE-2015-7974, CVE-2015-8138 | 3.10 | Upgrade to 3.10.2.1.
CVE-2015-7974, CVE-2015-8138 | 3.9 | Upgrade to 3.9.7.1.
CVE-2015-7974, CVE-2015-8138 | 3.8, 3.8.4FC | Upgrade to later release with fixes.

Web Isolation (WI)

CVE | Supported Version(s) | Remediation
CVE-2015-8139, CVE-2015-8140 | 1.12 and later (not vulnerable to known vectors of attack) | A fix will not be provided. WI by default does not enable NTP remote querying and configuration.

X-Series XOS

CVE | Affected Version(s) | Remediation
All CVEs except CVE-2015-7975 | 9.7, 10.0, 11.0 | A fix will not be provided.

ADDITIONAL PRODUCT INFORMATION

In SSL Visibility, the NTP vulnerabilities can be exploited only through the same physical network port that is used by the product's management interfaces (web UI, CLD). Limiting the machines, IP addresses and subnets able to reach this physical network port reduces the threat, which in turn lowers the CVSS v2 score for each CVE. The adjusted CVSS v2 base scores and severity are:

  • CVE-2015-5300 - 2.9 (LOW) (AV:A/AC:M/Au:N/C:N/I:P/A:N)
  • CVE-2015-7974 - 1.4 (LOW) (AV:A/AC:H/Au:S/C:N/I:P/A:N)
  • CVE-2015-8138 - 4.8 (MEDIUM) (AV:A/AC:L/Au:N/C:N/I:P/A:P)

Blue Coat products do not enable or use all functionality within the NTP software distribution from ntp.org. Products listed below do not utilize the functionality described in the CVEs below, and are thus not known to be vulnerable to them. However, fixes for those CVEs will be included in the patches that are provided.

  • ASG 6.6: CVE-2015-5300, CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8139, and CVE-2015-8140.
  • ASG 6.7: CVE-2015-8139 and CVE-2015-8140
  • CAS: CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8140.
  • MTD: CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8140.
  • MC: CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8140.
  • Reporter 10.1: CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8140.
  • SSLV 3.x: CVE-2015-7973, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, CVE-2015-8140, and CVE-2015-8158.
  • SSLV 4.x: CVE-2015-8139, CVE-2015-8140

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis Appliance
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Unified Agent
WSS Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2015-5300

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
References | SecurityFocus: BID 77312 / NVD: CVE-2015-5300
Impact | Unauthorized modification of system time
Description | A flaw in ntpd allows a remote attacker to adjust the victim’s system time by an offset larger than the ntpd panic threshold. The attacker can effectively set the victim’s system time to an arbitrary value.

CVE-2015-7973

Severity / CVSSv2 | Medium / 4.3 (AV:A/AC:M/Au:N/C:N/I:P/A:P)
References | SecurityFocus: BID 81963 / NVD: CVE-2015-7973
Impact | Unauthorized modification of system time
Description | A flaw in the NTP protocol broadcast mode allows a man-in-the-middle or a malicious broadcast client to replay time packets to broadcast clients. This attack can cause the victim’s system time to become out of sync.

CVE-2015-7974

Severity / CVSSv2 | Low / 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
References | SecurityFocus: BID 81960 / NVD: CVE-2015-7974
Impact | Unauthorized modification of system time
Description | A flaw in ntpd allows a remote malicious trusted NTP client or server to impersonate a different trusted NTP client or server and modify time packets. This attack can cause the victim’s system time to become out of sync.

CVE-2015-7975

Severity / CVSSv2 | Low / 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 81959 / NVD: CVE-2015-7975
Impact | Denial of service
Description | A flaw in ntpq allows a remote attacker to send a crafted response to ntpq and cause it to crash, resulting in denial of service.

CVE-2015-7976

Severity / CVSSv2 | Medium / 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)
References | SecurityFocus: NVD: CVE-2015-7976
Impact | Unauthorized modification of data
Description | A flaw in ntpd allows a remote attacker to send a crafted “saveconfig” command to ntpd, causing it to modify files on the local filesystem.

CVE-2015-7977

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 81815 / NVD: CVE-2015-7977
Impact | Denial of service
Description | A flaw in ntpd allows a remote attacker to send a crafted “ntpdc reslist” command to ntpd. This attack causes ntpd to dereference a NULL pointer and crash, resulting in denial of service.

CVE-2015-7978

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 81962 / NVD: CVE-2015-7978
Impact | Denial of service
Description | A flaw in ntpd allows a remote attacker to send a crafted “ntpdc reslist” command to ntpd. This attack causes ntpd to exhaust its call stack and crash, resulting in denial of service.

CVE-2015-7979

Severity / CVSSv2 | Medium / 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
References | SecurityFocus: BID 81816 / NVD: CVE-2015-7979
Impact | Denial of service
Description | A flaw in the NTP protocol broadcast mode allows a remote attacker to send bad authentication packets to broadcast clients. This attack causes the clients to stop synchronizing their system time from the broadcast server, which causes their time to become out of sync and results in denial of service.

CVE-2015-8138

Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
References | SecurityFocus: BID 81811 / NVD: CVE-2015-8138
Impact | Denial of service, unauthorized modification of system time
Description | A flaw in ntpd allows a remote attacker to send a forged time packet to an NTP client. This attack causes the client to set its system time to an arbitrary value or stop synchronizing its time from the NTP server.

CVE-2015-8139

Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
References | SecurityFocus: BID 82105 / NVD: CVE-2015-8139
Impact | Unauthorized modification of system time
Description | A flaw in ntpd allows a remote attacker to obtain timestamp information from an NTP client and use the information to send a forged time packet to the client. This attack can cause the client to set its system time to an arbitrary value.

CVE-2015-8140

Severity / CVSSv2 | Medium / 5.4 (AV:A/AC:M/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 82102 / NVD: CVE-2015-8140
Impact | Unauthorized modification of data
Description | A flaw in the ntpq protocol allows replay attacks. A remote attacker can sniff an ntpq configuration command and replay it at a later time, modifying the victim’s ntpd configuration in an unexpected way.

CVE-2015-8158

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 81814 / NVD: CVE-2015-8158
Impact | Denial of service
Description | A flaw in ntpq and ntpdc allows an attacker to send a crafted response to ntpq or ntpdc and force them to enter an infinite loop. This attack results in denial of service.

MITIGATION

These vulnerabilities can be exploited only through the management network port for CAS, Director, MC, and XOS. Allowing only machines, IP addresses and subnets from a trusted network to access the management network port reduces the threat of exploitation.

By default, Director, Security Analytics and XOS do not run ntpd with the -g command line option, and do not enable NTP broadcast mode, symmetric authentication, remote querying, and remote configuration. Customers who leave these NTP features disabled prevent attacks against these products using the following vulnerabilities:

  • Director and Security Analytics: CVE-2015-5300, CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, CVE-2015-8140.
  • XOS: CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, CVE-2015-8140.
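
One way to check that a generic ntpd deployment still has these features disabled is to audit its command line and `ntp.conf`. The following is an added example, not code from the advisory or from any Blue Coat product. The mapping from `ntp.conf` directives to the features named above, the list of ntpd options that take an argument, the sample configurations and the host name `time.example.net` are assumptions made for illustration.

```python
import shlex

# Constructed sample inputs (not taken from any product).
HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
server time.example.net iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
"""
RISKY_CONF = """\
server time.example.net key 1
keys /etc/ntp/keys      # symmetric-key file
trustedkey 1
controlkey 1
broadcastclient
restrict default kod notrap
"""

# Assumption: ntpd short options that consume an argument (ntpd manual page).
OPTS_WITH_ARG = set("cfiIklpPrstuUvVwD")
LOOPBACK = {"127.0.0.1", "::1"}


def has_panicgate(cmdline):
    """True if ntpd is started with -g / --panicgate."""
    for tok in shlex.split(cmdline)[1:]:
        if tok == "--panicgate":
            return True
        if tok.startswith("-") and not tok.startswith("--"):
            for ch in tok[1:]:
                if ch == "g":
                    return True
                if ch in OPTS_WITH_ARG:   # rest of the token is an argument
                    break
    return False


def audit_conf(conf_text):
    """Return the sorted list of advisory-named features the config enables."""
    found, ctl_key, saw_default = set(), False, False
    open_query = open_modify = False
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        kw, args = words[0].lower(), words[1:]
        if kw in ("broadcast", "broadcastclient", "multicastclient"):
            found.add("broadcast mode")
        elif kw in ("keys", "trustedkey") or (kw in ("server", "peer") and "key" in args):
            found.add("symmetric authentication")
        elif kw in ("controlkey", "requestkey"):
            ctl_key = True                # needed for ntpq/ntpdc runtime config
        elif kw == "restrict":
            args = [a for a in args if a not in ("-4", "-6")]
            if not args or args[0] in LOOPBACK:
                continue
            flags = set(args[1:])
            saw_default = saw_default or args[0] == "default"
            open_query |= not flags & {"noquery", "ignore"}
            open_modify |= not flags & {"nomodify", "noquery", "ignore"}
    if not saw_default:                   # no default restriction: ntpd answers everyone
        open_query = open_modify = True
    if open_query:
        found.add("remote querying")
    if open_modify and ctl_key:
        found.add("remote configuration")
    return sorted(found)
```

An empty result from `audit_conf` together with `has_panicgate` returning `False` corresponds to the default posture the advisory describes for Director, Security Analytics and XOS.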

REFERENCES

NTP Project Security Notice - <https://support.ntp.org/bin/view/Main/SecurityNotice>
Attacking the Network Time Protocol (technical paper) - <https://www.cs.bu.edu/~goldbe/NTPattack.html>
Attacking NTP’s Authenticated Broadcast Mode - <https://www.cs.bu.edu/~goldbe/papers/NTPbroadcast.html>

REVISION

2021-08-27 WSS Agent is not vulnerable.
2020-11-17 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided.
2020-04-23 A fix for CVE-2015-7973 and CVE-2015-7976 in Reporter 10.3 will not be provided. Please upgrade to a later release with the vulnerability fixes. Reporter 10.5 is not vulnerable to CVE-2015-7973 and CVE-2015-7976 because a fix is available in 10.5.1.1.
2019-10-07 WI 1.12 and 1.13 have vulnerable versions of the NTP software distribution from ntp.org for CVE-2015-8139 and CVE-2015-8140, but do not enable remote querying and configuration in ntpd, so they are not vulnerable to known vectors of attack. Fixes will not be provided.
2019-08-28 Reporter 10.3 and 10.4 have vulnerable versions of the NTP software distribution from ntp.org, but are not vulnerable to known vectors of attack.
2019-01-21 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable to CVE-2015-7973 and CVE-2015-7976. SA 8.0 is vulnerable to CVE-2015-8139 and CVE-2015-8140. By default, SA 8.0 does not enable NTP remote configuration.
2019-01-18 SSLV 4.x is not vulnerable to CVE-2015-8139 and CVE-2015-8140 because a fix is available in 4.0.2.1.
2018-04-22 CAS 2.3 has a vulnerable version of the NTP software distribution from ntp.org, but is not vulnerable to known vectors of attack. A fix for CVE-2015-8139 and CVE-2015-8140 will not be provided. CAS 2.3 does not enable remote configuration in the NTP reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140.
2017-11-08 CAS 2.2 has a vulnerable version of the NTP software distribution from ntp.org, but is not vulnerable to known vectors of attack. A fix for CVE-2015-8139 and CVE-2015-8140 will not be provided. CAS 2.2 does not enable remote configuration in the NTP reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140.
2017-11-07 MC 1.8 and later releases have a vulnerable version of the NTP software distribution from ntp.org for CVE-2015-8139 and CVE-2015-8140. A fix will not be provided. MC does not enable remote configuration in the NTP reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140.
2017-11-06 ASG 6.7 has a vulnerable version of the NTP software distribution from ntp.org for CVE-2015-8139 and CVE-2015-8140. A fix will not be provided. ASG 6.7 does not enable remote configuration in the NTP reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140.
2017-11-04 It was previously reported that SSLV 4.0 and 4.1 are not vulnerable. Further investigation indicates that SSLV 4.x has a vulnerable version of the NTP software distribution from ntp.org for CVE-2015-8139 and CVE-2015-8140. Fixes will not be provided. SSLV 4.x does not enable remote configuration and is not vulnerable to known vectors of attack.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-20 MC 1.10 has a vulnerable version of the NTP software distribution from ntp.org, but is not vulnerable to known vectors of attack. A fix for CVE-2015-8139 and CVE-2015-8140 in MC 1.9 will not be provided. MC 1.9 does not enable remote configuration in the NTP reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140.
2017-07-18 A fix for CVE-2015-8139 and CVE-2015-8140 will not be provided for ASG, CA, Director, MC, Reporter, and Security Analytics. These products do not enable remote configuration in the NTP reference implementation and are not vulnerable to known vectors of attack.
2017-06-22 Security Analytics 7.3 is vulnerable to CVE-2015-8139 and CVE-2015-8140.
2017-05-17 CAS 2.1 has a vulnerable version of the NTP software distribution from ntp.org, but is not vulnerable to known vectors of attack.
2017-03-30 MC 1.8 and 1.9 have a vulnerable version of the NTP software distribution from ntp.org, but are not vulnerable to known vectors of attack.
2017-03-29 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 in ASG 6.6 is available in 6.6.5.4.
2017-03-16 A fix for all CVEs in SSLV 3.10 is available in 3.10.2.1.
2017-03-08 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 in Director is available in 6.1.22.1.
2017-03-06 MC 1.8 is not vulnerable. SSLV 4.0 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2017-01-25 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 in SA 7.2 is available in 7.2.2.
2017-01-24 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 in CAS 1.3 is available in 1.3.7.3.
2017-01-13 A fix for all CVEs in SSLV 3.9 is available in 3.9.7.1.
2017-01-10 A fix for all CVEs except for CVE-2015-8139 and CVE-2015-8140 in Reporter 10.1 is available in 10.1.5.1.
2016-12-04 A fix is available in SSLV 3.11.1.1.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-14 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 is available in MC 1.7.2.1.
2016-11-11 SSLV 3.10 is vulnerable to CVE-2015-7974 and CVE-2015-8138. A fix is not available at this time.
2016-11-08 A fix for all CVEs except CVE-2015-8140 in Security Analytics 6.6 and 7.1 is available through a patch RPM from Blue Coat Support. SA 7.2 is vulnerable to CVE-2015-7973, CVE-2015-7976, and CVE-2015-8140.
2016-10-26 MC 1.6 and 1.7 are vulnerable to CVE-2015-8158. They also have vulnerable code for multiple CVEs, but are not vulnerable to known vectors of attack. See Advisory Details section for a list of CVEs. A fix will not be provided for MC 1.6. Please upgrade to a later version with the vulnerability fixes.
2016-07-18 A fix for CVE-2015-7974, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8158 in Security Analytics 6.6 and 7.1 is available through a patch RPM from customer support. A fix for the other CVEs is not available at this time.
2016-06-23 A fix for CVE-2015-5300 and CVE-2015-8138 is available in ASG 6.6.4.1.
2016-05-17 A fix for CVE-2015-5300 and CVE-2015-8138 is available in Security Analytics 6.6.12 and 7.1.11.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-24 MTD 1.1 is vulnerable to CVE-2015-8158. It also has vulnerable code for a number of CVEs, but is not vulnerable to known vectors of attack.
2016-04-01 A fix for CVE-2015-5300 and CVE-2015-8138 in Reporter 10.1 is available in 10.1.4.1.
2016-03-28 Previously it was reported that SSLV has vulnerable code for CVE-2015-7975. Further investigation has shown that SSLV is not vulnerable to this CVE.
2016-03-14 A fix for CVE-2015-5300 and CVE-2015-8138 in CAS 1.3 is available in 1.3.6.1. A fix for CVE-2015-5300 and CVE-2015-8138 in MC 1.5 is available in 1.5.3.1.
2016-03-03 initial public release
