SA117 : OpenSSL Vulnerabilities 1-Mar-2016

SUMMARY

Blue Coat products using affected versions of OpenSSL are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to decrypt live and recorded SSL sessions, cause denial of service through application crashes, and possibly execute arbitrary code. A local, authenticated attacker can also recover RSA private keys.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway

CVE |Affected Version(s)|Remediation
CVE-2016-0797, CVE-2016-0799,
CVE-2016-2842 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
6.6 | Upgrade to 6.6.5.4.
CVE-2016-0705, CVE-2016-0798 | 6.7 | Not vulnerable, fixed in 6.7.2.1
6.6 (not vulnerable to known vectors of attack) | Upgrade to 6.6.5.13.
CVE-2015-0800 | 6.6 and later (only when SSLv2 enabled for management console, forward proxy, or reverse proxy) | See Mitigation section for instructions to disable SSLv2.

Android Mobile Agent

CVE |Affected Version(s)|Remediation
CVE-2016-0797, CVE-2016-0799,
CVE-2016-2842 | 1.3 | Upgrade to 1.3.8.

BCAAA

CVE |Affected Version(s)|Remediation
CVE-2016-0702, CVE-2016-0705,
CVE-2016-0797, CVE-2016-0799,
CVE-2016-2842 | 6.1 (only when a Novell SSO realm is used) | An updated Novell SSO SDK is no longer available. Please, contact Novell for more information.

CacheFlow

CVE |Affected Version(s)|Remediation
CVE-2016-0797, CVE-2016-0799,
CVE-2016-2842 | 3.4 | Upgrade to 3.4.2.7.
CVE-2016-0705, CVE-2016-0798 | 3.4 (not vulnerable to known vectors of attack) | Upgrade to 3.4.2.8.
CVE-2015-0800 | 3.4 | See Mitigation section for instructions to disable SSLv2.

Client Connector

CVE |Affected Version(s)|Remediation
CVE-2016-0702, CVE-2016-0797,
CVE-2016-0799, CVE-2016-2842 | 1.6 | Upgrade to latest release of Unified Agent with fixes.

Content Analysis System

CVE |Affected Version(s)|Remediation
CVE-2016-0705, CVE-2016-0797,
CVE-2016-0799, CVE-2016-2842 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1
1.3 | Upgrade to 1.3.7.1.
1.2 | Upgrade to later release with fixes.
CVE-2015-0800 | 1.2 and later (secure ICAP server) | See Mitigation section for instructions to disable SSLv2.
1.3 (management console) | Not vulnerable, fixed in 1.3.1.1
1.2 (management console) | Upgrade to 1.2.4.5.

Director

CVE |Affected Version(s)|Remediation
CVE-2016-0702, CVE-2016-0797,
CVE-2016-0799, CVE-2016-0800,
CVE-2016-2842 | 6.1 | Upgrade to 6.1.22.1.

IntelligenceCenter

CVE |Affected Version(s)|Remediation
CVE-2016-0702, CVE-2016-0705,
CVE-2016-0797, CVE-2016-0798,
CVE-2016-0799, CVE-2016-0800,
CVE-2016-2842 | 3.3 | Upgrade to a version of NetDialog NetX with fixes.

Mail Threat Defense

CVE |Affected Version(s)|Remediation
CVE-2016-0705, CVE-2016-0797 | 1.1 | Upgrade to 1.1.2.1.
CVE-2016-0702, CVE-2016-0800 | 1.1 (not vulnerable to known vectors of attack) | Upgrade to 1.1.2.1.
CVE-2016-0799, CVE-2016-2842 | 1.1 | Not available at this time

Malware Analysis Appliance

CVE |Affected Version(s)|Remediation
CVE-2016-0702, CVE-2016-0797,
CVE-2016-0799, CVE-2016-2842 | 4.2 | Upgrade to 4.2.9.

Management Center

CVE |Affected Version(s)|Remediation
CVE-2016-0799, CVE-2016-2842 | 1.6 and later | Not vulnerable, fixed in 1.6.1.1
1.5 | Upgrade to later release with fixes.

Norman Shark Industrial Control System Protection

CVE |Affected Version(s)|Remediation
CVE-2016-0797, CVE-2016-0799,
CVE-2016-2842 | 5.4 and later | Not vulnerable, fixed in 5.4.1
5.3 | Upgrade to 5.3.6.

Norman Shark Network Protection

CVE |Affected Version(s)|Remediation
CVE-2016-0797, CVE-2016-0799,
CVE-2016-2842 | 5.3 | Upgrade to 5.3.6.

Norman Shark SCADA Protection

CVE |Affected Version(s)|Remediation
CVE-2016-0797, CVE-2016-0799,
CVE-2016-2842 | 5.3 | Upgrade to 5.3.6.

PacketShaper

CVE |Affected Version(s)|Remediation
CVE-2016-0797, CVE-2016-0799,
CVE-2016-2842 | 9.2 | Upgrade to 9.2.13p2.

PacketShaper S-Series

CVE |Affected Version(s)|Remediation
All CVEs | 11.6 and later | Not vulnerable, fixed in 11.6.1.1
CVE-2016-0702, CVE-2016-0705,
CVE-2016-0797, CVE-2016-0800 | 11.5 | Upgrade to 11.5.3.1.
CVE-2016-0799, CVE-2016-2842 | 11.5 | Upgrade to 11.5.3.2.
All CVEs | 11.2, 11.3, 11.4 | Upgrade to later release with fixes.

PolicyCenter

CVE |Affected Version(s)|Remediation
CVE-2016-0797, CVE-2016-0799,
CVE-2016-2842 | 9.2 | Upgrade to 9.2.13p2.

PolicyCenter S-Series

CVE |Affected Version(s)|Remediation
CVE-2016-0702, CVE-2016-0705,
CVE-2016-0797, CVE-2016-0800 | 1.1 | Upgrade to 1.1.2.1.
CVE-2016-0799, CVE-2016-2842 | 1.1 | Upgrade to 1.1.2.2.

ProxyAV

CVE |Affected Version(s)|Remediation
CVE-2016-0703, CVE-2016-0704,
CVE-2016-0705, CVE-2016-0797,
CVE-2016-0799, CVE-2016-2842 | 3.5 | Upgrade to 3.5.4.2.
CVE-2016-0800 | 3.5 | See Mitigation section for instructions to disable SSLv2.

ProxyClient

CVE |Affected Version(s)|Remediation
CVE-2016-0702, CVE-2016-0797,
CVE-2016-0799, CVE-2016-2842 | 3.4 | Upgrade to latest release of Unified Agent with fixes.

ProxySG

CVE |Affected Version(s)|Remediation
All CVEs except CVE-2016-0800 | 6.7 and later | Not vulnerable, fixed in 6.7.1.1
CVE-2016-0800 | 6.5 and later (only when SSLv2 enabled for management console, forward proxy, or reverse proxy) | See Mitigation section for instructions to disable SSLv2.
CVE-2016-0702, CVE-2016-0797 | 6.6 | Upgrade to 6.6.4.3.
6.5 | Upgrade to 6.5.9.8.
CVE-2016-0799, CVE-2016-2842 | 6.6 | Upgrade to 6.6.4.1.
6.5 | Upgrade to 6.5.9.8.
CVE-2016-0705, CVE-2016-0798 | 6.6 (not vulnerable to known vectors of attack) | Upgrade to 6.6.5.13.
6.5 (not vulnerable to known vectors of attack) | Upgrade to 6.5.10.4.

Reporter

CVE |Affected Version(s)|Remediation
CVE-2016-0702 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.4.1.
9.5 | Upgrade to 9.5.3.1.
9.4 | Upgrade to later release with fixes.
CVE-2016-0703, CVE-2016-0704 | 10.1 and later | Not vulnerable, fixed in 10.1.1.1
9.5 | Upgrade to 9.5.3.1.
9.4 | Upgrade to later release with fixes.
CVE-2016-0705 | 10.2 | Not vulnerable, fixed in 10.2.1.1
10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.4.1.
9.5 (not vulnerable to known vectors of attack) | Upgrade to 9.5.3.1.
9.4 | Not vulnerable
CVE-2016-0797 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
10.1 | Upgrade to 10.1.4.1.
9.5 | Upgrade to 9.5.3.1.
9.4 | Upgrade to later release with fixes.
CVE-2016-0798 | 10.1 and later | Not vulnerable
9.5 (not vulnerable to known vectors of attack) | Upgrade to 9.5.3.1.
9.4 | Not vulnerable
CVE-2016-0799, CVE-2016-2842 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
10.1 | Upgrade to 10.1.4.2.
9.5 | Upgrade to 9.5.3.1.
9.4 | Upgrade to later release with fixes.
CVE-2016-0800 | 9.4, 9.5 | See Mitigation section for instructions to disable SSLv2.

Security Analytics

CVE |Affected Version(s)|Remediation
All CVEs | 7.2 and later | Not vulnerable, fixed in 7.2.1.
CVE-2016-0702, CVE-2016-0705,
CVE-2016-0797, CVE-2016-0798 | 7.1 | Upgrade to 7.1.11.
7.0 | Upgrade to later release with fixes.
6.6 | Upgrade to 6.6.12.
CVE-2016-0799, CVE-2016-2842 | 7.1 | Apply patch RPM from customer support.
7.0 | Upgrade to later release with fixes.
6.6 | Apply patch RPM from customer support.

SSL Visibility

CVE |Affected Version(s)|Remediation
CVE-2016-0797, CVE-2016-0799,
CVE-2016-2842 | 3.10 and later | Not vulnerable, fixed in 3.10.1.1
3.9 | Upgrade to 3.9.3.6
3.8.4FC | Upgrade to later release with fixes.
3.8 | Upgrade to later release with fixes.

Unified Agent

CVE |Affected Version(s)|Remediation
CVE-2016-0702, CVE-2016-0797,
CVE-2016-0799, CVE-2016-2842 | 4.7 and later | Not vulnerable, fixed in 4.7.1
4.6 | Upgrade to later release with fixes.
4.1 | Upgrade to later release with fixes.

X-Series XOS

CVE |Affected Version(s)|Remediation
CVE-2015-0705, CVE-2016-0797 | 11.0 | Upgrade to 11.0.2
10.0 | Upgrade to 10.0.6
9.7 | Upgrade to later release with fixes.
CVE-2016-0703, CVE-2016-0704,
CVE-2016-0800 | 11.0 (not vulnerable to known vectors of attack) | 11.0.2
10.0 (not vulnerable to known vectors of attack) | 10.0.6
9.7 | Upgrade to later release with fixes.
CVE-2016-0702, CVE-2016-0799,
CVE-2016-2842 | 10.0, 11.0 | Not available at this time.
9.7 | Upgrade to later release with fixes.

ADDITIONAL PRODUCT INFORMATION

Blue Coat products may act as both client and server in SSL/TLS connections, and may use application functionality for cryptographic operations. Blue Coat products act as a client when connecting to Blue Coat services such as WebPulse, DRTR, and licensing and subscription services. Products should be considered vulnerable in all interfaces that provide SSL/TLS connections for data and management interfaces unless the CVE is specific to SSL/TLS client or server functionality (as noted in the descriptions above) or unless otherwise stated below:

• ASG: CVE-2016-0800 (DROWN) only affects management connections, the forward proxy service, and the reverse proxy service.
• CacheFlow: CVE-2016-0800 (DROWN) only affects management connections.
• CAS: CVE-2016-0800 (DROWN) only affects management connections and connections to the secure ICAP server.
• **IntelligenceCenter:**CVE-2016-0800 (DROWN) only affects management connections.
• MTD: CVE-2016-0800 (DROWN) only affects management connections.
• **PacketShaper S-Series:**CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 (DROWN) only affect management connections.
• **PolicyCenter S-Series:**CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 (DROWN) only affect management connections.
• ProxyAV: CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 (DROWN) only affect management connections and connections to the secure ICAP server.
• ProxySG: CVE-2016-0800 (DROWN) affects management connections, the forward proxy service, and the reverse proxy service.
• XOS: CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 (DROWN) only affect management connections.

Blue Coat products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs. However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.

Blue Coat products do not enable or use all functionality within OpenSSL. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

• ASG: CVE-2016-0702 (CacheBleed), CVE-2016-0705, and CVE-2016-0798
• Android Mobile Agent: CVE-2016-0705 and CVE-2016-0798
• CacheFlow: CVE-2016-0702 (CacheBleed), CVE-2016-0705, and CVE-2016-0798
• Client Connector for Windows: CVE-2016-0705
• CAS: CVE-2016-0702 (CacheBleed)
• MTD: CVE-2016-0702 (CacheBleed) and CVE-2016-0800 (DROWN)
• MAA: CVE-2016-0705 and CVE-2016-0798
• MC: CVE-2016-0702 (CacheBleed), CVE-2016-0705, and CVE-2016-0800 (DROWN).
• ICSP: CVE-2016-0705 and CVE-2016-0798
• NNP: CVE-2016-0705 and CVE-2016-0798
• NSP: CVE-2016-0705 and CVE-2016-0798
• PacketShaper: CVE-2016-0705 and CVE-2016-0798
• PolicyCenter: CVE-2016-0705 and CVE-2016-0798
• ProxyAV: CVE-2016-0702 (CacheBleed) and CVE-2016-0798
• ProxyClient for Windows: CVE-2016-0705
• ProxySG: CVE-2016-0705 and CVE-2016-0798
• Reporter: CVE-2016-0702 (9.4 and 9.5), CVE-2016-0705 (9.5 and 10.1), and CVE-2016-0798 (9.5 and 10.1)
• SSLV: CVE-2016-0702 (CacheBleed), CVE-2016-0705, and CVE-2016-0798
• Unified Agent: CVE-2016-0705 (4.1 and 4.6) and CVE-2016-0798 (4.6 only)
• XOS: CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 (DROWN)

The following products are not vulnerable:
AuthConnector
Blue Coat HSM Agent for the Luna SP
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
ProxyAV ConLog and ConLogXP
Web Isolation

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.

The following products are under investigation:
**IntelligenceCenter Data Collector

**

ISSUES

CVE-2016-0702 (CacheBleed)

Severity / CVSSv2 | Low / 1.9 (AV:L/AC:M/Au:N/C:P/I:N/A:N) References| SecurityFocus: NVD: CVE-2016-0702 Impact| Information disclosure Description | A flaw in the modular exponentiation implementation allows a local attacker controlling a processing thread running on an Intel Sandy Bridge CPU hyper-threaded core to use cache bank conflicts to recover RSA keys from another thread performing RSA operations on the same CPU core.

CVE-2016-0703

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) References| SecurityFocus: BID 83743 / NVD: CVE-2016-0703 Impact| Information disclosure Description | A flaw in the SSLv2 server module allows a remote man-in-the-middle (MITM) attacker to intercept an SSLv2 handshake and perform an oracle attack against the SSLv2 server to recover the session master secret. The attacker can use the master secret to decrypt and modify the encrypted data in the live SSLv2 session. This attack is a more efficient variant of the DROWN attack (CVE-2016-0800) that does not require the affected server to support export-grade cipher suites.

CVE-2016-0704

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) References| SecurityFocus: BID 83764 / NVD: CVE-2016-0704 Impact| Information disclosure Description | A flaw in the SSLv2 server module allows a remote MITM attacker to intercept an SSLv2 handshake and perform an oracle attack against the SSLv2 server to recover the session master secret. The attacker can use the master secret to decrypt and modify the encrypted data in the live SSLv2 session. This attack is a more efficient variant of the DROWN attack (CVE-2016-0800) that does not require the affected server to support export-grade cipher suites.

CVE-2016-0705

Severity / CVSSv2 | High / 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) References| SecurityFocus: BID 83754 / NVD: CVE-2016-0705 Impact| Denial of service Description | A flaw in DSA private key parsing allows a remote attacker to send a malformed DSA private key to the target and cause memory corruption, resulting in an application crash and denial of service.

CVE-2016-0797

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 83763 / NVD: CVE-2016-0797 Impact| Denial of service, code execution Description | A flaw in large number binary conversion allows a remote attacker to send a large decimal or hexadecimal number to the target and cause memory corruption. This attack can result in denial of service through an application crash, or possible arbitrary code execution.

CVE-2016-0798

Severity / CVSSv2 | High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) References| SecurityFocus: BID 83705 / NVD: CVE-2016-0798 Impact| Denial of service Description | A flaw in SRP user lookups allows a remote attacker to connect to an SRP server with an invalid SRP user name and cause a memory leak on the server, resulting in an application crash and denial of service.

CVE-2016-0799

Severity / CVSSv2 | High / 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) References| SecurityFocus: BID 83755 / NVD: CVE-2016-0799 Impact| Denial of service Description | A flaw in string formatting during large string input/output allows a remote attacker to send a large string to the target and cause illegal memory accesses, resulting in an application crash and denial of service.

CVE-2016-0800 (DROWN)

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) References| SecurityFocus: BID 83733 / NVD: CVE-2016-0800 Impact| Information disclosure Description | A padding oracle flaw in the SSLv2 protocol allows a remote attacker to decrypt passively captured sessions to a TLSv1.x server if the server uses the same RSA private key as a server that support SSLv2 and export-grade cipher suites.

CVE-2016-2842

Severity / CVSSv2 | High / 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) References| SecurityFocus: BID 84169 / NVD: CVE-2016-2842 Impact| Denial of service Description | A flaw in memory allocation during large string input/output allows a remote attacker to send a large string to the target and cause illegal memory accesses, resulting in an application crash and denial of service.

MITIGATION

Blue Coat’s ProxySG appliance can be used to prevent the DROWN attacks using CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800. Customers using ProxySG as a forward proxy can protect TLS servers by blocking SSLv2 flows. ProxySG 6.5 and 6.6 customers can use the following CPL syntax:

<SSL>
client.connection.negotiated_ssl_version=SSLV2 deny
<SSL>
server.connection.negotiated_ssl_version=SSLV2 deny

CVE-2016-0800 (DROWN) can be remediated on ASG and ProxySG by disabling SSLv2 for the HTTPS management console and reverse proxy service. SSLv2 cannot be disabled for HTTPS forward proxy deployments, but SSLv2 connections can be blocked using the CPL syntax above.

CVE-2016-0800 (DROWN) can be remediated on CacheFlow by ensuring that SSLv2 is disabled for the management console. Customers should use the following steps in config mode to limit the SSL/TLS versions used by the management console to TLSv1.1 and TLSv1.2:

management-services
edit HTTPS-Console
attribute ssl-versions tlsv1.1v1.2
exit
exit

CVE-2016-0800 (DROWN) can be remediated on CAS by ensuring that SSLv2 is disabled for the secure ICAP server. To view the enabled SSL/TLS protocols, access the CAS management console and navigate to the “Settings > ICAP” page. Deselect SSLv2 under “TLS Settings” and save the changes.

CVE-2016-0800 (DROWN) can be remediated on ProxyAV by disabling SSLv2 for SSL clients, the management console and the secure ICAP server. To view the enabled SSL/TLS protocols, access the ProxyAV management console. Navigate to “Advanced/SSL Client” for the SSL client settings, “Network” for the management console settings and “ICAP Settings” for the secure ICAP server settings. Deselect SSLv2 under “SSL protocols” and save the changes on each of these pages.

CVE-2016-0800 (DROWN) can be remediated on Reporter 9.5 by disabling SSLv2 for the management console. To view the enabled SSL/TLS protocols, access the /settings/preferences.cfg file in the Reporter 9.5 installation directory. Ensure that the following line is set to “false”:

ssl_v2="false"

By default Director does not enable SSLv2 for management connections. Customers who do not change this default behavior prevent attacks against Director using CVE-2016-0800 (DROWN).

REFERENCES

OpenSSL Security Advisory - <https://www.openssl.org/news/secadv/20160301.txt&gt;
DROWN: Breaking TLS using SSLv2 - <https://drownattack.com/&gt;
CacheBleed: A Timing Attack on OpenSSL Constant Time RSA - <http://ssrg.nicta.com.au/projects/TS/cachebleed/&gt;

REVISION

2020-04-22 Advisory status move to Closed.
2019-10-02 Web Isolation is not vulnerable.
2019-09-07 Updated vulnerability information for Reporter.
2019-08-20 A fix for IntelligenceCenter (IC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2018-09-24 A fix for SSLV 3.8.4FC will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CAS 2.3 is vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the secure ICAP server. A fix will not be provided. Disabling SSLv2 in the secure ICAP server prevents attacks using CVE-2016-0800 (DROWN). See Workarounds section for instructions how to disable SSLv2. PacketShaper S-Series 11.10 is not vulnerable.
2017-05-19 CAS 2.2 is vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the secure ICAP server. A fix will not be provided. Disabling SSLv2 in the secure ICAP server prevents attacks using CVE-2016-0800 (DROWN). See Workarounds section for instructions how to disable SSLv2.
2017-11-06 ASG 6.7 is vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled. A fix will not be provided. Disabling SSLv2 for the management console, forward proxy service, and reverse proxy service prevents attacks using CVE-2016-0800 (DROWN). See Workarounds section for instructions how to disable SSLv2.
2017-11-05 A fix for CVE-2015-0705 and CVE-2015-0798 in ASG 6.6 and ProxySG 6.6 is available in 6.6.5.13.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-21 Reporter 9.4, 9.5, and 10.1 are vulnerable to CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842. Reporter 9.4 and 9.5 are also vulnerable to CVE-2016-0702, CVE-2016-0703, CVE-2016-0704. Reporter 9.4 and 9.5 are also vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the management console. A fix for all CVEs except CVE-2016-0800 (DROWN) in Reporter 9.5 is available in 9.5.3. A fix for CVE-2016-0800 (DROWN) will not be provided. Disabling SSLv2 for the management console prevents attacks using CVE-2016-0800 (DROWN). See Workarounds section for instructions how to disable SSLv2. A fix for Reporter 10.1 is available in 10.1.4.2.
2017-07-20 MC 1.10 is not vulnerable.
2017-07-12 A fix for CVE-2016-0800 in CacheFlow will not be provided. Disabling SSLv2 for the management console prevents attacks using CVE-2016-0800 (DROWN). See Workarounds section for instructions how to disable SSLv2.
2017-06-30 A fix for the remaining CVE-2016-0705 and CVE-2016-0798 in ProxySG 6.5 is available in 6.5.10.4.
2016-06-30 A fix for ProxyAV 3.5 is available in 3.5.4.2.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-19 CAS 2.1 is vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the secure ICAP server. A fix will not be provided. Disabling SSLv2 in the secure ICAP server prevents attacks using CVE-2016-0800 (DROWN). See Workarounds section for instructions how to disable SSLv2.
2017-04-29 A fix for CVE-2016-0705 and CVE-2016-0798 in CacheFlow 3.4 is available in 3.4.2.8.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-29 A fix for all CVEs except CVE-2016-0705 and CVE-2016-0798 in ASG 6.6 is available in 6.6.5.4.
2017-03-06 MC 1.8 is not vulnerable. SSLV 4.0 is not vulnerable. ProxySG 6.7 is vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the management console, forward proxy service, or reverse proxy service. A fix will not be provided. Disabling SSLv2 for the management console, forward proxy service, and reverse proxy service prevents attacks using CVE-2016-0800 (DROWN).
2017-02-07 A fix for Android Mobile Agent is avaialble in 1.3.8.
2016-11-29 A fix for Director is available in 6.1.22.1. PacketShaper S-Series 11.7 is not vulnerable. SSLV 3.11 is not vulnerable. Customers should contact Digital Guardian regarding vulnerability information for DLP. A fix for CVE-2016-0800 (DROWN) will not be provided for ProxySG 6.5 and 6.6. Disabling SSLv2 for the management console, forward proxy service, and reverse proxy service prevents attacks using CVE-2016-0800 (DROWN). See Workarounds section for instructions how to disable SSLv2.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-11-03 MC 1.5 has vulnerable code for CVE-2016-0800 (DROWN), but is not vulnerable to known vectors of attack. A fix for MC 1.5 will not be provided. A fix for MC 1.6 is available in 1.6.1.1. MC 1.7 is not vulnerable.
2016-11-03 A fix for PacketShaper 9.2 is available in 9.2.13p2. A fix for PolicyCenter 9.2 is available in 9.2.13p2.
2016-08-19 A fix for CVE-2016-0702 (CacheBleed), CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842 in CacheFlow is available in 3.4.2.7.
2016-08-12 A fix for all CVEs except CVE-2016-0800 (DROWN) in CAS 1.3 is available in 1.3.7.1. A fix for CVE-2016-0800 (DROWN) will not be provided. Disabling SSLv2 in the secure ICAP server prevents attacks using CVE-2016-0800 (DROWN). See Workarounds section for instructions how to disable SSLv2. Security Analytics 7.2 is not vulnerable.
2016-08-10 A fix for Unified Agent is available in 4.7.1. CacheFlow 3.4 has vulnerable code for CVE-2016-0702 (CacheBleed), but is not vulnerable to known vectors of attack.
2016-07-25 Corrected the outstanding fixes for ProxySG 6.6 in the Patches section.
2016-07-23 A fix for CVE-2016-0702 and CVE-2016-0797 in ProxySG 6.6 is available in 6.6.4.3
2016-07-16 It was previously reported that XOS is vulnerable to CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 (DROWN). Further investigation has shown that XOS only has vulnerable code for those CVEs, but is not vulnerable to known vectors of attack. Fixes for CVE-2016-0703, CVE-2016-0704, CVE-2015-0705, CVE-2016-0797, and CVE-2016-0800 (DROWN) are available in XOS 10.0.6 and 11.0.2.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable.
2016-06-28 Fixes for PacketShaper S-Series 11.2, 11.3, and 11.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-06-27 A fix for Client Connector will not be provided. Please upgrade to the latest version of Unified Agent with the vulnerability fixes.
2016-06-24 A fix for all CVEs in PacketShaper S-Series is available in 11.5.3.2. A fix for all CVEs in PolicyCenter S-Series is available in 1.1.2.2.
2016-06-21 It was previously reported that a fix for CVE-2016-0702 (CacheBleed) and CVE-2016-0797 for ProxySG 6.6 is provided in 6.6.4.1. Further investigation has shown that ProxySG 6.6 is still vulnerable to these CVEs.
2016-06-21 A fix for CVE-2016-0702 (CacheBleed), CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842 in ProxySG 6.6 is available in 6.6.4.1. A fix for the other CVEs is not available at this time.
2016-06-14 A fix for SA 7.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-06-11 A fix for CVE-2016-0702 (CacheBleed), CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842 in ProxySG 6.5 is available in 6.5.9.8. A fix for the other CVEs is not available at this time.
2016-06-07 A fix for SSLV 3.9 is available in 3.9.3.6. No version of SSLV is vulnerable to CVE-2016-0800 (DROWN).
2016-06-03 A fix for MAA is available in 4.2.9.
2016-05-25 The remaining fixes for Security Analytics 6.6 and 7.1 are available through a patch RPM from Blue Coat Support.
2016-05-17 Security Analytics 6.6, 7.0 and 7.1 are vulnerable and partial fixes are available in 6.6.12 and 7.1.11.
2016-05-12 A fix for SSLV 3.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-28 Fixes for CVE-2016-0702 (CacheBleed), CVE-2016-0705, CVE-2016-0797, and CVE-2016-0800 (DROWN) are available in PS S-Series 11.5.3.1 and PC S-Series 1.1.2.1.
2016-04-25 MTD 1.1 is vulnerable to and has vulnerable code for multiple CVEs. A partial fix is available in MTD 1.1.2.1.
2016-04-21 PacketShaper S-Series and PolicyCenter S-Series are not vulnerable to CVE-2016-0703 and CVE-2016-0704.
2016-04-15 A fix will not be provided for CAS 1.2. Please upgrade to a later version with the vulnerability fixes.
2016-04-12 Updated CVSS v2 scores to match the scores in the National Vulnerability Database. Added CVE-2016-2842 as a vulnerability independent of CVE-2016-0799.
2016-03-07 initial public release