Lucene search

K
symantecSymantec Security ResponseSMNTC-1374
HistoryJul 07, 2016 - 8:00 a.m.

SA128 : Multiple PCRE Vulnerabilities

2016-07-0708:00:00
Symantec Security Response
18

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:P/A:C

SUMMARY

Blue Coat products that include vulnerable versions of the PCRE and GLib2 libraries are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to execute arbitrary code and obtain sensitive information. The attacker can also cause denial of service through application crashes, buffer overflows, integer overflows, and excessive CPU consumption.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway (ASG)

CVE |Affected Version(s)|Remediation
CVE-2015-8381, CVE-2015-8383,
CVE-2015-8384, CVE-2015-8389,
CVE-2015-8392, CVE-2015-8395,
CVE-2016-1283 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
6.6 (vulnerable) | Upgrade to 6.6.5.1.
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8386, CVE-2015-8387,
CVE-2015-8388, CVE-2015-8390,
CVE-2015-8394, CVE-2016-3191 | 7.2 and later (not vulnerable to known vectors of attack) | Not available at this time
7.1 | Upgrade to later release with fixes.
6.6 (vulnerable) | Upgrade to 6.6.5.1.
CVE-2015-8380, CVE-2015-8391,
CVE-2015-8393 | 7.1 | Upgrade to later release with fixes.
6.7 starting with 6.7.4.2, 7.2 and later (not vulnerable to known vectors of attack) | Not available at this time
6.7 prior to 6.7.4.2 | Not vulnerable, fixed.
6.6 (vulnerable) | Upgrade to 6.6.5.1.

CacheFlow

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8387,
CVE-2015-8394 | 3.4 | Fixed in 3.4.2.9

Director

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8386 | 6.1 | Upgrade to a version of MC with the fixes.

Norman Shark Network Protection (NNP)

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8387, CVE-2015-8388,
CVE-2015-8390, CVE-2015-8393,
CVE-2015-8394 | 5.3 | Upgrade to 5.3.6.

ProxySG

CVE |Affected Version(s)|Remediation
All CVEs | 6.7 | Not vulnerable, fixed in 6.7.1.1.
6.6 | Upgrade to 6.6.5.1.
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8386, CVE-2015-8387,
CVE-2015-8388, CVE-2015-8390,
CVE-2015-8394, CVE-2016-3191 | 6.5 | Upgrade to 6.5.9.11.

Security Analytics

CVE |Affected Version(s)|Remediation
CVE-2015-8380, CVE-2015-8385,
CVE-2015-8388, CVE-2015-8391,
CVE-2015-8392, CVE-2015-8393,
CVE-2016-3191 | 8.1, 8.2 | Not available at this time
7.3 starting with 7.3.2, 8.0 | Upgrade to later release with fixes.
7.3.1 | Not vulnerable, fixed.
7.2 | Upgrade to 7.2.2.
6.6, 7.1 | Not vulnerable
CVE-2015-8382, CVE-2015-8386,
CVE-2015-8387, CVE-2015-8390,
CVE-2015-8394 | 8.1, 8.2 | Not available at this time
7.3 starting with 7.3.2, 8.0 | Upgrade to later release with fixes.
7.3.1 | Not vulnerable, fixed
7.2 | Upgrade to 7.2.2.
6.6, 7.1 | Upgrade to later release with fixes.

X-Series XOS

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8386, CVE-2015-8388,
CVE-2016-3191 | 9.7, 10.0, 11.0 | A fix will not be provided.

The following products contain vulnerable versions of the PCRE or GLib2 libraries, but are not vulnerable to known vectors of attack:

Content Analysis System (CAS)

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8386, CVE-2015-8387,
CVE-2015-8388, CVE-2015-8390,
CVE-2015-8394, CVE-2016-3191 | 2.4 and later | Not available at this time
1.3, 2.1, 2.2, 2.3 | Upgrade to later release with fixes.
CVE-2015-8380, CVE-2015-8391,
CVE-2015-8393 | 3.0 and later | Not available at this time
1.3, 2.2, 2.2, 2.3, 2.4 | Not vulnerable

Integrated Security Gateway (ISG)

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8386, CVE-2015-8387,
CVE-2015-8388, CVE-2015-8390,
CVE-2015-8391, CVE-2015-8393,
CVE-2015-8394, CVE-2016-3191 | 2.1, 2.2, 2.3 | Not available at this time

Mail Threat Defense (MTD)

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8386, CVE-2015-8387,
CVE-2015-8388, CVE-2015-8390,
CVE-2015-8394, CVE-2016-3191 | 1.1 | Upgrade to a version of CAS and SMG with the fixes.

Malware Analysis Appliance (MAA)

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8387, CVE-2015-8388,
CVE-2015-8390, CVE-2015-8393,
CVE-2015-8394 | 4.2 | Upgrade to 4.2.10.

Management Center (MC)

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8386, CVE-2015-8387,
CVE-2015-8388, CVE-2015-8390,
CVE-2015-8394, CVE-2016-3191 | 3.1 and later | Not available at this time
1.5 - 3.0 | Upgrade to later release with fixes.

Norman Shark Industrial Control System Protection (ICSP)

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8387, CVE-2015-8388,
CVE-2015-8390, CVE-2015-8393,
CVE-2015-8394 | 5.3 | Upgrade to 5.3.6.

Norman Shark SCADA Protection (NSP)

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8387, CVE-2015-8388,
CVE-2015-8390, CVE-2015-8393,
CVE-2015-8394 | 5.3 | Upgrade to 5.3.6.

PacketShaper (PS)

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8386,
CVE-2015-8387, CVE-2015-8390,
CVE-2015-8394 | 9.2 | Allot Secure Service Gateway (SSG) is a replacement product for PacketShaper. Switch to a version of SSG with the vulnerability fixes.

PacketShaper (PS) S-Series

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8386, CVE-2015-8387,
CVE-2015-8388, CVE-2015-8390,
CVE-2015-8394, CVE-2016-3191 | 11.2 and later | Allot Secure Service Gateway (SSG) is a replacement product for PacketShaper S-Series. Switch to a version of SSG with the vulnerability fixes.

PolicyCenter (PC)

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8386,
CVE-2015-8387, CVE-2015-8390,
CVE-2015-8394 | 9.2 | Allot NetXplorer is a replacement product for PolicyCenter. Switch to a version of NetXplorer with the vulnerability fixes.

PolicyCenter (PC) S-Series

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8386, CVE-2015-8387,
CVE-2015-8388, CVE-2015-8390,
CVE-2015-8394, CVE-2016-3191 | 1.1 | Allot NetXplorer is a replacement product for PolicyCenter S-Series. Switch to a version of NetXplorer with the vulnerability fixes.

Reporter

CVE |Affected Version(s)|Remediation
CVE-2015-8380, CVE-2015-8391,
CVE-2015-8393 | 10.5, 10.6 | Not available at this time
10.3, 10.4 | Upgrade to later release with fixes.
10.1, 10.2 | Not vulnerable
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8386, CVE-2015-8387,
CVE-2015-8388, CVE-2015-8390,
CVE-2015-8394, CVE-2016-3191 | 10.5 | Not available at this time
10.1, 10.2, 10.3, 10.4 | Upgrade to later release with fixes.
9.4, 9.5 | Not vulnerable

SSL Visibility (SSLV)

CVE |Affected Version(s)|Remediation
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8386, CVE-2015-8387,
CVE-2015-8388, CVE-2015-8390,
CVE-2015-8394, CVE-2016-3191 | 4.5 | Not available at this time
4.0 - 4.4, 5.0 | Upgrade to later release with fixes.
CVE-2015-8380, CVE-2015-8391,
CVE-2015-8393 | 5.0 | Upgrade to later release with fixes.
4.5 | Not available at this time
4.0 - 4.4 | Not vulnerable
CVE-2015-8382, CVE-2015-8385,
CVE-2015-8387, CVE-2015-8390,
CVE-2015-8393, CVE-2015-8394
| 3.10 and later | Not vulnerable, fixed in 3.10.1.1
3.9 | Upgrade to 3.9.4.1.
3.8.4FC | Upgrade to later releases with fixes.

ADDITIONAL PRODUCT INFORMATION

ASG has multiple instances of the PCRE library. ASG is vulnerable prior to 6.6.5.1. The vulnerabilities are only exploitable in ASG when a malicious authenticated administrator with write access adds crafted regular expressions to policy. ASG versions starting with 6.6.5.1 only have vulnerable versions of the PCRE and GLib2 libraries, but they are not vulnerable to known vectors of attack.

The vulnerabilities are only exploitable in Director when a malicious authenticated administrator passes crafted regular expressions as arguments to CLI commands.

The vulnerabilities are only exploitable in ProxySG when a malicious authenticated administrator with write access adds crafted regular expressions to policy.

Some Blue Coat products do not accept regular expression patterns from untrusted sources and do not use the pcregrep utility. The products listed below include vulnerable versions of the PCRE or GLib2 libraries, but are not known to be vulnerable to the CVEs below. However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2015-8380, CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394, CVE-2016-3191
  • CAS: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
  • ISG: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394, CVE-2016-3191
  • MTD: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
  • MAA: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394
  • MC: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
  • ICSP: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394
  • NSP: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394
  • PS: CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394
  • PC: CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394
  • Reporter 10.x: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
  • SSLV 3.x: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393 and CVE-2015-8394
  • SSLV 4.0: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2016-3191
  • XOS 9.7: CVE-2015-8380, CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8392, CVE-2015-8393, CVE-2015-8394, CVE-2015-8395, and CVE-2016-1283

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
Unified Agent
Web Isolation
WSS Agent

Information about the following products is not available. NetDialog NetX is a replacement product for IntelligenceCenter.
IntelligenceCenter
IntelligenceCenter Data Collector

Blue Coat no longer provides vulnerability information for the following products:

DLP

Please, contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2015-8380

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 77695 / NVD: CVE-2015-8380 Impact| Denial of service, unspecified other impact Description | A flaw in regular expression execution allows a remote attacker to cause a heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8381

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 76187 / NVD: CVE-2015-8381 Impact| Denial of service, unspecified other impact Description | A flaw in group reference handling allows a remote attacker to cause a heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8382

Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P) References| SecurityFocus: BID 76157 / NVD: CVE-2015-8382 Impact| Information disclosure, denial of service Description | A flaw in regular expression execution allows a remote attacker to obtain sensitive information from the target’s memory or cause denial of service through application crashes.

CVE-2015-8383

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 79810 / NVD: CVE-2015-8383 Impact| Denial of service, unspecified other impact Description | A flaw in repeated conditional group handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8384

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 85555 / NVD: CVE-2015-8384 Impact| Denial of service, unspecified other impact Description | A flaw in recursive back reference handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8385

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 85572 / NVD: CVE-2015-8385 Impact| Denial of service, unspecified other impact Description | A flaw in forward reference handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8386

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 82990 / NVD: CVE-2015-8386 Impact| Denial of service, unspecified other impact Description | A flaw in lookbehind assertion and mutually recursive subpattern handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8387

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 82990 / NVD: CVE-2015-8387 Impact| Denial of service, unspecified other impact. Description | A flaw in subroutine call handling allows a remote attacker to cause an integer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8388

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 85576 / NVD: CVE-2015-8388 Impact| Denial of service, unspecified other impact Description | A flaw in unmatched closing parenthesis handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8389

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 82990 / NVD: CVE-2015-8389 Impact| Denial of service, unspecified other impact Description | A flaw in pattern handling allows a remote attacker to cause infinite recursion via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8390

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 82990 / NVD: CVE-2015-8390 Impact| Denial of service, unspecified other impact Description | A flaw in character class handling allows a remote attacker to cause uninitialized memory reads via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8391

Severity / CVSSv2 | High / 9.0 (AV:N/AC:L/Au:N/C:P/I:P/A:C) References| SecurityFocus: BID 82990 / NVD: CVE-2015-8391 Impact| Denial of service, unspecified other impact Description | A flaw in nesting handling allows a remote attacker to cause excessive CPU consumption via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8392

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 85573 / NVD: CVE-2015-8392 Impact| Denial of service, unspecified other impact Description | A flaw in substring handling allows a remote attacker to cause a buffer overflow and unintended recursion via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8393

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) References| SecurityFocus: BID 82990 / NVD: CVE-2015-8393 Impact| Information disclosure Description | A flaw in the pcregrep utility allows a remote attacker to obtain sensitive information via a crafted binary file.

CVE-2015-8394

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 82990 / NVD: CVE-2015-8394 Impact| Denial of service, unspecified other impact Description | A flaw in condition handling allows a remote attacker to cause an integer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2015-8395

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 85545 / NVD: CVE-2015-8395 Impact| Denial of service, unspecified other impact Description | A flaw in reference handling allows a remote attacker to cause denial of service or unspecified other impact via a crafted regular expression.

CVE-2016-1283

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 79825 / NVD: CVE-2016-1283 Impact| Denial of service, unspecified other impact Description | A flaw in named subgroup handling allows a remote attacker to cause heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

CVE-2016-3191

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 84810 / NVD: CVE-2016-3191 Impact| Code execution, denial of service Description | A flaw in substring and nested parenthesis handling allows a remote attacker to cause stack-based buffer overflow via a crafted regular expression, resulting in arbitrary code execution or denial of service.

MITIGATION

These CVEs can be exploited in ASG and ProxySG 6.6 only by authenticated administrator users with write access. Restricting the administrator users that have write access reduces the threat of exploiting the vulnerabilities.

These CVEs can be exploited in ASG, Director, and ProxySG only through their management interfaces. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

REVISION

2021-08-27 WSS Agent is not vulnerable.
2021-06-07 A fix for SSLV 5.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-06-01 A fix for MC 3.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-05-03 ISG 2.1, 2.2, and 2.3 have a vulnerable version of the PCRE library, but is not vulnerable to known vectors of attack.
2021-02-17 A fix for MC 2.4 and CA 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-12-09 A fix for ASG 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-17 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 contains vulnerable versions of the PCRE or GLib2 libraries, but is not vulnerable to known vectors of attack.
2020-08-19 A fix for MC 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-04-27 Provided corrected vulnerability information for Content Analysis, Mail Threat Defense, Management Center, PacketShaper S-Series, PolicyCenter S-Series, Reporter, Security Analytics, and SSL Visibility.
2020-04-26 Provided corrected vulnerability information for Advanced Secure Gateway. Information about IntelligenceCenter and IntelligenceCenter Data Collector is not available. NetDialog NetX is a replacement product for IntelligenceCenter.
2020-04-04 A fix for PacketShaper S-Series and PolicyCenter S-Series will not be provided. Allot Secure Service Gateway (SGG) is a replacement product for PacketShaper S-Series. Please switch to a version of SSG with the vulnerability fixes. A fix for PolicyCenter S-Series will not be provided. Allot NetXplorer is a replacement product PolicyCenter S-Series. Please switch to a version of NetXplorer with the vulnerability fixes.
2019-10-10 A fix will not be provided for PacketShaper 9.2. Please upgrade to a version of PacketShaper S-Series with the vulnerability fixes. A fix will not be provided for PolicyCenter 9.2. Please upgrade to a version of PolicyCenter S-Series with the vulnerability fixes.
2019-10-03 Web Isolation is not vulnerable.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-29 Reporter 10.4 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2019-08-12 MC 2.2 and MC 2.3 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack. A fix for MC 2.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for SSLV 4.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-02-04 A fix for CA 1.3 and 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-21 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable.
2019-01-14 SSLV 4.4 and 5.0 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack.
2019-01-14 Reporter 10.3 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-09-24 A fix for SSLV 3.8.4FC will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-07-26 MC 2.0 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2018-07-24 A fix for CacheFlow 3.4 is available in 3.4.2.9.
2018-06-26 A fix for CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2016-3191 in SSLV 4.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3, PacketShaper S-Series 11.10, and Reporter 10.2 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 4.2 has vulnerable versions of PCRE, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-11-08 CAS 2.2 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2017-11-07 MC 1.11 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-06 ASG 6.6 prior to 6.6.5.1 is vulnerable to all CVEs. ASG 6.6 starting with 6.6.5.1 and 6.7 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attacks.
2017-10-26 It was previously reported that CacheFlow 3.4 is vulnerable to CVE-2015-8386 and CVE-2015-8390. Further investigation has shown that CacheFlow 3.4 is not vulnerable to these CVEs.
2017-08-03 SSLV 4.1 has vulnerable version of PCRE, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-07-25 PS S-Series 11.9 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-07-21 MC 1.10 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PS S-Series 11.8 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-05-29 A fix for Security Analytics 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-05-18 CAS 2.1 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2017-03-30 MC 1.9 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2017-03-08 MC 1.6, MC 1.7, MC 1.8, and SSLV 4.0 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack. ProxySG 6.7 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2017-01-25 A fix for Security Analytics 7.2 is available in 7.2.2.
2016-12-03 PS S-Series 11.7 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2016-12-03 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-11-03 A fix for MAA is available in 4.2.10. A fix for ProxySG 6.6 is avaialble in 6.6.5.1.
2016-09-09 A fix for ProxySG 6.5 is available in 6.5.9.11.
2016-08-12 Security Analytics 7.2 is vulnerable to CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394.
2016-08-10 A fix for SSLV 3.9 is available in 3.9.4.1.
2016-07-12 Reporter 9.4 and 9.5 are not vulnerable.
2016-07-11 MAA 4.2 has a vulnerable version of PCRE, but is not vulnerable to known vectors of attack.
2016-07-07 initial public release

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:P/I:P/A:C