SA129 : Multiple libxml2 Vulnerabilities

SUMMARY

Blue Coat products that include a vulnerable version of the libxml2 library are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to execute arbitrary code and cause denial of service through memory corruption.

AFFECTED PRODUCTS

The following products are vulnerable:

Advanced Secure Gateway (ASG)

CVE |Affected Version(s)|Remediation
CVE-2016-4483 | 6.7, 7.2, 7.3 | Not available at this time
6.6, 7.1 | Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1.
6.6 | Upgrade to 6.6.5.2.

AuthConnector

CVE |Affected Version(s)|Remediation
All CVEs | 2.5 | Fixed in 2.5.5500

Content Analysis System (CAS)

CVE |Affected Version(s)|Remediation
CVE-2016-4483 | 2.3 and later | Not vulnerable, fixed in 2.3.1.1
2.1, 2.2 | Upgrade to later release with fixes.
1.3 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1.
1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.7.3.

Director

CVE |Affected Version(s)|Remediation
All CVEs | 6.1 | Upgrade to a version of MC with the fixes.

Malware Analysis Appliance (MAA)

CVE |Affected Version(s)|Remediation
CVE-2016-4448 | 4.2 | Upgrade to 4.2.12.
CVE-2016-4449 | 4.2 | Upgrade to 4.2.11.
All CVEs except CVE-2016-4448 and CVE-2016-4449 | 4.2 (not vulnerable to known vectors of attack) | Upgrade to 4.2.11.

Norman Shark Industrial Control System Protection (ICSP)

CVE |Affected Version(s)|Remediation
All CVEs | 5.4 | Not vulnerable, fixed in 5.4.1
5.3 | Upgrade to later release with fixes.

Norman Shark Network Protection (NNP)

CVE |Affected Version(s)|Remediation
All CVEs | 5.3 | A fix will not be provided.

Norman Shark SCADA Protection (NSP)

CVE |Affected Version(s)|Remediation
All CVEs | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes.

ProxySG

CVE |Affected Version(s)|Remediation
All CVEs | 6.7 and later | Not vulnerable, fixed in 6.7.1.1
6.6 | Upgrade to 6.6.5.2.
6.5 | Upgrade to 6.5.9.12.

Security Analytics (SA)

CVE |Affected Version(s)|Remediation
CVE-2016-4483 | 8.1, 8.2 | Not available at this time
7.3 starting with 7.3.2, 8.0 | Upgrade to later release with fixes.
7.3.1 | Not vulnerable, fixed
7.2 | Upgrade to 7.3.2.
6.6, 7.0, 7.1 | Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 | 7.3 and later | Not vulnerable, fixed in 7.3.1
7.2 | Upgrade to 7.2.2.
6.6, 7.0, 7.1 | Upgrade to later release with fixes.

X-Series XOS

CVE |Affected Version(s)|Remediation
All CVEs | 9.7, 10.0, 11.0 | A fix will not be provided.

The following products contain vulnerable versions of the libxml2 library, but are not vulnerable to known vectors of attack:

Mail Threat Defense (MTD)

CVE |Affected Version(s)|Remediation
All CVEs | 1.1 | Upgrade to a version of CAS and SMG with the fixes.

Management Center (MC)

CVE |Affected Version(s)|Remediation
CVE-2016-4483
| 2.0 and later | Not vulnerable, fixed in 2.0.1.1
1.5 - 1.11 | Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1
1.7 | Upgrade to 1.7.2.1.
1.6 | Upgrade to later release with fixes.
1.5 | Upgrade to later release with fixes.

PacketShaper (PS) S-Series

CVE |Affected Version(s)|Remediation
CVE-2016-4483 | 11.2 and later | Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Switch to a version of SSG with the vulnerability fixes.
All CVEs except CVE-2016-4483 | 11.7 and later | Upgrade to 11.7.1.1.
11.6 | Upgrade to 11.6.1.3.
11.2 - 11.5 | Upgrade to later release with fixes.

PolicyCenter (PC) S-Series

CVE |Affected Version(s)|Remediation
CVE-2016-4483 | 1.1 | Allot NetXplorer is a replacement product for PolicyShaper S-Series. Switch to a version of NetXplorer with the vulnerability fixes.
All CVEs except CVE-2016-4483 | 1.1 | Upgrade to 1.1.3.1.

Reporter

CVE |Affected Version(s)|Remediation
CVE-2016-4483 | 10.5 and later | Not vulnerable, fixed in 10.5.1.1
10.1, 10.2, 10.3, 10.4 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1.
10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.5.1.
All CVEs | 9.5 | Not vulnerable
9.4 | Not vulnerable

SSL Visibility (SSLV)

CVE |Affected Version(s)|Remediation
CVE-2016-4483 | 4.5 | Not available at this time
4.3, 4.4 | Not vulnerable, fixed in 4.3.1.1.
4.0, 4.1, 4.2, 5.0 | Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 | 4.0 | Not vulnerable, fixed in 4.0.2.1.
CVE-2016-4448 | 3.12 | Not vulnerable, fixed in 3.12.1.1.
3.11 | Upgrade to 3.11.4.1.
3.10 | Upgrade to 3.10.4.1.
3.8.4FC, 3.9 | Upgrade to later release with fixes.
All CVEs except CVE-2016-4448 | 3.10 and later 3.x | Not vulnerable, fixed in 3.10.1.1.
3.9 | Upgrade to 3.9.4.1.
3.8.4FC | Upgrade to later release with fixes.

ADDITIONAL PRODUCT INFORMATION

Some Blue Coat products do not accept XML data from untrusted sources. The products listed below include vulnerable versions of the libxml2 library, but are not known to be vulnerable to the CVEs below. However, fixes for these CVEs will be included in the patches that are provided.

• ASG: all CVEs
• CAS: all CVEs
• MTD: all CVEs
• MAA: all CVEs except CVE-2016-4448 and CVE-2016-4449
• MC: all CVEs
• PacketShaper S-Series: all CVEs
• PolicyCenter S-Series: all CVEs
• Reporter 10.x: all CVEs
• SSLV: all CVEs except CVE-2016-4448 and CVE-2016-4449

The following products are not vulnerable:
Android Mobile Agent
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Unified Agent
Web Isolation
WSS Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP

Please, contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2016-1762

Severity / CVSSv2 | High / 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) References| SecurityFocus: BID 85059 / NVD: CVE-2016-1762 Impact| Denial of service, code execution Description | A flaw in the XML parser allows a remote attacker to cause a heap-based buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

CVE-2016-1833

Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 90691 / NVD: CVE-2016-1833 Impact| Denial of service, code execution Description | A flaw in the XML parser allows a remote attacker to cause a heap-based buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

CVE-2016-1834

Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 90691 / NVD: CVE-2016-1834 Impact| Denial of service, code execution Description | A flaw in string handling allows a remote attacker to cause a heap-based buffer overflow via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

CVE-2016-1835

Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 90696 / NVD: CVE-2016-1835 Impact| Denial of service, code execution Description | A flaw in the XML parser allows a remote attacker to cause a use-after-free via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

CVE-2016-1836

Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 90691 / NVD: CVE-2016-1836 Impact| Denial of service, code execution Description | A flaw in the XML parser allows a remote attacker to cause a use-after-free via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

CVE-2016-1837

Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 90691 / NVD: CVE-2016-1837 Impact| Denial of service, code execution Description | A flaw in the HTML parser allows a remote attacker to cause a use-after-free via crafted HTML data, resulting in arbitrary code execution or denial of service through memory corruption.

CVE-2016-1838

Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 90691 / NVD: CVE-2016-1838 Impact| Denial of service, code execution Description | A flaw in the XML parser allows a remote attacker to cause a heap-based buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

CVE-2016-1839

Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 90691 / NVD: CVE-2016-1839 Impact| Denial of service, code execution Description | A flaw in the XML/HTML parser allows a remote attacker to cause a heap-based buffer overread via crafted XML/HTML data, resulting in arbitrary code execution or denial of service through memory corruption.

CVE-2016-1840

Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 90691 / NVD: CVE-2016-1840 Impact| Denial of service, code execution Description | A flaw allows a remote attacker to cause a heap-based buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

CVE-2016-3627

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 84992 / NVD: CVE-2016-3627 Impact| Denial of service Description | A flaw in the XML parser allows a remote attacker to cause infinite recursion or stack depletion via crafted XML data, resulting in application crashes and denial of service.

CVE-2016-3705

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 89854 / NVD: CVE-2016-3705 Impact| Denial of service Description | A flaw in the XML parser allows a remote attacker to cause stack depletion via crafted XML data, resulting in application crashes and denial of service.

CVE-2016-4447

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 90864 / NVD: CVE-2016-4447 Impact| Denial of service Description | A flaw in the XML parser allows a remote attacker to cause a heap-based buffer underread via crafted XML data, resulting in application crashes and denial of service.

CVE-2016-4448

Severity / CVSSv2 | High / 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) References| SecurityFocus: BID 90856 / NVD: CVE-2016-4448 Impact| Unspecified Description | A flaw in format string handling allows an attacker to have unspecified impact via unspecified attack vectors.

CVE-2016-4449

Severity / CVSSv2 | Medium / 5.8 (AV:N/AC:M/Au:N/C:P/I:N/A:P) References| SecurityFocus: BID 90865 / NVD: CVE-2016-4449 Impact| Informationd disclosure, denial of service Description | A flaw in the XML parser allows a remote attacker to read arbitrary files or cause denial of service through resource consumption.

CVE-2016-4483

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) References| SecurityFocus: BID 76510 / NVD: CVE-2016-4483 Impact| Denial of service, code execution Description | A flaw in the XML parser in recovery mode allows a remote attacker to cause a buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

MITIGATION

Blue Coat's ProxySG appliance running SGOS 6.6.4 or a later release can protect customer networks against attacks using all CVEs, except CVE-2016-1834, CVE-2016-1840, CVE-2016-3627, and CVE-2016-4448. ProxySG deployed as a reverse proxy can protect network hosts behind it by blocking the malformed XML payload used in these attacks. Customers can use the following CPL syntax introduced in SGOS 6.6.4:

<proxy>
http.request.detection.xml.invalid(block)

REVISION

2021-08-27 WSS Agent is not vulnerable.
2021-06-07 A fix for SSLV 5.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-12-10 A fix for ASG 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-17 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-04-27 Security Analytics 8.1 is vulnerable to CVE-2016-4483. SSL Visibility (SSLV) 4.5 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1. Fixes will not be provided for Industrical Control System Protection (ICSP) 5.3, Reporter 10.3, Reporter 10.4, and SSL Visibility (SSLV) 3.9. Please upgrade to later versions with the vulnerability fixes.
2020-04-03 A fix will not be provided for CVE-2016-4483 in PacketShaper S-Series. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Please switch to a version of SSG with the vulnerability fixes. A fix will not be provided for CVE-2016-4483 in PolicyCenter S-Series. Allow NetXplorer is a replacement product for PolicyCenter S-Series. Please switch to a version of NetXplorer with the vulnerability fixes.
2019-10-03 Web Isolation is not vulnerable.
2019-08-30 Reporter 10.4 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-02-04 A fix for CA 1.3 and 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-29 ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2019-01-21 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable to CVE-2016-4483.
2019-01-18 SSLV 4.4 is not vulnerable. SSLV 5.0 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.
2019-01-14 A fix for CVE-2016-4483 in MC 1.11 will not be provided. Please upgrade to a later version with the vulnerability fixes. Reporter 10.3 has a vulnerable version in libxml2, but is not vulnerable to known vectors of attack
2019-01-11 A fix for CVE-2016-4483 in CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-07-27 A fix for CVE-2016-4448 in MA 4.2 is available in 4.2.12.
2018-07-24 MC 2.0 is not vulnerable because a fix for CVE-2016-4483 is available in 2.0.1.1.
2018-07-02 A fix for CVE 2016-4483 in SSLV 4.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-06-30 A fix for SSLV 4.3 is available in 4.3.1.1.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2018-06-26 A fix for AuthConnector is available in 2.5.5500.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CAS 2.3 is not vulnerable because a fix is available in 2.3.1.1. PacketShaper S-Series 11.10 and Reporter 10.2 have a vulnerable version of libxml2, but are not vulnerable to known vectors of attack.
2018-04-06 A fix for all CVEs except CVE-2016-4448 in SSLV 3.9 is available in 3.9.4.1. A fix for all CVEs except CVE-2016-4448 is available in Packetshaper S-Series 11.7 and 11.8.
2018-02-22 A fix for CVE-2016-4448 in SSLV 3.10 is available in 3.10.4.1.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-16 A fix for SSLV 3.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-11-15 SSLV 4.2 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-11-08 CAS 2.2 is vulnerable to CVE-2016-4483.
2017-11-07 MC 1.11 has vulnerable versions of a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-06 ASG 6.6 starting with 6.6.5.2 has a vulnerable version of libxml2 for all CVEs, but is not vulnerable to known vectors of attack. ASG 6.7 is vulnerable to CVE-2016-4483.
2017-08-03 SSLV 4.1 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-07-25 PS S-Series 11.9 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-07-21 MC 1.10 has vulnerable versions of a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-07-10 A fix for CVE-2016-4448 in SSLV 3.11 is available in 3.11.4.1.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PS S-Series 11.7 and 11.8 have a vulnerable version of libxml2. PS S-Series is not vulnerable to known vectors of attack.
2017-05-18 CAS 2.1 is vulnerable to CVE-2016-4483.
2017-03-30 MC 1.9 has a vulnerable version of libxml2 for CVE-2016-4483, but is not vulnerable to known vectors of attack.
2017-03-08 A fix for all CVEs except CVE-2016-4483 in PolicyCenter S-Series 1.1 is available in 1.1.3.1.
2017-03-08 MC 1.8 and SSLV 4.0 have a vulnerable version of libxml2, but are not vulnerable to known vectors of attack. ProxySG 6.7 is not vulnerable. Previously, it was reported that a fix for all CVEs in PacketShaper S-Series 11.6 is available in 11.6.1.3. Further investigation has shows that all versions of PS S-Series still have a vulnerable version of libxml2 for CVE-2016-4483. PS S-Series is not vulnerable to known vectors of attack.
2017-01-25 A fix for SA 7.2 is available in 7.2.2.
2017-01-24 A fix for all CVEs except CVE-2016-4483 in CAS 1.3 is available in 1.3.7.3.
2017-01-10 A fix for all CVEs except CVE-2015-4483 in Reporter 10.1 is available in 10.1.5.1.
2016-12-19 A fix for all CVEs except CVE-2016-4448 is available in MAA 4.2.11.
2016-12-02 SSLV 3.11 is vulnerable to CVE-2016-4448. A fix is not available at this time.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-14 MC 1.6 and 1.7 have a vulnerable version of libxml2. A fix for all CVEs except CVE-2015-4483 is available in 1.7.2.1.
2016-11-11 SSLV 3.10 is vulnerable to CVE-2016-4448. A fix is not available at this time.
2016-10-24 Clarified that Security Analytics 7.2 is vulnerable. A fix is available through a patch RPM from Blue Coat Support.
2016-10-24 A fix for ASG is available in 6.6.5.2.
2016-10-24 A fix for ProxySG 6.6 is available in 6.6.5.2.
2016-10-18 A fix for ProxySG 6.5 is available in 6.5.9.12.
2016-09-14 Fixes for Security Analytics 6.6, 7.1, and 7.2 are available through patch RPMs from Blue Coat Support.
2016-09-14 A fix for PacketShaper S-Series 11.6 is available in 11.6.1.3.
2016-09-14 Clarified wording in Workarounds sections.
2016-09-01 initial public release