9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Symantec Network Protection products using affected versions of NSS are susceptible to a security vulnerability. A remote attacker can send crafted Base64-encoded data and execute arbitrary code or cause denial of service through an application crash.
The following products are vulnerable:
CVE |Affected Version(s)|Remediation
All CVEs | 6.1 | Upgrade to a version of MC with the fixes.
CVE |Affected Version(s)|Remediation
All CVEs | 11.9 and later | Not vulnerable, fixed in 11.9.1.1
11.8 | Upgrade to later release with fixes.
11.7 | Upgrade to later release with fixes.
11.6 | Upgrade to 11.6.4.2.
11.5 | Upgrade to later release with fixes.
CVE |Affected Version(s)|Remediation
All CVEs | 1.1 | Upgrade to 1.1.4.2.
CVE |Affected Version(s)|Remediation
All CVEs | 8.0 and later | Not vulnerable, fixed in 8.0.1.
7.3 | Upgrade to 7.3.2.
7.2, 7.1 | Upgrade to later release with fixes.
CVE |Affected Version(s)|Remediation
All CVEs | 4.2 and later | Not vulnerable, fixed in 4.2.1.1
4.1 | Upgrade to later release with fixes.
4.0 | Upgrade to later release with fixes.
3.x | Not vulnerable
CVE |Affected Version(s)|Remediation
All CVEs | 9.7, 10.0, 11.0 | A fix will not be provided.
The following products have a vulnerable version of NSS, but are not vulnerable to known vectors of attack:
CVE |Affected Version(s)|Remediation
All CVEs | 7.1 and later | Not vulnerable, fixed in 7.1.1.1
6.7 | Upgrade to 6.7.3.1.
6.6 | Upgrade to 6.6.5.10.
CVE |Affected Version(s)|Remediation
All CVEs | 2.2 and later | Not vulnerable, fixed in 2.2.1.1
2.1 | Upgrade to later release with fixes.
1.3 | Fixed in 1.3.7.8.
CVE |Affected Version(s)|Remediation
All CVEs | 1.1 | Upgrade to a version of CAS and SMG with the fixes.
CVE |Affected Version(s)|Remediation
All CVEs | 1.11 and later | Not vulnerable, fixed in 1.11.1.1
1.10 | Upgrade to later release with fixes.
1.9 | Upgrade to later release with fixes.
CVE |Affected Version(s)|Remediation
All CVEs | 10.2 and later | Not vulnerable, fixed in 10.2.1.1
10.1 | Upgrade to 10.1.5.5.
9.5 | Not vulnerable
9.4 | Not vulnerable.
PacketShaper S-Series and PolicyCenter S-Series are only vulnerable through LDAPS client connections.
The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Malware Analysis Norman Shark Industrial Control System Protection
PacketShaper PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP **ProxyClient
ProxySG
Unified Agent
Web Isolation
**
Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 98050 / NVD: CVE-2017-5461 Impact| Denial of service, code execution Description | An out-of-bounds write flaw in the Base64 encoder/decoder allows a remote attacker to send crafted Base64 data, such as an X.509 certificate, and cause denial of service through an application crash. The attacker could also execute arbitrary code with the permission of the application using NSS.
By default, Director, Security Analytics, and XOS do not use NSS to parse Base64 data from external sources. Customers who leave this behavior unchanged prevent attacks against these products using CVE-2017-5461.
CVE-2017-5461 only affects LDAPS client connections in PacketShaper S-Series and PolicyCenter S-Series. Deploying these products in a secure, trusted network reduces the threat of exploiting this vulnerability.
MFSA 2017-10 - <https://www.mozilla.org/en-US/security/advisories/mfsa2017-10/>
2021-07-13 A fix for Security Analytics 7.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. Moving Advisory Status to Closed.
2020-11-18 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-04-17 Advanced Secure Gateway (ASG) 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1.
2019-10-02 Web Isolation is not vulnerable.
2019-01-21 A fix for Security Analytics 7.3 is available in 7.3.2. Security Analytics 8.0 is not vulnerable because a fix is available in 8.0.1.
2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-10-25 A fix for CA 1.3 is available in 1.3.7.8.
2018-08-07 A fix for CA 1.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-06-26 A fix for SSLV 4.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3 is not vulnerable. PacketShaper S-Series 11.10 is not vulnerable. Reporter 10.2 is not vulnerable because a fix is available in 10.2.1.1.
2018-04-12 A fix for Reporter 10.1 is available in 10.1.5.5.
2018-01-31 A fix for ASG 6.7 is avaialble in 6.7.3.1.
2017-12-13 A fix for PS S-Series 11.6 is available in 11.6.4.2.
2017-12-12 A fix for PC S-Series 1.1 is available in 1.1.4.2.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 4.2 is not vulnerable because a fix is available in 4.2.1.1.
2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-08 CAS 2.2 is not vulnerable because a fix is available in 2.2.1.1.
2017-11-06 ASG 6.7 has a vulnerable version of NSS, but is not vulnerable to known vectors of attack.
2017-08-03 SSLV 4.1 is vulnerable.
2017-06-22 Security Analytics 7.3 is vulnerable.2017-07-23 MC 1.10 has a vulnerable version of NSS, but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-06-26 A fix for ASG 6.6 is available in 6.6.5.10.
2017-06-22 Security Analytics 7.3 is vulnerable.
2017-06-05 PS S-Series 11.8 has a vulnerable version of NSS.
2017-05-25 initial public release
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P