CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Symantec Network Protection products using affected versions of Apache httpd are susceptible to multiple security vulnerabilities. A remote attacker, with access to the management interface, can cause denial of service through application crashes or bypass required authentication.
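The following products are vulnerable:

Content Analysis (CA)

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2017-3169, CVE-2017-7679 | 2.3 and later | Not vulnerable, fixed in 2.3.1.1 |
| CVE-2017-3169, CVE-2017-7679 | 2.2 | Upgrade to later release with fixes. |
| CVE-2017-3169, CVE-2017-7679 | 1.3, 2.1 | Not vulnerable |

Director

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2017-3167, CVE-2017-3169, CVE-2017-7679 | 6.1 | Upgrade to a version of MC with the fixes. |

MA

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2017-3167, CVE-2017-3169, CVE-2017-7668, CVE-2017-7679 | 4.2 | Upgrade to 4.2.12. |

Security Analytics

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2017-3167, CVE-2017-3169, CVE-2017-7679 | 8.0 and later | Not vulnerable, fixed in 8.0.1. |
| CVE-2017-3167, CVE-2017-3169, CVE-2017-7679 | 7.3 | Upgrade to 7.3.2. |
| CVE-2017-3167, CVE-2017-3169, CVE-2017-7679 | 7.2 | Upgrade to 7.2.5. |
| CVE-2017-3167, CVE-2017-3169, CVE-2017-7679 | 7.1 | Upgrade to later release with fixes. |
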
ADDITIONAL PRODUCT INFORMATION
The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
SSL Visibility
Unified Agent
Web Isolation
WSS Agent
X-Series XOS

| Field | CVE-2017-3167 |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 99135 / NVD: CVE-2017-3167 |
| Impact | Authentication bypass |
| Description | A flaw in third-party Apache httpd modules allows a remote attacker to bypass required authentication. |

| Field | CVE-2017-3169 |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 99134 / NVD: CVE-2017-3169 |
| Impact | Denial of service |
| Description | A flaw in third-party Apache httpd modules allows a remote attacker to send HTTP requests to an HTTPS port and cause denial of service through application crashes. |

| Field | CVE-2017-7659 |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 99132 / NVD: CVE-2017-7659 |
| Impact | Denial of service |
| Description | A flaw in HTTP/2 request parsing allows a remote attacker to send crafted HTTP/2 requests and cause denial of service through application crashes. |

| Field | CVE-2017-7668 |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 99137 / NVD: CVE-2017-7668 |
| Impact | Denial of service |
| Description | A buffer overread flaw in HTTP request parsing allows a remote attacker to send crafted HTTP requests and cause denial of service through application crashes or have unspecified other impact. |

| Field | CVE-2017-7679 |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 99170 / NVD: CVE-2017-7679 |
| Impact | Denial of service |
| Description | A buffer overread flaw in HTTP response generation allows a remote attacker to send crafted HTTP requests and cause denial of service through application crashes. |

MITIGATION
These vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.
By default, Director and MA do not use HTTP Basic Access Authentication in Apache httpd. Customers who leave this behavior unchanged prevent attacks against these products using CVE-2017-3167.
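
One way to verify that the trusted-network restriction described above is actually in effect is to review which source addresses reach the management interface. The following is an added example, not part of the original advisory or any Symantec tooling; it assumes the management traffic is available as Apache common-log-format lines, and the trusted networks and log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed trusted management networks (assumption; substitute your own).
TRUSTED_NETS = [ipaddress.ip_network(n)
                for n in ("10.20.0.0/24", "192.168.50.10/32", "fd00:20::/64")]

# Constructed sample lines in Apache common log format (assumed log source).
SAMPLE_LOG = """\
10.20.0.15 - admin [20/Jul/2017:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [20/Jul/2017:10:01:05 +0000] "GET / HTTP/1.1" 401 128
fd00:20::5 - admin [20/Jul/2017:10:02:00 +0000] "POST /config HTTP/1.1" 200 64
203.0.113.7 - - [20/Jul/2017:10:02:11 +0000] "GET /status HTTP/1.1" 200 900
not a log line
192.168.50.11 - - [20/Jul/2017:10:03:00 +0000] "GET / HTTP/1.1" 400 0
"""

# client, ident, user, [timestamp], "request line", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3})\b')


def is_trusted(addr):
    """True if addr (IPv4 or IPv6 literal) lies inside a trusted network."""
    ip = ipaddress.ip_address(addr)  # raises ValueError for non-IP client fields
    return any(ip.version == net.version and ip in net for net in TRUSTED_NETS)


def untrusted_sources(log_text):
    """Return ({source: Counter of status codes}, [lines that could not be checked])."""
    hits, unparsed = {}, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        src, status = m.groups()
        try:
            trusted = is_trusted(src)
        except ValueError:  # hostname or garbage in the client field
            unparsed.append(line)
            continue
        if not trusted:
            # Any logged request from here reached the management interface.
            hits.setdefault(src, Counter())[status] += 1
    return hits, unparsed


if __name__ == "__main__":
    found, skipped = untrusted_sources(SAMPLE_LOG)
    for src, codes in sorted(found.items()):
        print(src, dict(codes))
    print("unchecked lines:", len(skipped))
```

Any source reported here means the access restriction did not block that address; lines that cannot be parsed are returned separately so they are reviewed rather than silently ignored.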
Apache httpd 2.2 vulnerabilities - <https://httpd.apache.org/security/vulnerabilities_22.html>
Apache httpd 2.4 vulnerabilities - <https://httpd.apache.org/security/vulnerabilities_24.html>
2021-05-19 A fix for Security Analytics 7.2 is available in 7.2.5. WSS Agent is not vulnerable. Moving Advisory Status to Closed.
2020-11-18 A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2019-10-03 Web Isolation is not vulnerable.
2019-09-05 A fix for Security Analytics 7.3 is available in 7.3.2. Fixes will not be provided for Security Analytics 7.1 and CA 2.2. Please upgrade to a later release with the vulnerability fixes. IntelligenceCenter and IntelligenceCenter Data Collector are not vulnerable.
2019-01-21 A fix for Security Analytics 7.3 is available in 7.3.4. Security Analytics 8.0 is not vulnerable because a fix is available in 8.0.1.
2018-07-23 A fix for MA is available in 4.2.12.
2018-04-22 Previously it was reported that Content Analysis is not vulnerable. Further investigation indicates that CA 2.2 is vulnerable to CVE-2017-3169 and CVE-2017-7679. CA 2.3 is not vulnerable because a fix is available in 2.3.1.1.
2017-08-30 Added remaining CVSS v2 scores.
2017-07-20 Initial public release