SA87 : OpenSSL Security Advisory 15-Oct-2014

Last updated: 04 May 2021
Published: 14 January 2015
Status: CLOSED
Severity: HIGH
CVSS v2: 7.1

SUMMARY

Blue Coat products using affected versions of OpenSSL 1.0.1, 1.0.0, and 0.9.8 are exposed to one or more of the vulnerabilities described below.  A remote attacker may exploit them to cause a denial of service through memory exhaustion, or to negotiate an SSL 3.0 handshake with an OpenSSL build that was configured to disallow SSL 3.0.

AFFECTED PRODUCTS

The following products are vulnerable to one or more of these vulnerabilities:

BCAAA
BCAAA 5.5 is vulnerable to CVE-2014-3567 and CVE-2014-3568, and also may be vulnerable to CVE-2014-3513, when using CoreID and Novell SSO.  BCAAA 6.1 is vulnerable to CVE-2014-3567 and CVE-2014-3568, and also may be vulnerable to CVE-2014-3513, when using Novell SSO.

CacheFlow
CacheFlow 2.x and 3.x prior to 3.4.2.1 are vulnerable to CVE-2014-3567.

Content Analysis System
CAS 1.1.x prior to 1.1.5.6, and 1.2.x prior to 1.2.3.1 are vulnerable.  CAS 1.3 and later releases are not vulnerable.

Director
Director 6.x prior to 6.1.16.1 is vulnerable to CVE-2014-3567.

IntelligenceCenter
IC 3.x is vulnerable to all CVEs.

IntelligenceCenter Data Collector
DC 3.x is vulnerable to all CVEs.

Malware Analysis Appliance
MAA 4.1.x is vulnerable to CVE-2014-3567.

Malware Analyzer G2
All versions of MAG2 are vulnerable.

Management Center
MC 1.x prior to 1.4.1.1 are vulnerable to CVE-2014-3513 and CVE-2014-3567.  MC 1.5 and later releases are not vulnerable.

Norman Shark Industrial Control System Protection
ICSP 5.x prior to 5.2.3 are vulnerable to CVE-2014-3567.

Norman Shark Network Protection
NNP 5.x prior to 5.2.3 are vulnerable to CVE-2014-3567.

Norman Shark SCADA Protection
NSP 5.x prior to 5.2.3 are vulnerable to CVE-2014-3567.

PacketShaper
All versions of PacketShaper prior to 9.2.10 are vulnerable to CVE-2014-3567.

PacketShaper S-Series
All versions of PS S-Series prior to 11.3.1.2 are vulnerable to CVE-2014-3567.  PS S-Series 11.4 and later releases are not vulnerable.

PolicyCenter
All versions of PolicyCenter prior to 9.2.10 are vulnerable to CVE-2014-3567.

ProxyAV
ProxyAV 3.4 prior to 3.4.3.1 and ProxyAV 3.5 prior to 3.5.3.1 are vulnerable to CVE-2014-3513, CVE-2014-3567, and CVE-2014-3568.

ProxySG
All versions of SGOS 5.5 and SGOS 6.2 prior to 6.2.16.3 are vulnerable to CVE-2014-3567.  All versions of SGOS 6.5 prior to 6.5.6.1 are vulnerable to CVE-2014-3513 and CVE-2014-3567.  SGOS 6.6 and 6.7 are not vulnerable.

Reporter
Reporter 9.4 is vulnerable to CVE-2014-3513 and CVE-2014-3567.  The Windows version of Reporter is not vulnerable to CVE-2014-3513.  Reporter 9.5 for Windows prior to 9.5.3 is vulnerable to all CVEs.  Reporter 9.5 for Linux and 10.1 are not vulnerable.

Security Analytics Platform
SA 6.6 prior to 6.6.10, 7.0, and 7.1 prior to 7.1.6 are vulnerable to CVE-2014-3567 and CVE-2014-3568.  SA 7.2 and later releases are not vulnerable.

SSL Visibility
SSLV 3.6, 3.7, and 3.8 prior to 3.8.3 are vulnerable to CVE-2014-3567.  SSLV 3.8.4FC and later versions are not vulnerable.

X-Series XOS
XOS 10.0 prior to 10.0.6 are vulnerable to CVE-2014-3513 and CVE-2014-3567.  XOS 11.0 is not vulnerable.

Patches

BCAAA
BCAAA 6.1 - a fix will not be provided, as an updated Novell SDK is not available.
BCAAA 5.5 - a fix will not be provided, as updated CoreID and Novell SDKs are not available.

CacheFlow
CacheFlow 3.x - a fix is available in 3.4.2.1.
CacheFlow 2.x - a fix will not be provided. Please upgrade to a later version that has the vulnerability fix.

Content Analysis System
CAS 1.2 - a fix is available in 1.2.3.1.
CAS 1.1 - a fix is available in 1.1.5.6.

Director
Director 6.x - a fix is available in 6.1.16.1.

IntelligenceCenter
IC 3.x - a fix will not be provided.  NetDialog NetX is a replacement product for IntelligenceCenter.  Please switch to a version of NetX with the fixes.

IntelligenceCenter Data Collector
DC 3.x - a fix will not be provided.  NetDialog NetX is a replacement product for IntelligenceCenter.  Please switch to a version of NetX with the fixes.

Malware Analysis Appliance
MAA 4.x - a fix is available in 4.2.1.

Malware Analyzer G2
MAG2 4.1 and prior – a patch will not be provided. Please upgrade to the latest MAA 4.x release with the vulnerability fix.

Management Center
MC 1.x - a fix is available in 1.4.1.1.

Norman Shark Industrial Control System Protection
ICSP 5.2 - a fix is available in 5.2.3 and 5.3.1.
ICSP 5.1 and prior - a fix will not be provided. Please upgrade to a later version that has the vulnerability fix.

Norman Shark Network Protection
NNP 5.2 - a fix is available in 5.2.3 and 5.3.1.
NNP 5.1 and prior - a fix will not be provided. Please upgrade to a later version that has the vulnerability fix.

Norman Shark SCADA Protection
NSP 5.2 - a fix is available in 5.2.3 and 5.3.1.
NSP 5.1 and prior - a fix will not be provided. Please upgrade to a later version that has the vulnerability fix.

PacketShaper
PacketShaper 9.2 - a fix is available in 9.2.10.
PacketShaper 8.7 - a fix will not be provided.  Please upgrade to a later version that has the vulnerability fix.

PacketShaper S-Series
PS 11.x - a fix is available in 11.3.1.2.

PolicyCenter
PolicyCenter 9.2 - a fix is available in 9.2.10.
PolicyCenter 8.7 - a fix will not be provided.  Please upgrade to a later version that has the vulnerability fix.

ProxyAV
ProxyAV 3.5 - a fix is available in 3.5.3.1.
ProxyAV 3.4 - a fix is available in 3.4.3.1.

ProxySG
SGOS 6.5.x - a fix is available in 6.5.6.1 and 6.5.2.12.
SGOS 6.2.x - a fix is available in 6.2.16.3.
SGOS 6.4.x - a fix will not be provided.  Please upgrade to a later version that has the vulnerability fix.
SGOS 5.5.x - a fix will not be provided.  Please upgrade to a later version that has the vulnerability fix.

Reporter
Reporter 9.5 - a fix is available in 9.5.3.
Reporter 9.4 - a fix is not available at this time.
Reporter 9.3 and earlier - a fix will not be provided.  Please upgrade to a later version that has the vulnerability fix.

Security Analytics Platform
SA 7.1 - a fix is available in 7.1.6.
SA 7.0 - a patch RPM to update the version of OpenSSL is available through Blue Coat Support.
SA 6.6 - a fix is available in 6.6.10.

SSL Visibility
SSLV 3.8 - a fix is available in 3.8.3 and 3.8.2f.
SSLV 3.7 - a fix will not be provided.  Please upgrade to a later version that has the vulnerability fix.
SSLV 3.6 - a fix will not be provided.  Please upgrade to a later version that has the vulnerability fix.
SSLV 3.5 - a fix will not be provided.  Please upgrade to a later version that has the vulnerability fix.

X-Series XOS
XOS 10.0 - a fix is available in 10.0.6.

ADDITIONAL PRODUCT INFORMATION

Blue Coat products act as both client and server. Blue Coat hosts services such as WebPulse and licensing services that Blue Coat products may connect with as a client.

Some Blue Coat products that can be installed on a client or on non-Blue Coat hardware use the version of OpenSSL that is already installed. Blue Coat urges our customers to update the versions of OpenSSL that are installed for Reporter on Linux, Unified Agent on Linux, and ProxyClient.

The following products are not vulnerable to any of these vulnerabilities:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
Mail Threat Defense
OPIC
PolicyCenter S-Series
ProxyAV ConLog and ConLogXP
ProxyClient
Unified Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2014-3513 - 7.1 (HIGH) (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CVE-2014-3567 - 7.1 (HIGH) (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CVE-2014-3568 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Three vulnerabilities were announced in the OpenSSL Security Advisory of 15 October 2014:

  • CVE-2014-3513 is a memory leak in the DTLS SRTP extension parsing code.  A remote attacker who sends repeated crafted handshake messages can exhaust memory and cause a denial of service.  Only the OpenSSL 1.0.1 branch is affected; the fix is in 1.0.1j.
  • CVE-2014-3567 is a memory leak in session ticket handling: when a server receives a session ticket that fails its integrity check, the associated memory is not freed.  A remote attacker who sends a large number of invalid session tickets can exhaust memory and cause a denial of service.  OpenSSL 1.0.1, 1.0.0, and 0.9.8 are affected; the fixes are in 1.0.1j, 1.0.0o, and 0.9.8zc.
  • CVE-2014-3568 is an incomplete "no-ssl3" build option: a server built with no-ssl3 could still accept and complete an SSL 3.0 handshake, and a client built with no-ssl3 could still be configured to send one, so the build option alone did not prevent a downgrade to SSL v3.  OpenSSL 1.0.1, 1.0.0, and 0.9.8 are affected; the fixes are in 1.0.1j, 1.0.0o, and 0.9.8zc.  Applications should disable SSL 3.0 at runtime as well (for example with SSL_OP_NO_SSLv3) rather than relying on the build option.
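The following is an added example, not code from Blue Coat or the OpenSSL project, that turns the fix levels above into a check a practitioner can run against the output of `openssl version` on a Blue Coat host or any other system.  It maps a version string to the CVEs from this advisory that the build is still exposed to, using the fix levels published in the OpenSSL advisory (1.0.1j, 1.0.0o, 0.9.8zc; CVE-2014-3513 applies to 1.0.1 only).  The sample version strings are constructed for illustration.  It does not account for distributions that backport fixes without changing the version string; on such systems check the package changelog rather than trusting the version alone.

```python
"""
Added example: map an OpenSSL version string to the CVEs from the
15 Oct 2014 OpenSSL advisory that the build is still exposed to.

Fix levels come from the OpenSSL advisory: CVE-2014-3513 affected only
the 1.0.1 branch (fixed in 1.0.1j); CVE-2014-3567 and CVE-2014-3568
affected 1.0.1, 1.0.0 and 0.9.8 (fixed in 1.0.1j, 1.0.0o and 0.9.8zc).
"""
import re

# (major, minor, fix) branch -> (first fixed letter release, CVEs fixed there)
FIXES = {
    (1, 0, 1): ("j", frozenset({"CVE-2014-3513", "CVE-2014-3567", "CVE-2014-3568"})),
    (1, 0, 0): ("o", frozenset({"CVE-2014-3567", "CVE-2014-3568"})),
    (0, 9, 8): ("zc", frozenset({"CVE-2014-3567", "CVE-2014-3568"})),
}

# Accepts the raw output of `openssl version` ("OpenSSL 1.0.1e-fips 11 Feb 2013")
# as well as a bare version such as "0.9.8za".
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def letter_rank(suffix):
    """Order OpenSSL letter suffixes: '' < 'a' < ... < 'z' < 'za' < 'zb' < ...

    OpenSSL continued past 'z' with two-letter suffixes, so a longer suffix
    is always a later release; within one length plain string order is right.
    """
    return (len(suffix), suffix)


def parse_version(text):
    """Return (major, minor, fix, letter); raises ValueError on unrecognised input."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("not an OpenSSL version string: %r" % (text,))
    major, minor, fix, letter = match.groups()
    return (int(major), int(minor), int(fix), letter)


def exposed_cves(text):
    """CVEs from this advisory that the given OpenSSL build is still exposed to.

    An empty set means either the build is at or past the fix level, or the
    branch is outside this advisory's scope (1.0.2 and later did not exist in
    Oct 2014).  It does not mean the build is free of later OpenSSL issues.
    Caveat: distributions that backport fixes keep the old version string, so
    on such systems check the package changelog instead of trusting this.
    """
    major, minor, fix, letter = parse_version(text)
    branch = (major, minor, fix)
    if branch not in FIXES:
        return set()
    fixed_letter, cves = FIXES[branch]
    if letter_rank(letter) >= letter_rank(fixed_letter):
        return set()
    return set(cves)


if __name__ == "__main__":
    # Constructed sample inputs, not real inventory data.
    for sample in ("OpenSSL 1.0.1e-fips 11 Feb 2013", "OpenSSL 1.0.1j 15 Oct 2014",
                   "OpenSSL 0.9.8za", "OpenSSL 1.0.0o", "OpenSSL 1.0.2a"):
        print("%-35s %s" % (sample, sorted(exposed_cves(sample)) or "not exposed"))
```

Run it on a host with `python3 check_openssl.py` (any filename works) or feed it `$(openssl version)`; a non-empty result means the build predates the fix for the listed CVEs and the product entries above should be consulted for the patched release.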

MITIGATION

The version of OpenSSL in the Linux and ISO versions of Reporter can be updated to a later version of OpenSSL that includes a fix for CVE-2014-3513 and CVE-2014-3567.  For assistance, please contact Blue Coat Technical Support.

REFERENCES

OpenSSL Security Advisory - https://www.openssl.org/news/secadv/20141015.txt

REVISION

2019-08-16 Fixes for IntelligenceCenter and IntelligenceCenter Data Collector will not be provided.  NetDialog NetX is a replacement product for IntelligenceCenter.  Please switch to a version of NetX with the fixes.  SA status moved to Closed.
2019-01-20 Security Analytics 8.0 is not vulnerable.
2019-01-17 IntelligenceCenter and IntelligenceCenter Data Collector 3.x are vulnerable to all CVEs.
2018-04-22 PacketShaper S-Series 11.10 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-29 A fix for XOS 10.0 is available in 10.0.6.
2017-05-16 CAS 2.1 is not vulnerable.
2017-03-06 ProxySG 6.7 is not vulnerable.  SSLV 4.0 is not vulnerable.
2017-02-15 MC 1.8 is not vulnerable.  PacketShaper S-Series 11.7 is not vulnerable.  Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-12-04 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-14 MC 1.6 and 1.7 are not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-15 Advanced Secure Gateway is not vulnerable.
2016-08-11 Security Analytics 7.2 is not vulnerable.
2016-07-17 SGOS 6.6 is not vulnerable.
2016-07-15 SSLV 3.8.4FC and 3.9 are not vulnerable.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable.
2016-06-26 A fix for PacketShaper S-Series 11.x is available in 11.3.1.2.  PacketShaper S-Series 11.4 and 11.5 are not vulnerable.
2016-06-07 Reporter 9.5 for Windows is vulnerable and a fix is available in 9.5.3.  Reporter 9.5 for Linux and Reporter 10.1 are not vulnerable.
2016-05-26 Corrected the listed vulnerable CVEs for MC.  A fix is available in MC 1.4.1.1.  MC 1.5 is not vulnerable.  IntelligenceCenter is not vulnerable.  IntelligenceCenter Data Collector is under investigation.
2016-05-24 PolicyCenter S-Series is not vulnerable.
2016-05-21 General Auth Connector Login Application and K9 are not vulnerable.
2016-05-20 CAS 1.3 is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-23 Mail Threat Defense is not vulnerable.
2015-12-02 All fixes are available for Security Analytics
2015-10-02 Fixes are available for ProxyAV; SSLV is not vulnerable to CVE-2014-3513; SSLV fix for 3.8 is available in 3.8.3
2015-10-01 Fix is available in SGOS 6.2 and 6.5.2
2015-09-30 Fix is available in CAS 1.1
2015-07-26 Fix is available for CacheFlow
2015-03-12 Fixes available for Security Analytics; clarified which CVE PacketShaper and PolicyCenter are vulnerable to
2015-03-11 Listed the CVEs ProxyAV is vulnerable to
2015-03-10 SGOS 6.2 is not vulnerable to CVE-2014-3513; fixes will not be provided for SGOS 6.4 and 5.5; fix is available for Director
2015-03-04 PacketShaper and PolicyCenter are vulnerable and fixes are available for 9.2, no fixes will be provided for 8.7; AuthConnector is not vulnerable
2015-03-03 ProxyAV ConLog and ConLogXP are not vulnerable; fix available for SSLV 3.8
2015-02-24 Reporter is vulnerable; fix is available for SGOS 6.5
2015-02-23 Clarified BCAAA vulnerability information
2015-02-20 Fixes are available for Norman Shark products; BCAAA is vulnerable, no fixes will be provided
2015-02-19 CacheFlow is vulnerable, SGOS 5.5 is vulnerable, PacketShaper S-Series is vulnerable.
2015-02-17 No fix is available at this time for SSLV 3.5.2
2015-01-26 Clarification that CAS 1.1.x and 1.2.x are vulnerable
2015-01-21 CAS 1.1.x is vulnerable and a fix is available
2015-01-14 Initial public release