SA92 : OpenSSL Security Advisory 19-Mar-2015
SUMMARY
Blue Coat products using affected versions of OpenSSL 1.0.2, 1.0.1, 1.0.0, and 0.9.8 are vulnerable to multiple vulnerabilities. A remote attacker may exploit these vulnerabilities to cause a denial of service, memory corruption, or to decrypt an encrypted session more easily using brute force techniques.
AFFECTED PRODUCTS
The following products are vulnerable:
Android Mobile Agent
Android Mobile Agent 1.x prior to 1.3.8 is vulnerable to: CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, and CVE-2015-0292.
BCAAA
BCAAA 5.5 and 6.1 are vulnerable to CVE-2015-0286 when configured to use the CoreID or the Novell SSO SDKs.
CacheFlow
CacheFlow 2.2 and 3.4 prior to 3.4.2.2 are vulnerable to CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293.
Client Connector
All versions of Client Connector for Windows are vulnerable to CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, and CVE-2015-0292. Client Connector for OS X is not vulnerable.
Content Analysis System
CAS 1.1 prior to 1.1.5.6 and CAS 1.2 prior to 1.2.3.1 are vulnerable to CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293. CAS 1.3 and later releases are not vulnerable.
Director
Director 6.1 prior to 6.1.19.1 is vulnerable to CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293.
IntelligenceCenter
IntelligenceCenter 3.2 and 3.3 are vulnerable to CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293.
IntelligenceCenter Data Collector
IntelligenceCenter Data Collector 3.2 and 3.3 are vulnerable to CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293.
Malware Analysis Appliance
MAA 4.1 and 4.2 prior to 4.2.5 are vulnerable to CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, and CVE-2015-0292. CVE-2015-0209 and CVE-2015-0286 can only be exploited by using the command line interface.
Malware Analyzer G2
All versions of MAG2 are vulnerable to CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, and CVE-2015-0292.
Management Center
Management Center versions prior to 1.3.3.2 are vulnerable to CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, and CVE-2015-0292. MC 1.4 and later releases are not vulnerable.
Norman Shark Industrial Control System Protection
ICSP 5.3 prior to 5.3.4 is vulnerable to CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, and CVE-2015-0292. CVE-2015-0209 and CVE-2015-0288 can only be exploited using the command line interface.
Norman Shark Network Protection
NNP 5.2 and 5.3 prior to 5.3.4 are vulnerable to CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, and CVE-2015-0292. CVE-2015-0209 and CVE-2015-0288 can only be exploited using the command line interface.
Norman Shark SCADA Protection
NSP 5.2 and 5.3 prior to 5.3.4 are vulnerable to CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, and CVE-2015-0292. CVE-2015-0209 and CVE-2015-0288 can only be exploited using the command line interface.
OPIC
All versions of OPIC are vulnerable to CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, and CVE-2015-0292.
PacketShaper
PacketShaper 9.2 prior to 9.2.13p1 is vulnerable to CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293.
PacketShaper S-Series
PS S-Series 11.2 and 11.3 prior to 11.3.1.2 are vulnerable to CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293. PS S-Series 11.4 and later releases are not vulnerable.
PolicyCenter
PolicyCenter 9.2 prior to 9.2.13p1 is vulnerable to CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293.
ProxyAV
ProxyAV 3.4 prior to 3.4.3.1 and 3.5 prior to 3.5.3.2 are vulnerable to CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, and CVE-2015-0293.
ProxyClient
ProxyClient 3.4 for Windows is vulnerable to CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, and CVE-2015-0292. ProxyClient for OS X is not vulnerable.
ProxySG
SGOS 6.2 prior to 6.2.16.4, 6.5 prior to 6.5.7.5, and 6.6 prior to 6.6.2.1 are vulnerable to CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293. SGOS 6.7 is not vulnerable.
Reporter
The ISO version of Reporter (Virtualized Reporter) 9.4 is vulnerable to CVE-2015-0286, CVE-2015-0287, and CVE-2015-0288.
Reporter for Windows 9.4 and 9.5 prior to 9.5.3 are vulnerable to CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, and CVE-2015-0293.
Reporter for Linux does not install OpenSSL and thus is not vulnerable. Please see advisory details below.
Reporter 10.1 is not vulnerable.
Security Analytics Platform
SA 6.6, 7.0, and 7.1 prior to 7.1.8 are vulnerable to CVE-2015-0209, CVE-2015-0286, and CVE-2015-0288. SA 7.0.1 is also vulnerable to CVE-2015-0292. SA 7.2 and later releases are not vulnerable.
SSL Visibility
SSLV 3.7 and 3.8 prior to 3.8.3-120 are vulnerable to CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0289, and CVE-2015-0292. SSLV 3.8.4FC and later versions are not vulnerable.
Unified Agent
Unified Agent 4.1 is vulnerable to CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, and CVE-2015-0292. Unified Agent 4.5, 4.6, and 4.7 are not vulnerable to any CVEs.
X-Series XOS
XOS 9.6, 9.7, 10.0 prior to 10.0.6, and 11.0 prior to 11.0.2 are not known to be vulnerable to any CVEs, but do include vulnerable versions of OpenSSL. See Advisory Details for more information.
PATCHES
Android Mobile Agent
Android Mobile Agent 1.3 - a fix is available in 1.3.8.
BCAAA
BCAAA 6.1 - a fix will not be provided. CoreID is no longer supported and an updated Novell SDK is not available. Please contact CoreID and Novell for more information.
BCAAA 5.5 - a fix will not be provided. CoreID is no longer supported and an updated Novell SDK is not available. Please contact CoreID and Novell for more information.
CacheFlow
CacheFlow 3.4 - a fix is available in 3.4.2.2.
CacheFlow 2.2 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
Client Connector
1.x - a fix will not be provided. Please upgrade to the latest version of Unified Agent with the vulnerability fixes.
Content Analysis System
CAS 1.2 - a fix is available in 1.2.3.1.
CAS 1.1 - a fix is available in 1.1.5.6.
Director
Director 6.1 - a fix for CVE-2015-0292 only is available in 6.1.18.1. A fix for all CVEs is available in 6.1.19.1.
IntelligenceCenter
IC 3.3 - a fix will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please upgrade to a version of NetX with the fixes.
IC 3.2 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
IntelligenceCenter Data Collector
DC 3.3 - a fix will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please upgrade to a version of NetX with the fixes.
DC 3.2 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
Malware Analysis Appliance
MAA 4.2 - a fix for all vulnerabilities is available in 4.2.5.
MAA 4.1 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
Malware Analyzer G2
MAG2 4.1 and prior - please upgrade to a version of MAA with the vulnerability fixes.
Management Center
MC 1.3 - a fix is available in 1.3.3.2.
MC 1.2 and earlier - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is available in 5.3.4.
Norman Shark Network Protection
NNP 5.3 - a fix is available in 5.3.4.
NNP 5.2 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
Norman Shark SCADA Protection
NSP 5.3 - a fix is available in 5.3.4.
NSP 5.2 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
OPIC
OPIC 1.x - a fix will not be provided. Please contact Blue Coat Support to request a fix.
PacketShaper
PacketShaper 9.2 - a fix is available in 9.2.13p1.
PacketShaper S-Series
PS S-Series 11.3 - a fix is available in 11.3.1.2.
PS S-Series 11.2 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
PolicyCenter
PolicyCenter 9.2 - a fix is available in 9.2.13p1.
ProxyAV
ProxyAV 3.5 - a fix is available in 3.5.3.2.
ProxyAV 3.4 - a fix is available in 3.4.3.1.
ProxyClient
ProxyClient for Windows X 3.4 and prior - a fix will not be provided. Please upgrade to the latest version of Unified Agent with the vulnerability fixes.
ProxySG
SGOS 6.6 - a fix is available in 6.6.2.1.
SGOS 6.5 - a fix is available in 6.5.7.5.
SGOS 6.2 - a fix is available in 6.2.16.4.
Reporter
Reporter 9.5 - a fix is available in 9.5.3.
Reporter 9.4 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
Security Analytics Platform
SA 7.1 - a fix is available in 7.1.8.
SA 7.0 - a patch RPM to update the version of OpenSSL is available through Blue Coat Support.
SA 6.6 - a patch RPM to update the version of OpenSSL is available through Blue Coat Support.
SSL Visibility
SSLV 3.8 - a fix is available in 3.8.3-120.
SSLV 3.8.2f - a fix will not be provided. Please upgrade to a later version with the vulnerability fix.
SSLV 3.7 - a fix will not be provided. Please upgrade to a later version with the vulnerability fix.
Unified Agent
UA 4.1 - a fix will not be provided. Please upgrade to 4.5 or a later version.
X-Series XOS
XOS 11.0 - a fix is available in 11.0.2.
XOS 10.0 - a fix is available in 10.0.6.
XOS 9.7 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
XOS 9.6 - a fix will not be provided. Please upgrade to a later version with the vulnerability fixes.
ADDITIONAL PRODUCT INFORMATION
Blue Coat products may act as both client and server in SSL/TLS connections, and may use application functionality for cryptographic operations. Blue Coat products act as a client when connecting to Blue Coat services such as WebPulse, DRTR, and licensing and subscription services. Products should be considered vulnerable in all interfaces that provide SSL/TLS connections for data and management interfaces unless the CVE is specific to SSL/TLS client or server functionality (as noted in the descriptions above) or unless otherwise stated below:
- CAS: CVE-2015-0286 affects web management, ICAP, subscriptions, licensing, whitelisting, and communication with MAA
- MAA/MAG2: CVE-2015-0286, CVE-2015-0287, and CVE-2015-0289 affect REST API and management interfaces.
- ProxyAV: CVE-2015-0286 affects web management, ICAP, AV pattern updates, licensing, and firmware updates
- ProxySG: CVE-2015-0288 affects only system upgrades. CVE-2015-0289 affects system upgrades and downgrades and trust package updates. CVE-2015-0293 affects management interfaces, client connections, forward and reverse proxy interfaces.
- SSLV: CVE-2015-0286 affects data and management planes
Blue Coat products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs. However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Reporter on Linux, Unified Agent on Linux, and ProxyClient.
Blue Coat products do not enable or use all functionality within OpenSSL. Products that do not utilize or enable the functionality described in a CVE are not vulnerable to that CVE. However, fixes for those CVEs will be included in the patches that are provided. The following products include vulnerable versions of OpenSSL, but do not use the functionality described in the CVEs and are not known to be vulnerable.
- Android Mobile Agent: CVE-2015-0209, CVE-2015-0288, and CVE-2015-0293
- BCAAA: CVE-2015-0209, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293
- CacheFlow: CVE-2015-0209
- Client Connector: CVE-2015-0209, CVE-2015-0288, and CVE-2015-0293
- Content Analysis System: CVE-2015-0209
- Director: CVE-2015-0209
- IntelligenceCenter: none
- Malware Analysis Appliance: CVE-2015-0293 (export ciphers are not enabled)
- Malware Analyzer G2: CVE-2015-0293 (export ciphers are not enabled)
- Management Center: CVE-2015-0293 (SSLv2 and export ciphers are not enabled)
- Norman Shark Industrial Control System Protection: CVE-2015-0293 (export ciphers are not enabled)
- Norman Shark Network Protection: CVE-2015-0293 (export ciphers are not enabled)
- Norman Shark SCADA Protection: CVE-2015-0293 (export ciphers are not enabled)
- OPIC: CVE-2015-0209, CVE-2015-0288, and CVE-2015-0293
- PacketShaper: none
- PacketShaper S-Series: none
- PolicyCenter: none
- ProxyAV: CVE-2015-0288
- ProxyClient: CVE-2015-0209, CVE-2015-0288, and CVE-2015-0293
- ProxySG: CVE-2015-0209
- Reporter for Windows and ISO versions: CVE-2015-0209, CVE-2015-0289, and CVE-2015-0292
- Security Analytics Platform: CVE-2015-0287, CVE-2015-0289, and CVE-2015-0293 (SSLv2 is not enabled)
- SSL Visibility: CVE-2015-0288, CVE-2015-0293 (SSLv2 is not enabled)
- Unified Agent: CVE-2015-0209 and CVE-2015-0293 (4.1 only)
- X-Series XOS: CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0292, and CVE-2015-0293
The following products are not vulnerable:
Advanced Secure Gateway
Auth Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
Mail Threat Defense
PolicyCenter S-Series
ProxyAV ConLog and ConLogXP
Blue Coat no longer provides vulnerability information for the following products:
DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.
ISSUES
Thirteen vulnerabilities were announced in OpenSSL Security Advisory March 19, 2015.
- CVE-2015-0207 is a flaw in DTLS that allows an attacker to cause a crash in a server listening for client connections. This vulnerability affects OpenSSL 1.0.2 before 1.0.2a.
- CVE-2015-0208 is a flaw in ASN.1 certificate verification that allows an attacker to send a crafted ASN.1 signature to a client or server and cause a crash. This vulnerability affects OpenSSL 1.0.2 before 1.0.2a.
- CVE-2015-0209 is a flaw in importing elliptic curve (EC) private key files that allows an attacker sending a malformed file to cause memory corruption and crashes. This vulnerability affects applications importing EC private keys from untrusted sources that are using OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a.
- CVE-2015-0285 is a flaw in the client that allows a handshake to proceed without ensuring that the pseudo random number generator (PRNG) has been seeded with sufficient entropy. If the handshake succeeds, an attacker who can capture the network traffic can use brute force to decrypt the encrypted session. This vulnerability affects clients using OpenSSL 1.0.2 before 1.0.2a.
- CVE-2015-0286 is a flaw in the ASN.1 certificate verification that allows an attacker to send a crafted X.509 certificate to a client or server which will cause a crash when the certificate is verified. This vulnerability affects OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a.
- CVE-2015-0287 is a flaw in ASN.1 parsing that allows an attacker to provide crafted ASN.1 encoded data which will cause a crash when decoded. This vulnerability does not affect certificates that are parsed, or OpenSSL clients and servers. This vulnerability affects OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a.
- CVE-2015-0288 is a flaw in the creation of a new certificate request from an existing certificate that allows an attacker sending an invalid certificate to the application to cause a crash. This vulnerability affects applications accepting untrusted certificates to create new certificate requests that use OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a.
- CVE-2015-0289 is a flaw in PKCS#7 parsing that allows an attacker to create malformed ASN.1 encoded data which will cause a crash when decoded. This vulnerability affects applications that verify PKCS#7 signatures, decrypt PKCS#7 data, or parse PKCS#7 data from untrusted sources. This vulnerability affects OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a.
- CVE-2015-0290 is a flaw in the multiblock performance improvement that allows an attacker to cause a crash due to a NULL pointer dereference. This vulnerability affects OpenSSL 1.0.2 before 1.0.2a on 64 bit x86 architecture platforms that support AES NI.
- CVE-2015-0291 is a flaw in the client renegotiation implementation that allows an attacker to send an invalid signature algorithm that may cause a server crash due to a NULL pointer dereference. The vulnerability affects OpenSSL 1.0.2 before 1.0.2a.
- CVE-2015-0292 is a flaw in the processing of base64 data that allows an attacker to create crafted base64 encoded data that will cause memory corruption or a crash when the base64 encoded data is processed. This vulnerability affects OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.
- CVE-2015-0293 allows a malicious client to cause a denial of service by sending a crafted SSLv2 message. This vulnerability affects servers that support SSLv2 and enable export cipher suites. This vulnerability affects OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a.
- CVE-2015-1787 allows a malicious client to cause a denial of service by sending a zero length ClientKeyExchange method message. This vulnerability affects servers using OpenSSL 1.0.2 before 1.0.2a.
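As an added example (not part of this advisory and not Blue Coat or OpenSSL code), the Python below maps an OpenSSL version string onto the affected ranges listed above, including the patch-letter ordering in which z is followed by za, zb, and so on. The function names are hypothetical and the sample versions are constructed; a match means the library version is in range, not that a product enables the affected functionality.

```python
import re

# Fixed releases per CVE, transcribed from the ISSUES list above.
ALL_BRANCHES = ("0.9.8zf", "1.0.0r", "1.0.1m", "1.0.2a")
ONLY_102 = ("1.0.2a",)
FIXED_IN = {
    "CVE-2015-0207": ONLY_102,
    "CVE-2015-0208": ONLY_102,
    "CVE-2015-0209": ALL_BRANCHES,
    "CVE-2015-0285": ONLY_102,
    "CVE-2015-0286": ALL_BRANCHES,
    "CVE-2015-0287": ALL_BRANCHES,
    "CVE-2015-0288": ALL_BRANCHES,
    "CVE-2015-0289": ALL_BRANCHES,
    "CVE-2015-0290": ONLY_102,
    "CVE-2015-0291": ONLY_102,
    "CVE-2015-0292": ("0.9.8za", "1.0.0m", "1.0.1h"),
    "CVE-2015-0293": ALL_BRANCHES,
    "CVE-2015-1787": ONLY_102,
}

# Matches a bare version ("1.0.1k") or one inside a banner such as the
# output of `openssl version` ("OpenSSL 1.0.1k 8 Jan 2015").
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)((?:z?[a-z])?)\b")


def parse_version(text):
    """Return ((major, minor, fix), patch_rank) for an OpenSSL version."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {text!r}")
    branch = tuple(int(g) for g in m.group(1, 2, 3))
    # Patch letters run a..z and then za..zz, so summing letter positions
    # orders them correctly: '' = 0, 'a' = 1, 'z' = 26, 'za' = 27, 'zf' = 32.
    rank = sum(ord(c) - ord("a") + 1 for c in m.group(4))
    return branch, rank


def affected_cves(version):
    """List the CVEs in this advisory whose affected range covers `version`."""
    branch, rank = parse_version(version)
    hits = []
    for cve, fixes in FIXED_IN.items():
        fixed_rank = dict(parse_version(f) for f in fixes)  # branch -> rank
        if branch in fixed_rank:
            vulnerable = rank < fixed_rank[branch]
        else:
            # "before 0.9.8zf" also covers branches older than 0.9.8.
            vulnerable = (0, 9, 8) in fixed_rank and branch < (0, 9, 8)
        if vulnerable:
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any product.
    for sample in ("0.9.8y", "0.9.8za", "OpenSSL 1.0.1k 8 Jan 2015", "1.0.2a"):
        print(sample, "->", ", ".join(affected_cves(sample)) or "none listed")
```

Conditions beyond the version (SSLv2 and export ciphers for CVE-2015-0293, AES-NI on 64-bit x86 for CVE-2015-0290) still have to be checked separately.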
MITIGATION
CVE-2015-0293 can be remediated by ensuring that SSLv2 has been disabled and export grade ciphers are disabled.
CVE-2015-0289 and CVE-2015-0292 can be remediated by converting untrusted PKCS#7 and PEM encoded content to an alternate format prior to importing.
REFERENCES
OpenSSL Security Advisory - https://www.openssl.org/news/secadv_20150319.txt
CVE-2015-0207 - https://nvd.nist.gov/vuln/detail/CVE-2014-0207
CVE-2015-0208 - https://nvd.nist.gov/vuln/detail/CVE-2014-0208
CVE-2015-0209 - https://nvd.nist.gov/vuln/detail/CVE-2014-0209
CVE-2015-0285 - https://nvd.nist.gov/vuln/detail/CVE-2014-0285
CVE-2015-0286 - https://nvd.nist.gov/vuln/detail/CVE-2014-0286
CVE-2015-0287 - https://nvd.nist.gov/vuln/detail/CVE-2014-0287
CVE-2015-0288 - https://nvd.nist.gov/vuln/detail/CVE-2014-0288
CVE-2015-0289 - https://nvd.nist.gov/vuln/detail/CVE-2014-0289
CVE-2015-0290 - https://nvd.nist.gov/vuln/detail/CVE-2014-0290
CVE-2015-0291 - https://nvd.nist.gov/vuln/detail/CVE-2014-0291
CVE-2015-0292 - https://nvd.nist.gov/vuln/detail/CVE-2014-0292
CVE-2015-0293 - https://nvd.nist.gov/vuln/detail/CVE-2014-0293
CVE-2015-1787 - https://nvd.nist.gov/vuln/detail/CVE-2014-1787
REVISION
2019-08-16 Fixes for IntelligenceCenter 3.3 and IntelligenceCenter Data Collector 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please upgrade to a version of NetX with the fixes. SA status moved to Final.
2019-01-20 Security Analytics 8.0 is not vulnerable.
2019-01-17 IntelligenceCenter Data Collector 3.2 and 3.3 are vulnerable. A fix will not be provided for IC and DC 3.2. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 PacketShaper S-Series 11.10 is not vulnerable.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-29 A fix for Android Mobile Agent is available in 1.3.8.
2017-05-17 CAS 2.1 is not vulnerable.
2017-03-06 MC 1.8 is not vulnerable. ProxySG 6.7 is not vulnerable. SSLV 4.0 is not vulnerable.
2016-12-04 PacketShaper S-Series 11.7 is not vulnerable. SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-15 MC 1.6 and 1.7 are not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-15 Advanced Secure Gateway is not vulnerable.
2016-08-11 Security Analytics 7.2 is not vulnerable.
2016-08-10 Unified Agent 4.7 is not vulnerable.
2016-07-15 A fix for XOS 10.0 is available in 10.0.6. A fix for XOS 11.0 is available in 11.0.2.
2016-07-15 SSLV 3.8.4FC and 3.9 are not vulnerable.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable. A fix for PacketShaper S-Series 11.2 will not be provided.
2016-06-27 PacketShaper S-Series 11.4 and 11.5 are not vulnerable.
2016-06-17 It was previously reported that fixes for XOS are available in 9.6.10, 9.7.6, and 10.0.3. Further investigation has shown that all versions of XOS still have a vulnerable version of OpenSSL, but are not vulnerable to known vectors of attack. A fix for XOS 9.6 will not be provided. Fixes for XOS 9.7, 10.0, and 11.0 are not available at this time.
2016-05-25 Reporter 10.1 is not vulnerable. A fix for Reporter 9.5 is available in 9.5.3. A fix for Reporter 9.4 will not be provided.
2016-05-24 PolicyCenter S-Series is not vulnerable.
2016-05-23 Made a correction that ProxyClient for Windows is vulnerable and ProxyClient for OS X is not vulnerable.
2016-05-21 General Auth Connector Login Application is not vulnerable. MC 1.4 and 1.5 are not vulnerable.
2016-05-20 CAS 1.3 is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-05-06 A fix for PacketShaper 9.2 is available in 9.2.13p1. A fix for PolicyCenter 9.2 is available in 9.2.13p1.
2016-04-23 Mail Threat Defense is not vulnerable.
2015-10-02 Fix is available for SSLV; fixes are available for ProxyAV 3.4 and 3.5
2015-10-01 Fix is available for ProxySG 6.6
2015-09-30 First fix for CAS 1.2 was in 1.2.3.1
2015-07-26 Fixes are available for Norman Shark products
2015-07-21 Reporter 9.5 is vulnerable; no fixes are available for Reporter Windows version 9.4; CacheFlow 3.4.2.2 is not vulnerable, but 3.3 is still vulnerable. CacheFlow 2.2 is vulnerable and no fixes will be available for it.
2015-07-02 Fixes are available for Malware Analysis and X-Series XOS
2015-07-02 Fixes will not be provided for NNP and NSP version 5.2
2015-06-17 Fixes are available for PacketShaper S-Series
2015-06-16 Initial public release