SA128 : Multiple PCRE Vulnerabilities

SSL Visibility Appliance Software


1374

02 March 2022

07 July 2016

OPEN

HIGH

CVSS v2: 9.0

SUMMARY

Blue Coat products that include vulnerable versions of the PCRE and GLib2 libraries are susceptible to multiple vulnerabilities.  A remote attacker can exploit these vulnerabilities to execute arbitrary code and obtain sensitive information.  The attacker can also cause denial of service through application crashes, buffer overflows, integer overflows, and excessive CPU consumption.

AFFECTED PRODUCTS 

The following products are vulnerable:

Advanced Secure Gateway (ASG)
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE-2015-8389, CVE-2015-8392, CVE-2015-8395, CVE-2016-1283 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1 |
| | 6.6 (vulnerable) | Upgrade to 6.6.5.1. |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 | 7.2 and later (not vulnerable to known vectors of attack) | Not available at this time |
| | 7.1 | Upgrade to later release with fixes. |
| | 6.6 (vulnerable) | Upgrade to 6.6.5.1. |
| CVE-2015-8380, CVE-2015-8391, CVE-2015-8393 | 7.1 | Upgrade to later release with fixes. |
| | 6.7 starting with 6.7.4.2, 7.2 and later (not vulnerable to known vectors of attack) | Not available at this time |
| | 6.7 prior to 6.7.4.2 | Not vulnerable, fixed. |
| | 6.6 (vulnerable) | Upgrade to 6.6.5.1. |

 

CacheFlow
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8387, CVE-2015-8394 | 3.4 | Fixed in 3.4.2.9 |

 

Director
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8386 | 6.1 | Upgrade to a version of MC with the fixes. |

 

Norman Shark Network Protection (NNP)
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394 | 5.3 | Upgrade to 5.3.6. |

 

ProxySG
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| All CVEs | 6.7 | Not vulnerable, fixed in 6.7.1.1. |
| | 6.6 | Upgrade to 6.6.5.1. |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 | 6.5 | Upgrade to 6.5.9.11. |

 

Security Analytics
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8380, CVE-2015-8385, CVE-2015-8388, CVE-2015-8391, CVE-2015-8392, CVE-2015-8393, CVE-2016-3191 | 8.1, 8.2 | Not available at this time |
| | 7.3 starting with 7.3.2, 8.0 | Upgrade to later release with fixes. |
| | 7.3.1 | Not vulnerable, fixed. |
| | 7.2 | Upgrade to 7.2.2. |
| | 6.6, 7.1 | Not vulnerable |
| CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, CVE-2015-8394 | 8.1, 8.2 | Not available at this time |
| | 7.3 starting with 7.3.2, 8.0 | Upgrade to later release with fixes. |
| | 7.3.1 | Not vulnerable, fixed |
| | 7.2 | Upgrade to 7.2.2. |
| | 6.6, 7.1 | Upgrade to later release with fixes. |

 

X-Series XOS
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2016-3191 | 9.7, 10.0, 11.0 | A fix will not be provided. |

 

The following products contain vulnerable versions of the PCRE or GLib2 libraries, but are not vulnerable to known vectors of attack:

Content Analysis System (CAS)
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 | 2.4 and later | Not available at this time |
| | 1.3, 2.1, 2.2, 2.3 | Upgrade to later release with fixes. |
| CVE-2015-8380, CVE-2015-8391, CVE-2015-8393 | 3.0 and later | Not available at this time |
| | 1.3, 2.2, 2.2, 2.3, 2.4 | Not vulnerable |

 

Integrated Security Gateway (ISG)
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394, CVE-2016-3191 | 2.1, 2.2, 2.3 | Not available at this time |

 

Mail Threat Defense (MTD)
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 | 1.1 | Upgrade to a version of CAS and SMG with the fixes. |

 

Malware Analysis Appliance (MAA)
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394 | 4.2 | Upgrade to 4.2.10. |

 

Management Center (MC)
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 | 3.1 and later | Not available at this time |
| | 1.5 - 3.0 | Upgrade to later release with fixes. |

 

Norman Shark Industrial Control System Protection (ICSP)
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394 | 5.3 | Upgrade to 5.3.6. |

 

Norman Shark SCADA Protection (NSP)
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394 | 5.3 | Upgrade to 5.3.6. |

 

PacketShaper (PS)
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, CVE-2015-8394 | 9.2 | Allot Secure Service Gateway (SSG) is a replacement product for PacketShaper. Switch to a version of SSG with the vulnerability fixes. |

 

PacketShaper (PS) S-Series
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 | 11.2 and later | Allot Secure Service Gateway (SSG) is a replacement product for PacketShaper S-Series. Switch to a version of SSG with the vulnerability fixes. |

 

PolicyCenter (PC)
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, CVE-2015-8394 | 9.2 | Allot NetXplorer is a replacement product for PolicyCenter. Switch to a version of NetXplorer with the vulnerability fixes. |

 

PolicyCenter (PC) S-Series
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 | 1.1 | Allot NetXplorer is a replacement product for PolicyCenter S-Series. Switch to a version of NetXplorer with the vulnerability fixes. |

 

Reporter
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8380, CVE-2015-8391, CVE-2015-8393 | 10.6, 11.0 | Not available at this time |
| | 10.3, 10.4, 10.5 | Upgrade to later release with fixes. |
| | 10.1, 10.2 | Not vulnerable |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 | 10.6, 11.0 | Not available at this time |
| | 10.1, 10.2, 10.3, 10.4, 10.5 | Upgrade to later release with fixes. |
| | 9.4, 9.5 | Not vulnerable |

 

SSL Visibility (SSLV)
| CVE | Affected Version(s) | Remediation |
| --- | --- | --- |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 | 4.5, 5.2 and later | Not available at this time |
| | 4.0 - 4.4, 5.0 | Upgrade to later release with fixes. |
| CVE-2015-8380, CVE-2015-8391, CVE-2015-8393 | 5.0 | Upgrade to later release with fixes. |
| | 4.5, 5.2 and later | Not available at this time |
| | 4.0 - 4.4 | Not vulnerable |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394 | 3.10 and later | Not vulnerable, fixed in 3.10.1.1 |
| | 3.9 | Upgrade to 3.9.4.1. |
| | 3.8.4FC | Upgrade to later releases with fixes. |

 

ADDITIONAL PRODUCT INFORMATION

ASG has multiple instances of the PCRE library. ASG is vulnerable prior to 6.6.5.1. The vulnerabilities are only exploitable in ASG when a malicious authenticated administrator with write access adds crafted regular expressions to policy. ASG versions starting with 6.6.5.1 only have vulnerable versions of the PCRE and GLib2 libraries, but they are not vulnerable to known vectors of attack.

The vulnerabilities are only exploitable in Director when a malicious authenticated administrator passes crafted regular expressions as arguments to CLI commands.

The vulnerabilities are only exploitable in ProxySG when a malicious authenticated administrator with write access adds crafted regular expressions to policy.

Some Blue Coat products do not accept regular expression patterns from untrusted sources and do not use the pcregrep utility.  The products listed below include vulnerable versions of the PCRE or GLib2 libraries, but are not known to be vulnerable to the CVEs below.  However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2015-8380, CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394, CVE-2016-3191
  • CAS: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
  • ISG: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390,  CVE-2015-8391, CVE-2015-8393, CVE-2015-8394, CVE-2016-3191
  • MTD: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
  • MAA: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394
  • MC: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
  • ICSP: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394
  • NSP: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394
  • PS: CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394
  • PC: CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394
  • Reporter 10.x: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
  • SSLV 3.x: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393 and CVE-2015-8394
  • SSLV 4.0: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2016-3191
  • XOS 9.7: CVE-2015-8380, CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8392, CVE-2015-8393, CVE-2015-8394, CVE-2015-8395, and CVE-2016-1283

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
Unified Agent
Web Isolation
WSS Agent

Information about the following products is not available. NetDialog NetX is a replacement product for IntelligenceCenter.
IntelligenceCenter
IntelligenceCenter Data Collector

Blue Coat no longer provides vulnerability information for the following products:

DLP

Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

 

CVE-2015-8380
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 77695 / NVD: CVE-2015-8380
Impact: Denial of service, unspecified other impact
Description: A flaw in regular expression execution allows a remote attacker to cause a heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2015-8381
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 76187 / NVD: CVE-2015-8381
Impact: Denial of service, unspecified other impact
Description: A flaw in group reference handling allows a remote attacker to cause a heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2015-8382
Severity / CVSSv2: Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
References: SecurityFocus: BID 76157 / NVD: CVE-2015-8382
Impact: Information disclosure, denial of service
Description: A flaw in regular expression execution allows a remote attacker to obtain sensitive information from the target's memory or cause denial of service through application crashes.

 

CVE-2015-8383
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 79810 / NVD: CVE-2015-8383
Impact: Denial of service, unspecified other impact
Description: A flaw in repeated conditional group handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2015-8384
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 85555 / NVD: CVE-2015-8384
Impact: Denial of service, unspecified other impact
Description: A flaw in recursive back reference handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2015-8385
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 85572 / NVD: CVE-2015-8385
Impact: Denial of service, unspecified other impact
Description: A flaw in forward reference handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2015-8386
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 82990 / NVD: CVE-2015-8386
Impact: Denial of service, unspecified other impact
Description: A flaw in lookbehind assertion and mutually recursive subpattern handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2015-8387
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 82990 / NVD: CVE-2015-8387
Impact: Denial of service, unspecified other impact
Description: A flaw in subroutine call handling allows a remote attacker to cause an integer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2015-8388
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 85576 / NVD: CVE-2015-8388
Impact: Denial of service, unspecified other impact
Description: A flaw in unmatched closing parenthesis handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2015-8389
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 82990 / NVD: CVE-2015-8389
Impact: Denial of service, unspecified other impact
Description: A flaw in pattern handling allows a remote attacker to cause infinite recursion via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2015-8390
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 82990 / NVD: CVE-2015-8390
Impact: Denial of service, unspecified other impact
Description: A flaw in character class handling allows a remote attacker to cause uninitialized memory reads via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2015-8391
Severity / CVSSv2: High / 9.0 (AV:N/AC:L/Au:N/C:P/I:P/A:C)
References: SecurityFocus: BID 82990 / NVD: CVE-2015-8391
Impact: Denial of service, unspecified other impact
Description: A flaw in nesting handling allows a remote attacker to cause excessive CPU consumption via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2015-8392
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 85573 / NVD: CVE-2015-8392
Impact: Denial of service, unspecified other impact
Description: A flaw in substring handling allows a remote attacker to cause a buffer overflow and unintended recursion via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2015-8393
Severity / CVSSv2: Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
References: SecurityFocus: BID 82990 / NVD: CVE-2015-8393
Impact: Information disclosure
Description: A flaw in the pcregrep utility allows a remote attacker to obtain sensitive information via a crafted binary file.

 

CVE-2015-8394
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 82990 / NVD: CVE-2015-8394
Impact: Denial of service, unspecified other impact
Description: A flaw in condition handling allows a remote attacker to cause an integer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2015-8395
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 85545 / NVD: CVE-2015-8395
Impact: Denial of service, unspecified other impact
Description: A flaw in reference handling allows a remote attacker to cause denial of service or unspecified other impact via a crafted regular expression.

 

CVE-2016-1283
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 79825 / NVD: CVE-2016-1283
Impact: Denial of service, unspecified other impact
Description: A flaw in named subgroup handling allows a remote attacker to cause a heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact.

 

CVE-2016-3191
Severity / CVSSv2: High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References: SecurityFocus: BID 84810 / NVD: CVE-2016-3191
Impact: Code execution, denial of service
Description: A flaw in substring and nested parenthesis handling allows a remote attacker to cause a stack-based buffer overflow via a crafted regular expression, resulting in arbitrary code execution or denial of service.

 

MITIGATION

These CVEs can be exploited in ASG and ProxySG 6.6 only by authenticated administrator users with write access.  Restricting the administrator users that have write access reduces the threat of exploiting the vulnerabilities.

These CVEs can be exploited in ASG, Director, and ProxySG only through their management interfaces.  Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.

REVISION

2022-03-02 SSLV 5.2 and later are vulnerable to all applicable CVEs.
2022-02-16 A fix for Reporter 10.5 will not be provided.  Please upgrade to a later version with the vulnerability fixes. 
2021-08-27 WSS Agent is not vulnerable.
2021-06-07 A fix for SSLV 5.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes. 
2021-06-01 A fix for MC 3.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2021-05-03 ISG 2.1, 2.2, and 2.3 have a vulnerable version of the PCRE library, but are not vulnerable to known vectors of attack.
2021-02-17 A fix for MC 2.4 and CA 2.3 will not be provided.  Please upgrade to a later version with the vulnerability fixes. 
2020-12-09 A fix for ASG 7.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes. 
2020-11-17 A fix for MTD 1.1 will not be provided.  Please upgrade to a version of CAS and SMG with the vulnerability fixes.  A fix for SA 7.3 and 8.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes.  A fix for XOS 9.7, 10.0, and 11.0 will not be provided.  A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.  A fix for Reporter 10.4 will not be provided.  Please upgrade to a later version with the vulnerability fixes. 
2020-11-12 Content Analysis 3.1 contains vulnerable versions of the PCRE or GLib2 libraries, but is not vulnerable to known vectors of attack.
2020-08-19 A fix for MC 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-04-27 Provided corrected vulnerability information for Content Analysis, Mail Threat Defense, Management Center, PacketShaper S-Series, PolicyCenter S-Series, Reporter, Security Analytics, and SSL Visibility.
2020-04-26 Provided corrected vulnerability information for Advanced Secure Gateway. Information about IntelligenceCenter and IntelligenceCenter Data Collector is not available. NetDialog NetX is a replacement product for IntelligenceCenter.
2020-04-04 A fix for PacketShaper S-Series and PolicyCenter S-Series will not be provided.  Allot Secure Service Gateway (SSG) is a replacement product for PacketShaper S-Series. Please switch to a version of SSG with the vulnerability fixes. A fix for PolicyCenter S-Series will not be provided. Allot NetXplorer is a replacement product for PolicyCenter S-Series. Please switch to a version of NetXplorer with the vulnerability fixes.
2019-10-10 A fix will not be provided for PacketShaper 9.2.  Please upgrade to a version of PacketShaper S-Series with the vulnerability fixes.  A fix will not be provided for PolicyCenter 9.2.  Please upgrade to a version of PolicyCenter S-Series with the vulnerability fixes.
2019-10-03 Web Isolation is not vulnerable.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-29 Reporter 10.4 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2019-08-12 MC 2.2 and MC 2.3 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack. A fix for MC 2.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for SSLV 4.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-02-04 A fix for CA 1.3 and 2.2 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2019-01-21 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable.
2019-01-14 SSLV 4.4 and 5.0 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack.
2019-01-14 Reporter 10.3 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2019-01-11 A fix for CA 2.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-09-24 A fix for SSLV 3.8.4FC will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-07-26 MC 2.0 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2018-07-24 A fix for CacheFlow 3.4 is available in 3.4.2.9.
2018-06-26 A fix for CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2016-3191 in SSLV 4.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-04-26 A fix for SSLV 4.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3, PacketShaper S-Series 11.10, and Reporter 10.2 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 4.2 has vulnerable versions of PCRE, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-11-08 CAS 2.2 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2017-11-07 MC 1.11 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.  A fix for MC 1.10 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-06 ASG 6.6 prior to 6.6.5.1 is vulnerable to all CVEs.  ASG 6.6 starting with 6.6.5.1 and 6.7 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack.
2017-10-26 It was previously reported that CacheFlow 3.4 is vulnerable to CVE-2015-8386 and CVE-2015-8390.  Further investigation has shown that CacheFlow 3.4 is not vulnerable to these CVEs.
2017-08-03 SSLV 4.1 has a vulnerable version of PCRE, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-07-25 PS S-Series 11.9 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-07-21 MC 1.10 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PS S-Series 11.8 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-05-29 A fix for Security Analytics 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-05-18 CAS 2.1 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2017-03-30 MC 1.9 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2017-03-08 MC 1.6, MC 1.7, MC 1.8, and SSLV 4.0 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack.  ProxySG 6.7 is not vulnerable.  Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2017-01-25 A fix for Security Analytics 7.2 is available in 7.2.2.
2016-12-03 PS S-Series 11.7 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2016-12-03 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-11-03 A fix for MAA is available in 4.2.10.  A fix for ProxySG 6.6 is available in 6.6.5.1.
2016-09-09 A fix for ProxySG 6.5 is available in 6.5.9.11.
2016-08-12 Security Analytics 7.2 is vulnerable to CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394.
2016-08-10 A fix for SSLV 3.9 is available in 3.9.4.1.
2016-07-12 Reporter 9.4 and 9.5 are not vulnerable.
2016-07-11 MAA 4.2 has a vulnerable version of PCRE, but is not vulnerable to known vectors of attack.
2016-07-07 Initial public release.