SA128 : Multiple PCRE Vulnerabilities
1374
02 March 2022
07 July 2016
OPEN
HIGH
CVSS v2: 9.0
SUMMARY
Blue Coat products that include vulnerable versions of the PCRE and GLib2 libraries are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to execute arbitrary code and obtain sensitive information. The attacker can also cause denial of service through application crashes, buffer overflows, integer overflows, and excessive CPU consumption.
AFFECTED PRODUCTS
The following products are vulnerable:
| Advanced Secure Gateway (ASG) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE-2015-8389, CVE-2015-8392, CVE-2015-8395, CVE-2016-1283 |
6.7 and later | Not vulnerable, fixed in 6.7.2.1 |
| 6.6 (vulnerable) | Upgrade to 6.6.5.1. | |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 |
7.2 and later (not vulnerable to known vectors of attack) | Not available at this time |
| 7.1 | Upgrade to later release with fixes. | |
| 6.6 (vulnerable) | Upgrade to 6.6.5.1. | |
| CVE-2015-8380, CVE-2015-8391, CVE-2015-8393 |
7.1 | Upgrade to later release with fixes. |
| 6.7 starting with 6.7.4.2, 7.2 and later (not vulnerable to known vectors of attack) | Not available at this time | |
| 6.7 prior to 6.7.4.2 | Not vulnerable, fixed. | |
| 6.6 (vulnerable) | Upgrade to 6.6.5.1. | |
| CacheFlow | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8387, CVE-2015-8394 |
3.4 | Fixed in 3.4.2.9 |
| Director | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8386 | 6.1 | Upgrade to a version of MC with the fixes. |
| Norman Shark Network Protection (NNP) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394 |
5.3 | Upgrade to 5.3.6. |
| ProxySG | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| All CVEs | 6.7 | Not vulnerable, fixed in 6.7.1.1. |
| 6.6 | Upgrade to 6.6.5.1. | |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 |
6.5 | Upgrade to 6.5.9.11. |
| Security Analytics | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8380, CVE-2015-8385, CVE-2015-8388, CVE-2015-8391, CVE-2015-8392, CVE-2015-8393, CVE-2016-3191 |
8.1, 8.2 | Not available at this time |
| 7.3 starting with 7.3.2, 8.0 | Upgrade to later release with fixes. | |
| 7.3.1 | Not vulnerable, fixed. | |
| 7.2 | Upgrade to 7.2.2. | |
| 6.6, 7.1 | Not vulnerable | |
| CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, CVE-2015-8394 |
8.1, 8.2 | Not available at this time |
| 7.3 starting with 7.3.2, 8.0 | Upgrade to later release with fixes. | |
| 7.3.1 | Not vulnerable, fixed | |
| 7.2 | Upgrade to 7.2.2. | |
| 6.6, 7.1 | Upgrade to later release with fixes. | |
| X-Series XOS | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2016-3191 |
9.7, 10.0, 11.0 | A fix will not be provided. |
The following products contain vulnerable versions of the PCRE or GLib2 libraries, but are not vulnerable to known vectors of attack:
| Content Analysis System (CAS) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 |
2.4 and later | Not available at this time |
| 1.3, 2.1, 2.2, 2.3 | Upgrade to later release with fixes. | |
| CVE-2015-8380, CVE-2015-8391, CVE-2015-8393 |
3.0 and later | Not available at this time |
| 1.3, 2.2, 2.2, 2.3, 2.4 | Not vulnerable | |
| Integrated Security Gateway (ISG) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394, CVE-2016-3191 |
2.1, 2.2, 2.3 | Not available at this time |
| Mail Threat Defense (MTD) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 |
1.1 | Upgrade to a version of CAS and SMG with the fixes. |
| Malware Analysis Appliance (MAA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394 |
4.2 | Upgrade to 4.2.10. |
| Management Center (MC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 |
3.1 and later | Not available at this time |
| 1.5 - 3.0 | Upgrade to later release with fixes. | |
| Norman Shark Industrial Control System Protection (ICSP) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394 |
5.3 | Upgrade to 5.3.6. |
| Norman Shark SCADA Protection (NSP) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394 |
5.3 | Upgrade to 5.3.6. |
| PacketShaper (PS) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, CVE-2015-8394 |
9.2 | Allot Secure Service Gateway (SSG) is a replacement product for PacketShaper. Switch to a version of SSG with the vulnerability fixes. |
| PacketShaper (PS) S-Series | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 |
11.2 and later | Allot Secure Service Gateway (SSG) is a replacement product for PacketShaper S-Series. Switch to a version of SSG with the vulnerability fixes. |
| PolicyCenter (PC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, CVE-2015-8394 |
9.2 | Allot NetXplorer is a replacement product for PolicyCenter. Switch to a version of NetXplorer with the vulnerability fixes. |
| PolicyCenter (PC) S-Series | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 |
1.1 | Allot NetXplorer is a replacement product for PolicyCenter S-Series. Switch to a version of NetXplorer with the vulnerability fixes. |
| Reporter | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8380, CVE-2015-8391, CVE-2015-8393 |
10.6, 11.0 | Not available at this time |
| 10.3, 10.4, 10.5 | Upgrade to later release with fixes. | |
| 10.1, 10.2 | Not vulnerable | |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 |
10.6, 11.0 | Not available at this time |
| 10.1, 10.2, 10.3, 10.4, 10.5 | Upgrade to later release with fixes. | |
| 9.4, 9.5 | Not vulnerable | |
| SSL Visibility (SSLV) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8394, CVE-2016-3191 |
4.5, 5.2 and later | Not available at this time |
| 4.0 - 4.4, 5.0 | Upgrade to later release with fixes. | |
| CVE-2015-8380, CVE-2015-8391, CVE-2015-8393 |
5.0 | Upgrade to later release with fixes. |
| 4.5, 5.2 and later | Not available at this time | |
| 4.0 - 4.4 | Not vulnerable | |
| CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393, CVE-2015-8394 |
3.10 and later | Not vulnerable, fixed in 3.10.1.1 |
| 3.9 | Upgrade to 3.9.4.1. | |
| 3.8.4FC | Upgrade to later releases with fixes. | |
ADDITIONAL PRODUCT INFORMATION
ASG has multiple instances of the PCRE library. ASG is vulnerable prior to 6.6.5.1. The vulnerabilities are only exploitable in ASG when a malicious authenticated administrator with write access adds crafted regular expressions to policy. ASG versions starting with 6.6.5.1 only have vulnerable versions of the PCRE and GLib2 libraries, but they are not vulnerable to known vectors of attack.
The vulnerabilities are only exploitable in Director when a malicious authenticated administrator passes crafted regular expressions as arguments to CLI commands.
The vulnerabilities are only exploitable in ProxySG when a malicious authenticated administrator with write access adds crafted regular expressions to policy.
Some Blue Coat products do not accept regular expression patterns from untrusted sources and do not use the pcregrep utility. The products listed below include vulnerable versions of the PCRE or GLib2 libraries, but are not known to be vulnerable to the CVEs below. However, fixes for these CVEs will be included in the patches that are provided.
- ASG: CVE-2015-8380, CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394, CVE-2016-3191
- CAS: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
- ISG: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394, CVE-2016-3191
- MTD: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
- MAA: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394
- MC: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
- ICSP: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394
- NSP: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8388, CVE-2015-8390, CVE-2015-8393, and CVE-2015-8394
- PS: CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394
- PC: CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394
- Reporter 10.x: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, and CVE-2016-3191
- SSLV 3.x: CVE-2015-8382, CVE-2015-8385, CVE-2015-8387, CVE-2015-8390, CVE-2015-8393 and CVE-2015-8394
- SSLV 4.0: CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2016-3191
- XOS 9.7: CVE-2015-8380, CVE-2015-8381, CVE-2015-8383, CVE-2015-8384, CVE-2015-8387, CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8392, CVE-2015-8393, CVE-2015-8394, CVE-2015-8395, and CVE-2016-1283
The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
Unified Agent
Web Isolation
WSS Agent
Information about the following products is not available. NetDialog NetX is a replacement product for IntelligenceCenter.
IntelligenceCenter
IntelligenceCenter Data Collector
Blue Coat no longer provides vulnerability information for the following products:
DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.
ISSUES
| CVE-2015-8380 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 77695 / NVD: CVE-2015-8380 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in regular expression execution allows a remote attacker to cause a heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2015-8381 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 76187 / NVD: CVE-2015-8381 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in group reference handling allows a remote attacker to cause a heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2015-8382 | |
|---|---|
| Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P) |
| References | SecurityFocus: BID 76157 / NVD: CVE-2015-8382 |
| Impact | Information disclosure, denial of service |
| Description | A flaw in regular expression execution allows a remote attacker to obtain sensitive information from the target's memory or cause denial of service through application crashes. |
| CVE-2015-8383 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 79810 / NVD: CVE-2015-8383 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in repeated conditional group handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2015-8384 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 85555 / NVD: CVE-2015-8384 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in recursive back reference handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2015-8385 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 85572 / NVD: CVE-2015-8385 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in forward reference handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2015-8386 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 82990 / NVD: CVE-2015-8386 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in lookbehind assertion and mutually recursive subpattern handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2015-8387 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 82990 / NVD: CVE-2015-8387 |
| Impact | Denial of service, unspecified other impact. |
| Description | A flaw in subroutine call handling allows a remote attacker to cause an integer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2015-8388 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 85576 / NVD: CVE-2015-8388 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in unmatched closing parenthesis handling allows a remote attacker to cause a buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2015-8389 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 82990 / NVD: CVE-2015-8389 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in pattern handling allows a remote attacker to cause infinite recursion via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2015-8390 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 82990 / NVD: CVE-2015-8390 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in character class handling allows a remote attacker to cause uninitialized memory reads via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2015-8391 | |
|---|---|
| Severity / CVSSv2 | High / 9.0 (AV:N/AC:L/Au:N/C:P/I:P/A:C) |
| References | SecurityFocus: BID 82990 / NVD: CVE-2015-8391 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in nesting handling allows a remote attacker to cause excessive CPU consumption via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2015-8392 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 85573 / NVD: CVE-2015-8392 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in substring handling allows a remote attacker to cause a buffer overflow and unintended recursion via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2015-8393 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) |
| References | SecurityFocus: BID 82990 / NVD: CVE-2015-8393 |
| Impact | Information disclosure |
| Description | A flaw in the pcregrep utility allows a remote attacker to obtain sensitive information via a crafted binary file. |
| CVE-2015-8394 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 82990 / NVD: CVE-2015-8394 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in condition handling allows a remote attacker to cause an integer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2015-8395 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 85545 / NVD: CVE-2015-8395 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in reference handling allows a remote attacker to cause denial of service or unspecified other impact via a crafted regular expression. |
| CVE-2016-1283 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 79825 / NVD: CVE-2016-1283 |
| Impact | Denial of service, unspecified other impact |
| Description | A flaw in named subgroup handling allows a remote attacker to cause heap-based buffer overflow via a crafted regular expression, resulting in denial of service or unspecified other impact. |
| CVE-2016-3191 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 84810 / NVD: CVE-2016-3191 |
| Impact | Code execution, denial of service |
| Description | A flaw in substring and nested parenthesis handling allows a remote attacker to cause stack-based buffer overflow via a crafted regular expression, resulting in arbitrary code execution or denial of service. |
MITIGATION
These CVEs can be exploited in ASG and ProxySG 6.6 only by authenticated administrator users with write access. Restricting the administrator users that have write access reduces the threat of exploiting the vulnerabilities.
These CVEs can be exploited in ASG, Director, and ProxySG only through their management interfaces. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.
REVISION
2022-03-02 SSLV 5.2 and later are vulnerable to all applicable CVEs.
2022-02-16 A fix for Reporter 10.5 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-08-27 WSS Agent is not vulnerable.
2021-06-07 A fix for SSLV 5.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-06-01 A fix for MC 3.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-05-03 ISG 2.1, 2.2, and 2.3 have a vulnerable version of the PCRE library, but is not vulnerable to known vectors of attack.
2021-02-17 A fix for MC 2.4 and CA 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-12-09 A fix for ASG 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-17 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 contains vulnerable versions of the PCRE or GLib2 libraries, but is not vulnerable to known vectors of attack.
2020-08-19 A fix for MC 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-04-27 Provided corrected vulnerability information for Content Analysis, Mail Threat Defense, Management Center, PacketShaper S-Series, PolicyCenter S-Series, Reporter, Security Analytics, and SSL Visibility.
2020-04-26 Provided corrected vulnerability information for Advanced Secure Gateway. Information about IntelligenceCenter and IntelligenceCenter Data Collector is not available. NetDialog NetX is a replacement product for IntelligenceCenter.
2020-04-04 A fix for PacketShaper S-Series and PolicyCenter S-Series will not be provided. Allot Secure Service Gateway (SGG) is a replacement product for PacketShaper S-Series. Please switch to a version of SSG with the vulnerability fixes. A fix for PolicyCenter S-Series will not be provided. Allot NetXplorer is a replacement product PolicyCenter S-Series. Please switch to a version of NetXplorer with the vulnerability fixes.
2019-10-10 A fix will not be provided for PacketShaper 9.2. Please upgrade to a version of PacketShaper S-Series with the vulnerability fixes. A fix will not be provided for PolicyCenter 9.2. Please upgrade to a version of PolicyCenter S-Series with the vulnerability fixes.
2019-10-03 Web Isolation is not vulnerable.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-29 Reporter 10.4 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2019-08-12 MC 2.2 and MC 2.3 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack. A fix for MC 2.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for SSLV 4.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-02-04 A fix for CA 1.3 and 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-21 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable.
2019-01-14 SSLV 4.4 and 5.0 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack.
2019-01-14 Reporter 10.3 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-09-24 A fix for SSLV 3.8.4FC will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-07-26 MC 2.0 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2018-07-24 A fix for CacheFlow 3.4 is available in 3.4.2.9.
2018-06-26 A fix for CVE-2015-8382, CVE-2015-8385, CVE-2015-8386, CVE-2015-8388, CVE-2016-3191 in SSLV 4.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3, PacketShaper S-Series 11.10, and Reporter 10.2 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 4.2 has vulnerable versions of PCRE, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-11-08 CAS 2.2 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2017-11-07 MC 1.11 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-06 ASG 6.6 prior to 6.6.5.1 is vulnerable to all CVEs. ASG 6.6 starting with 6.6.5.1 and 6.7 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attacks.
2017-10-26 It was previously reported that CacheFlow 3.4 is vulnerable to CVE-2015-8386 and CVE-2015-8390. Further investigation has shown that CacheFlow 3.4 is not vulnerable to these CVEs.
2017-08-03 SSLV 4.1 has vulnerable version of PCRE, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-07-25 PS S-Series 11.9 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-07-21 MC 1.10 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PS S-Series 11.8 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-05-29 A fix for Security Analytics 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-05-18 CAS 2.1 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2017-03-30 MC 1.9 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack.
2017-03-08 MC 1.6, MC 1.7, MC 1.8, and SSLV 4.0 have vulnerable versions of PCRE and GLib2, but are not vulnerable to known vectors of attack. ProxySG 6.7 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2017-01-25 A fix for Security Analytics 7.2 is available in 7.2.2.
2016-12-03 PS S-Series 11.7 has vulnerable versions of PCRE and GLib2, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2016-12-03 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-11-03 A fix for MAA is available in 4.2.10. A fix for ProxySG 6.6 is avaialble in 6.6.5.1.
2016-09-09 A fix for ProxySG 6.5 is available in 6.5.9.11.
2016-08-12 Security Analytics 7.2 is vulnerable to CVE-2015-8382, CVE-2015-8386, CVE-2015-8387, CVE-2015-8390, and CVE-2015-8394.
2016-08-10 A fix for SSLV 3.9 is available in 3.9.4.1.
2016-07-12 Reporter 9.4 and 9.5 are not vulnerable.
2016-07-11 MAA 4.2 has a vulnerable version of PCRE, but is not vulnerable to known vectors of attack.
2016-07-07 initial public release