SUMMARY 

AFFECTED PRODUCTS 

The following products are vulnerable:

The following products contain vulnerable versions of the libxml2 library, but are not vulnerable to known vectors of attack:

ADDITIONAL PRODUCT INFORMATION

Some Blue Coat products do not accept XML data from untrusted sources.  The products listed below include vulnerable versions of the libxml2 library, but are not known to be vulnerable to the CVEs below.  However, fixes for these CVEs will be included in the patches that are provided.

• ASG: all CVEs
• CAS: all CVEs
• MTD: all CVEs
• MAA: all CVEs except CVE-2016-4448 and CVE-2016-4449
• MC: all CVEs
• PacketShaper S-Series: all CVEs
• PolicyCenter S-Series: all CVEs
• Reporter 10.x: all CVEs
• SSLV: all CVEs except CVE-2016-4448 and CVE-2016-4449

The following products are not vulnerable:
Android Mobile Agent
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Unified Agent
Web Isolation
WSS Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP

Please, contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

MITIGATION

<proxy>
http.request.detection.xml.invalid(block)

REVISION

2022-03-04 SSLV 4.5 is not vulnerable because a fix is available in 4.5.6.8.
2022-03-02 SSLV 5.2 and later are not vulnerable because a fix is available in 5.2.1.1.
2021-08-27 WSS Agent is not vulnerable.
2021-06-07 A fix for SSLV 5.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes. 
2020-12-10 A fix for ASG 7.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes. 
2020-11-17 A fix for MTD 1.1 will not be provided.  Please upgrade to a version of CAS and SMG with the vulnerability fixes.  A fix for SA 7.3 and 8.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes.  A fix for XOS 9.7, 10.0, and 11.0 will not be provided.  A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-04-27 Security Analytics 8.1 is vulnerable to CVE-2016-4483. SSL Visibility (SSLV) 4.5 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1. Fixes will not be provided for Industrical Control System Protection (ICSP) 5.3, Reporter 10.3, Reporter 10.4, and SSL Visibility (SSLV) 3.9. Please upgrade to later versions with the vulnerability fixes.
2020-04-03 A fix will not be provided for CVE-2016-4483 in PacketShaper S-Series. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Please switch to a version of SSG with the vulnerability fixes. A fix will not be provided for CVE-2016-4483 in PolicyCenter S-Series. Allow NetXplorer is a replacement product for PolicyCenter S-Series. Please switch to a version of NetXplorer with the vulnerability fixes. 
2019-10-03 Web Isolation is not vulnerable.
2019-08-30 Reporter 10.4 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-02-04 A fix for CA 1.3 and 2.2 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2019-01-29 ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2019-01-21 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable to CVE-2016-4483.
2019-01-18 SSLV 4.4 is not vulnerable.  SSLV 5.0 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.
2019-01-14 A fix for CVE-2016-4483 in MC 1.11 will not be provided.  Please upgrade to a later version with the vulnerability fixes.  Reporter 10.3 has a vulnerable version in libxml2, but is not vulnerable to known vectors of attack
2019-01-11 A fix for CVE-2016-4483 in CA 2.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-07-27 A fix for CVE-2016-4448 in MA 4.2 is available in 4.2.12.
2018-07-24 MC 2.0 is not vulnerable because a fix for CVE-2016-4483 is available in 2.0.1.1.
2018-07-02 A fix for CVE 2016-4483 in SSLV 4.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-06-30 A fix for SSLV 4.3 is available in 4.3.1.1.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2018-06-26 A fix for AuthConnector is available in 2.5.5500.
2018-04-25 A fix for XOS 9.7 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CAS 2.3 is not vulnerable because a fix is available in 2.3.1.1.  PacketShaper S-Series 11.10 and Reporter 10.2 have a vulnerable version of libxml2, but are not vulnerable to known vectors of attack.
2018-04-06 A fix for all CVEs except CVE-2016-4448 in SSLV 3.9 is available in 3.9.4.1.  A fix for all CVEs except CVE-2016-4448 is available in Packetshaper S-Series 11.7 and 11.8.
2018-02-22 A fix for CVE-2016-4448 in SSLV 3.10 is available in 3.10.4.1.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-16 A fix for SSLV 3.9 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-11-15 SSLV 4.2 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-11-08 CAS 2.2 is vulnerable to CVE-2016-4483.
2017-11-07 MC 1.11 has vulnerable versions of a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.  A fix for MC 1.10 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-06 ASG 6.6 starting with 6.6.5.2 has a vulnerable version of libxml2 for all CVEs, but is not vulnerable to known vectors of attack.  ASG 6.7 is vulnerable to CVE-2016-4483.
2017-08-03 SSLV 4.1 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-07-25 PS S-Series 11.9 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-07-21 MC 1.10 has vulnerable versions of a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.  A fix for MC 1.9 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-07-10 A fix for CVE-2016-4448 in SSLV 3.11 is available in 3.11.4.1.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PS S-Series 11.7 and 11.8 have a vulnerable version of libxml2.  PS S-Series is not vulnerable to known vectors of attack.
2017-05-18 CAS 2.1 is vulnerable to CVE-2016-4483.
2017-03-30 MC 1.9 has a vulnerable version of libxml2 for CVE-2016-4483, but is not vulnerable to known vectors of attack.
2017-03-08 A fix for all CVEs except CVE-2016-4483 in PolicyCenter S-Series 1.1 is available in 1.1.3.1.
2017-03-08 MC 1.8 and SSLV 4.0 have a vulnerable version of libxml2, but are not vulnerable to known vectors of attack.  ProxySG 6.7 is not vulnerable.  Previously, it was reported that a fix for all CVEs in PacketShaper S-Series 11.6 is available in 11.6.1.3.  Further investigation has shows that all versions of PS S-Series still have a vulnerable version of libxml2 for CVE-2016-4483.  PS S-Series is not vulnerable to known vectors of attack.
2017-01-25 A fix for SA 7.2 is available in 7.2.2.
2017-01-24 A fix for all CVEs except CVE-2016-4483 in CAS 1.3 is available in 1.3.7.3.
2017-01-10 A fix for all CVEs except CVE-2015-4483 in Reporter 10.1 is available in 10.1.5.1.
2016-12-19 A fix for all CVEs except CVE-2016-4448 is available in MAA 4.2.11.
2016-12-02 SSLV 3.11 is vulnerable to CVE-2016-4448. A fix is not available at this time.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-14 MC 1.6 and 1.7 have a vulnerable version of libxml2.  A fix for all CVEs except CVE-2015-4483 is available in 1.7.2.1.
2016-11-11 SSLV 3.10 is vulnerable to CVE-2016-4448.  A fix is not available at this time.
2016-10-24 Clarified that Security Analytics 7.2 is vulnerable.  A fix is available through a patch RPM from Blue Coat Support.
2016-10-24 A fix for ASG is available in 6.6.5.2.
2016-10-24 A fix for ProxySG 6.6 is available in 6.6.5.2.
2016-10-18 A fix for ProxySG 6.5 is available in 6.5.9.12.
2016-09-14 Fixes for Security Analytics 6.6, 7.1, and 7.2 are available through patch RPMs from Blue Coat Support.
2016-09-14 A fix for PacketShaper S-Series 11.6 is available in 11.6.1.3.
2016-09-14 Clarified wording in Workarounds sections.
2016-09-01 initial public release