SA129 : Multiple libxml2 Vulnerabilities
SUMMARY
Blue Coat products that include a vulnerable version of the libxml2 library are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to execute arbitrary code and cause denial of service through memory corruption.
AFFECTED PRODUCTS
The following products are vulnerable:
Advanced Secure Gateway (ASG)

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2016-4483 | 6.7, 7.2, 7.3 | Not available at this time
CVE-2016-4483 | 6.6, 7.1 | Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1.
All CVEs except CVE-2016-4483 | 6.6 | Upgrade to 6.6.5.2.

AuthConnector

CVE | Affected Version(s) | Remediation
---|---|---
All CVEs | 2.5 | Fixed in 2.5.5500

Content Analysis System (CAS)

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2016-4483 | 2.3 and later | Not vulnerable, fixed in 2.3.1.1
CVE-2016-4483 | 2.1, 2.2 | Upgrade to later release with fixes.
CVE-2016-4483 | 1.3 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1.
All CVEs except CVE-2016-4483 | 1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.7.3.

Director

CVE | Affected Version(s) | Remediation
---|---|---
All CVEs | 6.1 | Upgrade to a version of MC with the fixes.

Malware Analysis Appliance (MAA)

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2016-4448 | 4.2 | Upgrade to 4.2.12.
CVE-2016-4449 | 4.2 | Upgrade to 4.2.11.
All CVEs except CVE-2016-4448 and CVE-2016-4449 | 4.2 (not vulnerable to known vectors of attack) | Upgrade to 4.2.11.

Norman Shark Industrial Control System Protection (ICSP)

CVE | Affected Version(s) | Remediation
---|---|---
All CVEs | 5.4 | Not vulnerable, fixed in 5.4.1
All CVEs | 5.3 | Upgrade to later release with fixes.

Norman Shark Network Protection (NNP)

CVE | Affected Version(s) | Remediation
---|---|---
All CVEs | 5.3 | A fix will not be provided.

Norman Shark SCADA Protection (NSP)

CVE | Affected Version(s) | Remediation
---|---|---
All CVEs | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes.

ProxySG

CVE | Affected Version(s) | Remediation
---|---|---
All CVEs | 6.7 and later | Not vulnerable, fixed in 6.7.1.1
All CVEs | 6.6 | Upgrade to 6.6.5.2.
All CVEs | 6.5 | Upgrade to 6.5.9.12.

Security Analytics (SA)

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2016-4483 | 8.1, 8.2 | Not available at this time
CVE-2016-4483 | 7.3 starting with 7.3.2, 8.0 | Upgrade to later release with fixes.
CVE-2016-4483 | 7.3.1 | Not vulnerable, fixed
CVE-2016-4483 | 7.2 | Upgrade to 7.3.2.
CVE-2016-4483 | 6.6, 7.0, 7.1 | Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 | 7.3 and later | Not vulnerable, fixed in 7.3.1
All CVEs except CVE-2016-4483 | 7.2 | Upgrade to 7.2.2.
All CVEs except CVE-2016-4483 | 6.6, 7.0, 7.1 | Upgrade to later release with fixes.

X-Series XOS

CVE | Affected Version(s) | Remediation
---|---|---
All CVEs | 9.7, 10.0, 11.0 | A fix will not be provided.

The following products contain vulnerable versions of the libxml2 library, but are not vulnerable to known vectors of attack:
Mail Threat Defense (MTD)

CVE | Affected Version(s) | Remediation
---|---|---
All CVEs | 1.1 | Upgrade to a version of CAS and SMG with the fixes.

Management Center (MC)

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2016-4483 | 2.0 and later | Not vulnerable, fixed in 2.0.1.1
CVE-2016-4483 | 1.5 - 1.11 | Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1
All CVEs except CVE-2016-4483 | 1.7 | Upgrade to 1.7.2.1.
All CVEs except CVE-2016-4483 | 1.6 | Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 | 1.5 | Upgrade to later release with fixes.

PacketShaper (PS) S-Series

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2016-4483 | 11.2 and later | Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Switch to a version of SSG with the vulnerability fixes.
All CVEs except CVE-2016-4483 | 11.7 and later | Upgrade to 11.7.1.1.
All CVEs except CVE-2016-4483 | 11.6 | Upgrade to 11.6.1.3.
All CVEs except CVE-2016-4483 | 11.2 - 11.5 | Upgrade to later release with fixes.

PolicyCenter (PC) S-Series

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2016-4483 | 1.1 | Allot NetXplorer is a replacement product for PolicyShaper S-Series. Switch to a version of NetXplorer with the vulnerability fixes.
All CVEs except CVE-2016-4483 | 1.1 | Upgrade to 1.1.3.1.

Reporter

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2016-4483 | 10.5 and later | Not vulnerable, fixed in 10.5.1.1
CVE-2016-4483 | 10.1, 10.2, 10.3, 10.4 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1.
All CVEs except CVE-2016-4483 | 10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.5.1.
All CVEs | 9.5 | Not vulnerable
All CVEs | 9.4 | Not vulnerable

SSL Visibility (SSLV)

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2016-4483 | 5.2 | Not vulnerable, fixed in 5.2.1.1.
CVE-2016-4483 | 4.5 | Not vulnerable, fixed in 4.5.6.8.
CVE-2016-4483 | 4.3 | Not vulnerable, fixed in 4.3.1.1.
CVE-2016-4483 | 4.0, 4.1, 4.2, 4.4, 5.0 | Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 | 4.0 | Not vulnerable, fixed in 4.0.2.1.
CVE-2016-4448 | 3.12 | Not vulnerable, fixed in 3.12.1.1.
CVE-2016-4448 | 3.11 | Upgrade to 3.11.4.1.
CVE-2016-4448 | 3.10 | Upgrade to 3.10.4.1.
CVE-2016-4448 | 3.8.4FC, 3.9 | Upgrade to later release with fixes.
All CVEs except CVE-2016-4448 | 3.10 and later 3.x | Not vulnerable, fixed in 3.10.1.1.
All CVEs except CVE-2016-4448 | 3.9 | Upgrade to 3.9.4.1.
All CVEs except CVE-2016-4448 | 3.8.4FC | Upgrade to later release with fixes.

ADDITIONAL PRODUCT INFORMATION
Some Blue Coat products do not accept XML data from untrusted sources. The products listed below include vulnerable versions of the libxml2 library, but are not known to be vulnerable to the CVEs below. However, fixes for these CVEs will be included in the patches that are provided.
- ASG: all CVEs
- CAS: all CVEs
- MTD: all CVEs
- MAA: all CVEs except CVE-2016-4448 and CVE-2016-4449
- MC: all CVEs
- PacketShaper S-Series: all CVEs
- PolicyCenter S-Series: all CVEs
- Reporter 10.x: all CVEs
- SSLV: all CVEs except CVE-2016-4448 and CVE-2016-4449
The following products are not vulnerable:
Android Mobile Agent
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Unified Agent
Web Isolation
WSS Agent
Blue Coat no longer provides vulnerability information for the following products:
DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.
ISSUES
CVE-2016-1762 | |
---|---|
Severity / CVSSv2 | High / 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
References | SecurityFocus: BID 85059 / NVD: CVE-2016-1762 |
Impact | Denial of service, code execution |
Description | A flaw in the XML parser allows a remote attacker to cause a heap-based buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption. |
CVE-2016-1833 | |
---|---|
Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 90691 / NVD: CVE-2016-1833 |
Impact | Denial of service, code execution |
Description | A flaw in the XML parser allows a remote attacker to cause a heap-based buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption. |
CVE-2016-1834 | |
---|---|
Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 90691 / NVD: CVE-2016-1834 |
Impact | Denial of service, code execution |
Description | A flaw in string handling allows a remote attacker to cause a heap-based buffer overflow via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption. |
CVE-2016-1835 | |
---|---|
Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 90696 / NVD: CVE-2016-1835 |
Impact | Denial of service, code execution |
Description | A flaw in the XML parser allows a remote attacker to cause a use-after-free via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption. |
CVE-2016-1836 | |
---|---|
Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 90691 / NVD: CVE-2016-1836 |
Impact | Denial of service, code execution |
Description | A flaw in the XML parser allows a remote attacker to cause a use-after-free via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption. |
CVE-2016-1837 | |
---|---|
Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 90691 / NVD: CVE-2016-1837 |
Impact | Denial of service, code execution |
Description | A flaw in the HTML parser allows a remote attacker to cause a use-after-free via crafted HTML data, resulting in arbitrary code execution or denial of service through memory corruption. |
CVE-2016-1838 | |
---|---|
Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 90691 / NVD: CVE-2016-1838 |
Impact | Denial of service, code execution |
Description | A flaw in the XML parser allows a remote attacker to cause a heap-based buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption. |
CVE-2016-1839 | |
---|---|
Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 90691 / NVD: CVE-2016-1839 |
Impact | Denial of service, code execution |
Description | A flaw in the XML/HTML parser allows a remote attacker to cause a heap-based buffer overread via crafted XML/HTML data, resulting in arbitrary code execution or denial of service through memory corruption. |
CVE-2016-1840 | |
---|---|
Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
References | SecurityFocus: BID 90691 / NVD: CVE-2016-1840 |
Impact | Denial of service, code execution |
Description | A flaw allows a remote attacker to cause a heap-based buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption. |
CVE-2016-3627 | |
---|---|
Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
References | SecurityFocus: BID 84992 / NVD: CVE-2016-3627 |
Impact | Denial of service |
Description | A flaw in the XML parser allows a remote attacker to cause infinite recursion or stack depletion via crafted XML data, resulting in application crashes and denial of service. |
CVE-2016-3705 | |
---|---|
Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
References | SecurityFocus: BID 89854 / NVD: CVE-2016-3705 |
Impact | Denial of service |
Description | A flaw in the XML parser allows a remote attacker to cause stack depletion via crafted XML data, resulting in application crashes and denial of service. |
CVE-2016-4447 | |
---|---|
Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
References | SecurityFocus: BID 90864 / NVD: CVE-2016-4447 |
Impact | Denial of service |
Description | A flaw in the XML parser allows a remote attacker to cause a heap-based buffer underread via crafted XML data, resulting in application crashes and denial of service. |
CVE-2016-4448 | |
---|---|
Severity / CVSSv2 | High / 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C) |
References | SecurityFocus: BID 90856 / NVD: CVE-2016-4448 |
Impact | Unspecified |
Description | A flaw in format string handling allows an attacker to have unspecified impact via unspecified attack vectors. |
CVE-2016-4449 | |
---|---|
Severity / CVSSv2 | Medium / 5.8 (AV:N/AC:M/Au:N/C:P/I:N/A:P) |
References | SecurityFocus: BID 90865 / NVD: CVE-2016-4449 |
Impact | Information disclosure, denial of service |
Description | A flaw in the XML parser allows a remote attacker to read arbitrary files or cause denial of service through resource consumption. |
CVE-2016-4483 | |
---|---|
Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) |
References | SecurityFocus: BID 76510 / NVD: CVE-2016-4483 |
Impact | Denial of service, code execution |
Description | A flaw in the XML parser in recovery mode allows a remote attacker to cause a buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption. |
MITIGATION
Blue Coat’s ProxySG appliance running SGOS 6.6.4 or a later release can protect customer networks against attacks using all CVEs, except CVE-2016-1834, CVE-2016-1840, CVE-2016-3627, and CVE-2016-4448. ProxySG deployed as a reverse proxy can protect network hosts behind it by blocking the malformed XML payload used in these attacks. Customers can use the following CPL syntax introduced in SGOS 6.6.4:
    <proxy>
    http.request.detection.xml.invalid(block)
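The same block-before-the-backend idea can be applied in application code. The following is an added example, not Blue Coat code and not a reproduction of ProxySG's detection logic: a strict pre-parse gate that rejects request bodies that are not well-formed XML before they reach a libxml2-based service. The use of Python's standard-library expat binding, the size and nesting limits, and the DOCTYPE ban are assumptions of this example.

```python
import xml.parsers.expat

MAX_BODY_BYTES = 1_000_000  # assumed size cap; tune per application
MAX_DEPTH = 64              # assumed cap on element nesting


class Blocked(Exception):
    """Raised inside expat handlers to abort parsing with a reason."""


def check_xml_body(body, max_depth=MAX_DEPTH, max_bytes=MAX_BODY_BYTES):
    """Return (allow, reason) for a request body that claims to be XML."""
    if len(body) > max_bytes:
        return False, "body too large"

    depth = 0

    def on_start(_name, _attrs):
        nonlocal depth
        depth += 1
        if depth > max_depth:
            raise Blocked("nesting too deep")

    def on_end(_name):
        nonlocal depth
        depth -= 1

    def on_doctype(_name, _sysid, _pubid, _has_internal_subset):
        # Policy assumption: the protected service never needs a DTD.
        raise Blocked("DOCTYPE not allowed")

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(body, True)  # True = final chunk, forces a full check
    except Blocked as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, "malformed: " + xml.parsers.expat.ErrorString(exc.code)
    return True, "ok"


# Constructed sample bodies (not captured traffic).
SAMPLES = {
    "well_formed": b"<order><item id='1'>widget</item></order>",
    "mismatched_tag": b"<order><item>widget</order>",
    "truncated": b"<order><item>widget</item>",
    "deep_nesting": b"<a>" * 100 + b"</a>" * 100,
    "with_doctype": b'<!DOCTYPE r [<!ENTITY e "x">]><r>&e;</r>',
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        allow, reason = check_xml_body(body)
        print(f"{name:15} {'ALLOW' if allow else 'BLOCK'}  {reason}")
```

A gate like this reduces exposure to malformed-input bugs but does not replace upgrading to a release with the libxml2 fixes.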
REVISION
2022-03-04 SSLV 4.5 is not vulnerable because a fix is available in 4.5.6.8.
2022-03-02 SSLV 5.2 and later are not vulnerable because a fix is available in 5.2.1.1.
2021-08-27 WSS Agent is not vulnerable.
2021-06-07 A fix for SSLV 5.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-12-10 A fix for ASG 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-17 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-04-27 Security Analytics 8.1 is vulnerable to CVE-2016-4483. SSL Visibility (SSLV) 4.5 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1. Fixes will not be provided for Industrial Control System Protection (ICSP) 5.3, Reporter 10.3, Reporter 10.4, and SSL Visibility (SSLV) 3.9. Please upgrade to later versions with the vulnerability fixes.
2020-04-03 A fix will not be provided for CVE-2016-4483 in PacketShaper S-Series. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Please switch to a version of SSG with the vulnerability fixes. A fix will not be provided for CVE-2016-4483 in PolicyCenter S-Series. Allot NetXplorer is a replacement product for PolicyCenter S-Series. Please switch to a version of NetXplorer with the vulnerability fixes.
2019-10-03 Web Isolation is not vulnerable.
2019-08-30 Reporter 10.4 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-02-04 A fix for CA 1.3 and 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-29 ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2019-01-21 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable to CVE-2016-4483.
2019-01-18 SSLV 4.4 is not vulnerable. SSLV 5.0 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.
2019-01-14 A fix for CVE-2016-4483 in MC 1.11 will not be provided. Please upgrade to a later version with the vulnerability fixes. Reporter 10.3 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.
2019-01-11 A fix for CVE-2016-4483 in CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-07-27 A fix for CVE-2016-4448 in MA 4.2 is available in 4.2.12.
2018-07-24 MC 2.0 is not vulnerable because a fix for CVE-2016-4483 is available in 2.0.1.1.
2018-07-02 A fix for CVE-2016-4483 in SSLV 4.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-06-30 A fix for SSLV 4.3 is available in 4.3.1.1.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2018-06-26 A fix for AuthConnector is available in 2.5.5500.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CAS 2.3 is not vulnerable because a fix is available in 2.3.1.1. PacketShaper S-Series 11.10 and Reporter 10.2 have a vulnerable version of libxml2, but are not vulnerable to known vectors of attack.
2018-04-06 A fix for all CVEs except CVE-2016-4448 in SSLV 3.9 is available in 3.9.4.1. A fix for all CVEs except CVE-2016-4448 is available in Packetshaper S-Series 11.7 and 11.8.
2018-02-22 A fix for CVE-2016-4448 in SSLV 3.10 is available in 3.10.4.1.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-16 A fix for SSLV 3.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-11-15 SSLV 4.2 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-11-08 CAS 2.2 is vulnerable to CVE-2016-4483.
2017-11-07 MC 1.11 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-06 ASG 6.6 starting with 6.6.5.2 has a vulnerable version of libxml2 for all CVEs, but is not vulnerable to known vectors of attack. ASG 6.7 is vulnerable to CVE-2016-4483.
2017-08-03 SSLV 4.1 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-07-25 PS S-Series 11.9 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2017-07-21 MC 1.10 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-07-10 A fix for CVE-2016-4448 in SSLV 3.11 is available in 3.11.4.1.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PS S-Series 11.7 and 11.8 have a vulnerable version of libxml2. PS S-Series is not vulnerable to known vectors of attack.
2017-05-18 CAS 2.1 is vulnerable to CVE-2016-4483.
2017-03-30 MC 1.9 has a vulnerable version of libxml2 for CVE-2016-4483, but is not vulnerable to known vectors of attack.
2017-03-08 A fix for all CVEs except CVE-2016-4483 in PolicyCenter S-Series 1.1 is available in 1.1.3.1.
2017-03-08 MC 1.8 and SSLV 4.0 have a vulnerable version of libxml2, but are not vulnerable to known vectors of attack. ProxySG 6.7 is not vulnerable. Previously, it was reported that a fix for all CVEs in PacketShaper S-Series 11.6 is available in 11.6.1.3. Further investigation has shown that all versions of PS S-Series still have a vulnerable version of libxml2 for CVE-2016-4483. PS S-Series is not vulnerable to known vectors of attack.
2017-01-25 A fix for SA 7.2 is available in 7.2.2.
2017-01-24 A fix for all CVEs except CVE-2016-4483 in CAS 1.3 is available in 1.3.7.3.
2017-01-10 A fix for all CVEs except CVE-2016-4483 in Reporter 10.1 is available in 10.1.5.1.
2016-12-19 A fix for all CVEs except CVE-2016-4448 is available in MAA 4.2.11.
2016-12-02 SSLV 3.11 is vulnerable to CVE-2016-4448. A fix is not available at this time.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-14 MC 1.6 and 1.7 have a vulnerable version of libxml2. A fix for all CVEs except CVE-2016-4483 is available in 1.7.2.1.
2016-11-11 SSLV 3.10 is vulnerable to CVE-2016-4448. A fix is not available at this time.
2016-10-24 Clarified that Security Analytics 7.2 is vulnerable. A fix is available through a patch RPM from Blue Coat Support.
2016-10-24 A fix for ASG is available in 6.6.5.2.
2016-10-24 A fix for ProxySG 6.6 is available in 6.6.5.2.
2016-10-18 A fix for ProxySG 6.5 is available in 6.5.9.12.
2016-09-14 Fixes for Security Analytics 6.6, 7.1, and 7.2 are available through patch RPMs from Blue Coat Support.
2016-09-14 A fix for PacketShaper S-Series 11.6 is available in 11.6.1.3.
2016-09-14 Clarified wording in Workarounds sections.
2016-09-01 initial public release