SA129 : Multiple libxml2 Vulnerabilities

ASG-S200

33 more products

1377

04 March 2022

01 September 2016

OPEN

HIGH

CVSS v2: 10.0

SUMMARY 

Blue Coat products that include a vulnerable version of the libxml2 library are susceptible to multiple vulnerabilities.  A remote attacker can exploit these vulnerabilities to execute arbitrary code and cause denial of service through memory corruption.

AFFECTED PRODUCTS 

The following products are vulnerable:

Advanced Secure Gateway (ASG)
CVE Affected Version(s) Remediation
CVE-2016-4483 6.7, 7.2, 7.3 Not available at this time
6.6, 7.1 Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 6.7 and later Not vulnerable, fixed in 6.7.2.1.
6.6 Upgrade to 6.6.5.2.

 

AuthConnector
CVE Affected Version(s) Remediation
All CVEs 2.5 Fixed in 2.5.5500

 

Content Analysis System (CAS)
CVE Affected Version(s) Remediation
CVE-2016-4483 2.3 and later Not vulnerable, fixed in 2.3.1.1
2.1, 2.2 Upgrade to later release with fixes.
1.3 (not vulnerable to known vectors of attack) Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 2.1 and later Not vulnerable, fixed in 2.1.1.1.
1.3 (not vulnerable to known vectors of attack) Upgrade to 1.3.7.3.

 

Director
CVE Affected Version(s) Remediation
All CVEs 6.1 Upgrade to a version of MC with the fixes.

 

Malware Analysis Appliance (MAA)
CVE Affected Version(s) Remediation
CVE-2016-4448 4.2 Upgrade to 4.2.12.
CVE-2016-4449 4.2 Upgrade to 4.2.11.
All CVEs except CVE-2016-4448 and CVE-2016-4449 4.2 (not vulnerable to known vectors of attack) Upgrade to 4.2.11.

 

Norman Shark Industrial Control System Protection (ICSP)
CVE Affected Version(s) Remediation
All CVEs 5.4 Not vulnerable, fixed in 5.4.1
5.3 Upgrade to later release with fixes.

 

Norman Shark Network Protection (NNP)
CVE Affected Version(s) Remediation
All CVEs 5.3 A fix will not be provided.

 

Norman Shark SCADA Protection (NSP)
CVE Affected Version(s) Remediation
All CVEs 5.3 A fix will not be provided.  Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes.

 

ProxySG
CVE Affected Version(s) Remediation
All CVEs 6.7 and later Not vulnerable, fixed in 6.7.1.1
6.6 Upgrade to 6.6.5.2.
6.5 Upgrade to 6.5.9.12.

 

Security Analytics (SA)
CVE Affected Version(s) Remediation
CVE-2016-4483 8.1, 8.2 Not available at this time
7.3 starting with 7.3.2, 8.0 Upgrade to later release with fixes.
7.3.1 Not vulnerable, fixed
7.2 Upgrade to 7.3.2.
6.6, 7.0, 7.1 Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 7.3 and later Not vulnerable, fixed in 7.3.1
7.2 Upgrade to 7.2.2.
6.6, 7.0, 7.1 Upgrade to later release with fixes.

 

X-Series XOS
CVE Affected Version(s) Remediation
All CVEs 9.7, 10.0, 11.0 A fix will not be provided.

 

The following products contain vulnerable versions of the libxml2 library, but are not vulnerable to known vectors of attack:

Mail Threat Defense (MTD)
CVE Affected Version(s) Remediation
All CVEs 1.1 Upgrade to a version of CAS and SMG with the fixes.

 

Management Center (MC)
CVE Affected Version(s) Remediation
CVE-2016-4483
 
2.0 and later Not vulnerable, fixed in 2.0.1.1
1.5 - 1.11 Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 1.8 and later Not vulnerable, fixed in 1.8.1.1
1.7 Upgrade to 1.7.2.1.
1.6 Upgrade to later release with fixes.
1.5 Upgrade to later release with fixes.

 

PacketShaper (PS) S-Series
CVE Affected Version(s) Remediation
CVE-2016-4483 11.2 and later Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Switch to a version of SSG with the vulnerability fixes.
All CVEs except CVE-2016-4483 11.7 and later Upgrade to 11.7.1.1.
11.6 Upgrade to 11.6.1.3.
11.2 - 11.5 Upgrade to later release with fixes.

 

PolicyCenter (PC) S-Series
CVE Affected Version(s) Remediation
CVE-2016-4483 1.1 Allot NetXplorer is a replacement product for PolicyShaper S-Series. Switch to a version of NetXplorer with the vulnerability fixes.
All CVEs except CVE-2016-4483 1.1 Upgrade to 1.1.3.1.

 

Reporter
CVE Affected Version(s) Remediation
CVE-2016-4483 10.5 and later Not vulnerable, fixed in 10.5.1.1
10.1, 10.2, 10.3, 10.4 (not vulnerable to known vectors of attack) Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 10.2 and later Not vulnerable, fixed in 10.2.1.1.
10.1 (not vulnerable to known vectors of attack) Upgrade to 10.1.5.1.
All CVEs 9.5 Not vulnerable
9.4 Not vulnerable

 

SSL Visibility (SSLV)
CVE Affected Version(s) Remediation
CVE-2016-4483 5.2 Not vulnerable, fixed in 5.2.1.1.
4.5 Not vulnerable, fixed in 4.5.6.8.
4.3 Not vulnerable, fixed in 4.3.1.1.
4.0, 4.1, 4.2, 4.4, 5.0 Upgrade to later release with fixes.
All CVEs except CVE-2016-4483 4.0 Not vulnerable, fixed in 4.0.2.1.
CVE-2016-4448 3.12 Not vulnerable, fixed in 3.12.1.1.
3.11 Upgrade to 3.11.4.1.
3.10 Upgrade to 3.10.4.1.
3.8.4FC, 3.9 Upgrade to later release with fixes.
All CVEs except CVE-2016-4448 3.10 and later 3.x Not vulnerable, fixed in 3.10.1.1.
3.9 Upgrade to 3.9.4.1.
3.8.4FC Upgrade to later release with fixes.

 

ADDITIONAL PRODUCT INFORMATION

Some Blue Coat products do not accept XML data from untrusted sources.  The products listed below include vulnerable versions of the libxml2 library, but are not known to be vulnerable to the CVEs below.  However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: all CVEs
  • CAS: all CVEs
  • MTD: all CVEs
  • MAA: all CVEs except CVE-2016-4448 and CVE-2016-4449
  • MC: all CVEs
  • PacketShaper S-Series: all CVEs
  • PolicyCenter S-Series: all CVEs
  • Reporter 10.x: all CVEs
  • SSLV: all CVEs except CVE-2016-4448 and CVE-2016-4449

The following products are not vulnerable:
Android Mobile Agent
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
PacketShaper
PolicyCenter
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
Unified Agent
Web Isolation
WSS Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP

Please, contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2016-1762
Severity / CVSSv2 High / 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
References SecurityFocus: BID 85059 / NVD: CVE-2016-1762
Impact Denial of service, code execution
Description A flaw in the XML parser allows a remote attacker to cause a heap-based buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

 

CVE-2016-1833
Severity / CVSSv2 Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
References SecurityFocus: BID 90691 / NVD: CVE-2016-1833
Impact Denial of service, code execution
Description A flaw in the XML parser allows a remote attacker to cause a heap-based buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

 

CVE-2016-1834
Severity / CVSSv2 Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
References SecurityFocus: BID 90691 / NVD: CVE-2016-1834
Impact Denial of service, code execution
Description A flaw in string handling allows a remote attacker to cause a heap-based buffer overflow via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

 

CVE-2016-1835
Severity / CVSSv2 Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
References SecurityFocus: BID 90696 / NVD: CVE-2016-1835
Impact Denial of service, code execution
Description A flaw in the XML parser allows a remote attacker to cause a use-after-free via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

 

CVE-2016-1836
Severity / CVSSv2 Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
References SecurityFocus: BID 90691 / NVD: CVE-2016-1836
Impact Denial of service, code execution
Description A flaw in the XML parser allows a remote attacker to cause a use-after-free via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

 

CVE-2016-1837
Severity / CVSSv2 Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
References SecurityFocus: BID 90691 / NVD: CVE-2016-1837
Impact Denial of service, code execution
Description A flaw in the HTML parser allows a remote attacker to cause a use-after-free via crafted HTML data, resulting in arbitrary code execution or denial of service through memory corruption.

 

CVE-2016-1838
Severity / CVSSv2 Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
References SecurityFocus: BID 90691 / NVD: CVE-2016-1838
Impact Denial of service, code execution
Description A flaw in the XML parser allows a remote attacker to cause a heap-based buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

 

CVE-2016-1839
Severity / CVSSv2 Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
References SecurityFocus: BID 90691 / NVD: CVE-2016-1839
Impact Denial of service, code execution
Description A flaw in the XML/HTML parser allows a remote attacker to cause a heap-based buffer overread via crafted XML/HTML data, resulting in arbitrary code execution or denial of service through memory corruption.

 

CVE-2016-1840
Severity / CVSSv2 Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
References SecurityFocus: BID 90691 / NVD: CVE-2016-1840
Impact Denial of service, code execution
Description A flaw allows a remote attacker to cause a heap-based buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

 

CVE-2016-3627
Severity / CVSSv2 Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References SecurityFocus: BID 84992 / NVD: CVE-2016-3627
Impact Denial of service
Description A flaw in the XML parser allows a remote attacker to cause infinite recursion or stack depletion via crafted XML data, resulting in application crashes and denial of service.

 

CVE-2016-3705
Severity / CVSSv2 Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References SecurityFocus: BID 89854 / NVD: CVE-2016-3705
Impact Denial of service
Description A flaw in the XML parser allows a remote attacker to cause stack depletion via crafted XML data, resulting in application crashes and denial of service.

 

CVE-2016-4447
Severity / CVSSv2 Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References SecurityFocus: BID 90864 / NVD: CVE-2016-4447
Impact Denial of service
Description A flaw in the XML parser allows a remote attacker to cause a heap-based buffer underread via crafted XML data, resulting in application crashes and denial of service.

 

CVE-2016-4448
Severity / CVSSv2 High / 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
References SecurityFocus: BID 90856 / NVD: CVE-2016-4448
Impact Unspecified
Description A flaw in format string handling allows an attacker to have unspecified impact via unspecified attack vectors.

 

CVE-2016-4449
Severity / CVSSv2 Medium / 5.8 (AV:N/AC:M/Au:N/C:P/I:N/A:P)
References SecurityFocus: BID 90865 / NVD: CVE-2016-4449
Impact Informationd disclosure, denial of service
Description A flaw in the XML parser allows a remote attacker to read arbitrary files or cause denial of service through resource consumption.

 

CVE-2016-4483
Severity / CVSSv2 Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
References SecurityFocus: BID 76510 / NVD: CVE-2016-4483
Impact Denial of service, code execution
Description A flaw in the XML parser in recovery mode allows a remote attacker to cause a buffer overread via crafted XML data, resulting in arbitrary code execution or denial of service through memory corruption.

 

MITIGATION

Blue Coat’s ProxySG appliance running SGOS 6.6.4 or a later release can protect customer networks against attacks using all CVEs, except CVE-2016-1834, CVE-2016-1840, CVE-2016-3627, and CVE-2016-4448.  ProxySG deployed as a reverse proxy can protect network hosts behind it by blocking the malformed XML payload used in these attacks. Customers can use the following CPL syntax introduced in SGOS 6.6.4:

<proxy>
http.request.detection.xml.invalid(block)

 

REVISION

2022-03-04 SSLV 4.5 is not vulnerable because a fix is available in 4.5.6.8.
2022-03-02 SSLV 5.2 and later are not vulnerable because a fix is available in 5.2.1.1.
2021-08-27 WSS Agent is not vulnerable.
2021-06-07 A fix for SSLV 5.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes. 
2020-12-10 A fix for ASG 7.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes. 
2020-11-17 A fix for MTD 1.1 will not be provided.  Please upgrade to a version of CAS and SMG with the vulnerability fixes.  A fix for SA 7.3 and 8.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes.  A fix for XOS 9.7, 10.0, and 11.0 will not be provided.  A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes.
2020-04-27 Security Analytics 8.1 is vulnerable to CVE-2016-4483. SSL Visibility (SSLV) 4.5 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack. Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1. Fixes will not be provided for Industrical Control System Protection (ICSP) 5.3, Reporter 10.3, Reporter 10.4, and SSL Visibility (SSLV) 3.9. Please upgrade to later versions with the vulnerability fixes.
2020-04-03 A fix will not be provided for CVE-2016-4483 in PacketShaper S-Series. Allot Secure Services Gateway (SSG) is a replacement product for PacketShaper S-Series. Please switch to a version of SSG with the vulnerability fixes. A fix will not be provided for CVE-2016-4483 in PolicyCenter S-Series. Allow NetXplorer is a replacement product for PolicyCenter S-Series. Please switch to a version of NetXplorer with the vulnerability fixes. 
2019-10-03 Web Isolation is not vulnerable.
2019-08-30 Reporter 10.4 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-02-04 A fix for CA 1.3 and 2.2 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2019-01-29 ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2019-01-21 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable to CVE-2016-4483.
2019-01-18 SSLV 4.4 is not vulnerable.  SSLV 5.0 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.
2019-01-14 A fix for CVE-2016-4483 in MC 1.11 will not be provided.  Please upgrade to a later version with the vulnerability fixes.  Reporter 10.3 has a vulnerable version in libxml2, but is not vulnerable to known vectors of attack
2019-01-11 A fix for CVE-2016-4483 in CA 2.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-07-27 A fix for CVE-2016-4448 in MA 4.2 is available in 4.2.12.
2018-07-24 MC 2.0 is not vulnerable because a fix for CVE-2016-4483 is available in 2.0.1.1.
2018-07-02 A fix for CVE 2016-4483 in SSLV 4.1 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-06-30 A fix for SSLV 4.3 is available in 4.3.1.1.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2018-06-26 A fix for AuthConnector is available in 2.5.5500.
2018-04-25 A fix for XOS 9.7 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CAS 2.3 is not vulnerable because a fix is available in 2.3.1.1.  PacketShaper S-Series 11.10 and Reporter 10.2 have a vulnerable version of libxml2, but are not vulnerable to known vectors of attack.
2018-04-06 A fix for all CVEs except CVE-2016-4448 in SSLV 3.9 is available in 3.9.4.1.  A fix for all CVEs except CVE-2016-4448 is available in Packetshaper S-Series 11.7 and 11.8.
2018-02-22 A fix for CVE-2016-4448 in SSLV 3.10 is available in 3.10.4.1.
2017-11-16 A fix for PS S-Series 11.5, 11.7, and 11.8 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-16 A fix for SSLV 3.9 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-11-15 SSLV 4.2 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-11-08 CAS 2.2 is vulnerable to CVE-2016-4483.
2017-11-07 MC 1.11 has vulnerable versions of a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.  A fix for MC 1.10 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-11-06 ASG 6.6 starting with 6.6.5.2 has a vulnerable version of libxml2 for all CVEs, but is not vulnerable to known vectors of attack.  ASG 6.7 is vulnerable to CVE-2016-4483.
2017-08-03 SSLV 4.1 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-07-25 PS S-Series 11.9 has a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.  A fix is not available at this time.
2017-07-21 MC 1.10 has vulnerable versions of a vulnerable version of libxml2, but is not vulnerable to known vectors of attack.  A fix for MC 1.9 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2017-07-10 A fix for CVE-2016-4448 in SSLV 3.11 is available in 3.11.4.1.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PS S-Series 11.7 and 11.8 have a vulnerable version of libxml2.  PS S-Series is not vulnerable to known vectors of attack.
2017-05-18 CAS 2.1 is vulnerable to CVE-2016-4483.
2017-03-30 MC 1.9 has a vulnerable version of libxml2 for CVE-2016-4483, but is not vulnerable to known vectors of attack.
2017-03-08 A fix for all CVEs except CVE-2016-4483 in PolicyCenter S-Series 1.1 is available in 1.1.3.1.
2017-03-08 MC 1.8 and SSLV 4.0 have a vulnerable version of libxml2, but are not vulnerable to known vectors of attack.  ProxySG 6.7 is not vulnerable.  Previously, it was reported that a fix for all CVEs in PacketShaper S-Series 11.6 is available in 11.6.1.3.  Further investigation has shows that all versions of PS S-Series still have a vulnerable version of libxml2 for CVE-2016-4483.  PS S-Series is not vulnerable to known vectors of attack.
2017-01-25 A fix for SA 7.2 is available in 7.2.2.
2017-01-24 A fix for all CVEs except CVE-2016-4483 in CAS 1.3 is available in 1.3.7.3.
2017-01-10 A fix for all CVEs except CVE-2015-4483 in Reporter 10.1 is available in 10.1.5.1.
2016-12-19 A fix for all CVEs except CVE-2016-4448 is available in MAA 4.2.11.
2016-12-02 SSLV 3.11 is vulnerable to CVE-2016-4448. A fix is not available at this time.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-14 MC 1.6 and 1.7 have a vulnerable version of libxml2.  A fix for all CVEs except CVE-2015-4483 is available in 1.7.2.1.
2016-11-11 SSLV 3.10 is vulnerable to CVE-2016-4448.  A fix is not available at this time.
2016-10-24 Clarified that Security Analytics 7.2 is vulnerable.  A fix is available through a patch RPM from Blue Coat Support.
2016-10-24 A fix for ASG is available in 6.6.5.2.
2016-10-24 A fix for ProxySG 6.6 is available in 6.6.5.2.
2016-10-18 A fix for ProxySG 6.5 is available in 6.5.9.12.
2016-09-14 Fixes for Security Analytics 6.6, 7.1, and 7.2 are available through patch RPMs from Blue Coat Support.
2016-09-14 A fix for PacketShaper S-Series 11.6 is available in 11.6.1.3.
2016-09-14 Clarified wording in Workarounds sections.
2016-09-01 initial public release