SA117 : OpenSSL Vulnerabilities 1-Mar-2016

Security Advisory ID: SA117
Published Date: Mar 07, 2016
Advisory Status: Interim
Advisory Severity: High
CVSS v2 base score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE Number:
CVE-2016-0702 - 1.9 (LOW) (AV:L/AC:M/Au:N/C:P/I:N/A:N)
CVE-2016-0703 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2016-0704 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2016-0705 - 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2016-0797 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2016-0798 - 7.8 (HIGH) (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVE-2016-0799 - 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVE-2016-0800 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE-2016-2842 - 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Blue Coat products using affected versions of OpenSSL are susceptible to multiple vulnerabilities.  A remote attacker can exploit these vulnerabilities to decrypt live and recorded SSL sessions, cause denial of service through application crashes, and possibly execute arbitrary code.  A local, authenticated attacker can also recover RSA private keys.

Affected Products:

The following products are vulnerable:

Advanced Secure Gateway
ASG 6.6 prior to 6.6.5.4 is vulnerable to CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.  ASG 6.6 is also vulnerable to CVE-2016-0800 (DROWN) if SSLv2 is enabled for the management console, forward proxy service, and reverse proxy service.

Android Mobile Agent
Android Mobile Agent 1.3 prior to 1.3.8 is vulnerable to CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.

BCAAA
BCAAA 6.1 is vulnerable to CVE-2016-0702 (CacheBleed), CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842 when a Novell SSO realm is used.

CacheFlow
CacheFlow 3.4 prior to 3.4.2.7 is vulnerable to CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.  CacheFlow 3.4 is also vulnerable to CVE-2016-0800 (DROWN).

Client Connector
Client Connector 1.6 for Windows is vulnerable to CVE-2016-0702, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.

Content Analysis System
CAS 1.2 and 1.3 prior to 1.3.7.1 are vulnerable to CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.  CAS 1.2, 1.3, and 2.1 are vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the secure ICAP server.  CAS 1.2 prior to 1.2.4.5 is also vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the management console.

Director
Director 6.1 prior to 6.1.22.1 is vulnerable to CVE-2016-0702 (CacheBleed), CVE-2016-0797, CVE-2016-0799, CVE-2016-0800 (DROWN), and CVE-2016-2842.

IntelligenceCenter
IC 3.3 is vulnerable to CVE-2016-0702 (CacheBleed), CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0800 (DROWN), and CVE-2016-2842.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2016-0799 and CVE-2016-2842.  MTD 1.1 prior to 1.1.2.1 is also vulnerable to CVE-2016-0705 and CVE-2016-0797.

Malware Analysis Appliance
MAA 4.2 prior to 4.2.9 is vulnerable to CVE-2016-0702 (CacheBleed), CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.

Management Center
MC 1.5 is vulnerable to CVE-2016-0799 and CVE-2016-2842.  MC 1.6, 1.7, 1.8, 1.9, and 1.10 are not vulnerable.

Norman Shark Industrial Control System Protection
ICSP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.

Norman Shark Network Protection
NNP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.

Norman Shark SCADA Protection
NSP 5.3 prior to 5.3.6 is vulnerable to CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.

PacketShaper
PS 9.2 prior to 9.2.13p2 is vulnerable to CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.

PacketShaper S-Series
PS S-Series 11.2, 11.3, and 11.4 are vulnerable to CVE-2016-0702 (CacheBleed), CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, CVE-2016-0800 (DROWN), and CVE-2016-2842.  PS S-Series 11.5 prior to 11.5.3.1 is vulnerable to CVE-2016-0702 (CacheBleed), CVE-2016-0705, CVE-2016-0797, and CVE-2016-0800 (DROWN).  PS S-Series 11.5 prior to 11.5.3.2 is vulnerable to CVE-2016-0799 and CVE-2016-2842.  PS S-Series 11.6, 11.7, 11.8, and 11.9 are not vulnerable.

PolicyCenter
PC 9.2 prior to 9.2.13p2 is vulnerable to CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.

PolicyCenter S-Series
PC S-Series 1.1 prior to 1.1.2.1 is vulnerable to CVE-2016-0702 (CacheBleed), CVE-2016-0705, CVE-2016-0797, and CVE-2016-0800 (DROWN).  PC S-Series 1.1 prior to 1.1.2.2 is vulnerable to CVE-2016-0799 and CVE-2016-2842.

ProxyAV
ProxyAV 3.5 prior to 3.5.4.2 is vulnerable to CVE-2016-0705, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.  ProxyAV 3.5 is also vulnerable to CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 (DROWN) if SSLv2 is enabled for the management console or secure ICAP server.

ProxyClient
ProxyClient 3.4 for Windows is vulnerable to CVE-2016-0702, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.

ProxySG
ProxySG 6.5 prior to 6.5.9.8 is vulnerable to CVE-2016-0702 (CacheBleed), CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.  ProxySG 6.5 is also vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the management console, forward proxy service, or reverse proxy service.  ProxySG 6.6 prior to 6.6.4.1 is vulnerable to CVE-2016-0799 and CVE-2016-2842.  ProxySG 6.6 prior to 6.6.4.3 is vulnerable to CVE-2016-0702 (CacheBleed) and CVE-2016-0797.  ProxySG 6.6 is also vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the management console, forward proxy service, or reverse proxy service.  ProxySG 6.7 is vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the management console, forward proxy service, or reverse proxy service.

Reporter
Reporter 9.4, 9.5 prior to 9.5.3, and 10.1 prior to 10.1.4.2 are vulnerable to CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.  Reporter 9.4 and 9.5 prior to 9.5.3 are also vulnerable to CVE-2016-0702, CVE-2016-0703, and CVE-2016-0704.  Reporter 9.4 and 9.5 are also vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the management console.

Security Analytics
Security Analytics 6.6 prior to 6.6.12, 7.0, and 7.1 prior to 7.1.11 are vulnerable to CVE-2016-0702 (CacheBleed), CVE-2016-0705, CVE-2016-0797, and CVE-2016-0798.  Security Analytics 6.6, 7.0, and 7.1 are also vulnerable to CVE-2016-0799 and CVE-2016-2842.  Security Analytics 7.2 and 7.3 are not vulnerable.

SSL Visibility
SSLV 3.8, 3.8.4FC, and 3.9 prior to 3.9.3.6 are vulnerable to CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.  SSLV 3.10, 3.11, 4.0, and 4.1 are not vulnerable.

Unified Agent
UA 4.1 and 4.6 are vulnerable to CVE-2016-0702, CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.  Unified Agent 4.7 is not vulnerable.

X-Series XOS
XOS 9.7, 10.0 prior to 10.0.6, and 11.0 prior to 11.0.2 are vulnerable to CVE-2016-0705 and CVE-2016-0797.  XOS 9.7, 10.0, and 11.0 are also vulnerable to CVE-2016-0702, CVE-2016-0799, and CVE-2016-2842.

The following products are not vulnerable:
AuthConnector
Blue Coat HSM Agent for the Luna SP
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
ProxyAV ConLog and ConLogXP

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

The following products are under investigation:
IntelligenceCenter Data Collector

Advisory Details: 

This Security Advisory addresses multiple vulnerabilities announced in OpenSSL Security Advisory 1st Mar 2016.  Blue Coat products that include a vulnerable version of OpenSSL and make use of the affected functionality are vulnerable.

  • CVE-2016-0702 (CacheBleed) is a flaw in the modular exponentiation implementation that allows a local attacker controlling a processing thread running on an Intel Sandy Bridge CPU hyper-threaded core to use cache bank conflicts to recover RSA keys from another thread performing RSA operations on the same CPU core.
  • CVE-2016-0703 is a flaw in the SSLv2 server module that allows a remote man-in-the-middle (MITM) attacker to intercept an SSLv2 handshake and perform an oracle attack against the SSLv2 server to recover the session master secret.  The attacker can use the master secret to decrypt and modify the encrypted data in the live SSLv2 session. This attack is a more efficient variant of the DROWN attack (CVE-2016-0800) that does not require the affected server to support export-grade cipher suites.
  • CVE-2016-0704 is a flaw in the SSLv2 server module that allows a remote MITM attacker to intercept an SSLv2 handshake and perform an oracle attack against the SSLv2 server to recover the session master secret.  The attacker can use the master secret to decrypt and modify the encrypted data in the live SSLv2 session. This attack is a more efficient variant of the DROWN attack (CVE-2016-0800) that does not require the affected server to support export-grade cipher suites.
  • CVE-2016-0705 is a flaw in DSA private key parsing that allows a remote attacker to send a malformed DSA private key to the target and cause memory corruption, resulting in an application crash and denial of service.
  • CVE-2016-0797 is a flaw in large number binary conversion that allows a remote attacker to send a large decimal or hexadecimal number to the target and cause memory corruption. This attack can result in denial of service through an application crash, or possible arbitrary code execution.
  • CVE-2016-0798 is a flaw in SRP user lookups that allows a remote attacker to connect to an SRP server with an invalid SRP user name and cause a memory leak on the server, resulting in an application crash and denial of service.
  • CVE-2016-0799 is a flaw in string formatting during large string input/output that allows a remote attacker to send a large string to the target and cause illegal memory accesses, resulting in an application crash and denial of service.
  • CVE-2016-0800 (DROWN) is a padding oracle flaw in the SSLv2 protocol that allows a remote attacker to decrypt passively captured sessions to a TLSv1.x server if the server uses the same RSA private key as a server that supports SSLv2 and export-grade cipher suites.
  • CVE-2016-2842 is a flaw in memory allocation during large string input/output that allows a remote attacker to send a large string to the target and cause illegal memory accesses, resulting in an application crash and denial of service.

Blue Coat products may act as both client and server in SSL/TLS connections, and may use application functionality for cryptographic operations.  Blue Coat products act as a client when connecting to Blue Coat services such as WebPulse, DRTR, and licensing and subscription services.  Products should be considered vulnerable in all interfaces that provide SSL/TLS connections for data and management interfaces unless the CVE is specific to SSL/TLS client or server functionality (as noted in the descriptions above) or unless otherwise stated below:

  • ASG: CVE-2016-0800 (DROWN) only affects management connections, the forward proxy service, and the reverse proxy service.
  • CacheFlow: CVE-2016-0800 (DROWN) only affects management connections.
  • CAS: CVE-2016-0800 (DROWN) only affects management connections and connections to the secure ICAP server.
  • IntelligenceCenter: CVE-2016-0800 (DROWN) only affects management connections.
  • MTD: CVE-2016-0800 (DROWN) only affects management connections.
  • PacketShaper S-Series: CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 (DROWN) only affect management connections.
  • PolicyCenter S-Series: CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 (DROWN) only affect management connections.
  • ProxyAV: CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 (DROWN) only affect management connections and connections to the secure ICAP server.
  • ProxySG: CVE-2016-0800 (DROWN) affects management connections, the forward proxy service, and the reverse proxy service.
  • XOS: CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 (DROWN) only affect management connections.

Blue Coat products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs.  However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable.  Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, ProxyClient for OS X, and Reporter 9.x for Linux.

Blue Coat products do not enable or use all functionality within OpenSSL.  The products listed below do not use the functionality described in the CVEs listed beside them and are therefore not known to be vulnerable to those CVEs.  However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2016-0702 (CacheBleed), CVE-2016-0705, and CVE-2016-0798
  • Android Mobile Agent: CVE-2016-0705 and CVE-2016-0798
  • CacheFlow: CVE-2016-0702 (CacheBleed), CVE-2016-0705, and CVE-2016-0798
  • Client Connector for Windows: CVE-2016-0705
  • CAS: CVE-2016-0702 (CacheBleed)
  • MTD: CVE-2016-0702 (CacheBleed) and CVE-2016-0800 (DROWN)
  • MAA: CVE-2016-0705 and CVE-2016-0798
  • MC: CVE-2016-0702 (CacheBleed), CVE-2016-0705, and CVE-2016-0800 (DROWN)
  • ICSP: CVE-2016-0705 and CVE-2016-0798
  • NNP: CVE-2016-0705 and CVE-2016-0798
  • NSP: CVE-2016-0705 and CVE-2016-0798
  • PacketShaper: CVE-2016-0705 and CVE-2016-0798
  • PolicyCenter: CVE-2016-0705 and CVE-2016-0798
  • ProxyAV: CVE-2016-0702 (CacheBleed) and CVE-2016-0798
  • ProxyClient for Windows: CVE-2016-0705
  • ProxySG: CVE-2016-0705 and CVE-2016-0798
  • Reporter: CVE-2016-0702 (9.4 and 9.5), CVE-2016-0705 (9.5 and 10.1), and CVE-2016-0798 (9.5 and 10.1)
  • SSLV: CVE-2016-0702 (CacheBleed), CVE-2016-0705, and CVE-2016-0798
  • Unified Agent: CVE-2016-0705 (4.1 and 4.6) and CVE-2016-0798 (4.6 only)
  • XOS: CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 (DROWN)

Workarounds: 

Blue Coat's ProxySG appliance can be used to prevent the DROWN attacks using CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800.  Customers using ProxySG as a forward proxy can protect TLS servers by blocking SSLv2 flows.  ProxySG 6.5 and 6.6 customers can use the following CPL syntax:

<SSL>
client.connection.negotiated_ssl_version=SSLV2 deny
<SSL>
server.connection.negotiated_ssl_version=SSLV2 deny

CVE-2016-0800 (DROWN) can be remediated on ProxySG by disabling SSLv2 for the HTTPS management console and reverse proxy service.  SSLv2 cannot be disabled for HTTPS forward proxy deployments, but SSLv2 connections can be blocked using the CPL syntax above.

CVE-2016-0800 (DROWN) can be remediated on CacheFlow by ensuring that SSLv2 is disabled for the management console.  Customers should use the following steps in config mode to limit the SSL/TLS versions used by the management console to TLSv1.1 and TLSv1.2:

management-services
edit HTTPS-Console
attribute ssl-versions tlsv1.1v1.2
exit
exit

CVE-2016-0800 (DROWN) can be remediated on CAS by ensuring that SSLv2 is disabled for the secure ICAP server.  To view the enabled SSL/TLS protocols, access the CAS management console and navigate to the "Settings > ICAP" page.  Deselect SSLv2 under "TLS Settings" and save the changes.

CVE-2016-0800 (DROWN) can be remediated on ProxyAV by disabling SSLv2 for SSL clients, the management console and the secure ICAP server.  To view the enabled SSL/TLS protocols, access the ProxyAV management console.  Navigate to "Advanced/SSL Client" for the SSL client settings, "Network" for the management console settings and "ICAP Settings" for the secure ICAP server settings.  Deselect SSLv2 under "SSL protocols" and save the changes on each of these pages.

CVE-2016-0800 (DROWN) can be remediated on Reporter 9.5 by disabling SSLv2 for the management console.  To view the enabled SSL/TLS protocols, access the /settings/preferences.cfg file in the Reporter 9.5 installation directory.  Ensure that the following line is set to "false":

ssl_v2="false"

By default, Director does not enable SSLv2 for management connections.  Customers who keep this default setting are protected against attacks on Director using CVE-2016-0800 (DROWN).
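The workarounds above all come down to one question: does the management console, ICAP server or proxy service still answer an SSLv2 handshake?  The following script is an added verification example (it is not Blue Coat code and not part of this advisory): it sends a minimal SSLv2 CLIENT-HELLO to a host you administer and reports whether an SSLv2 SERVER-HELLO comes back and whether that hello advertises export-grade cipher specs, the precondition CVE-2016-0800 needs but CVE-2016-0703 and CVE-2016-0704 do not.  The host name, port and the constructed sample responses used for offline testing are assumptions.

```python
"""Post-remediation check: confirm SSLv2 is really disabled.

Added example, not Blue Coat code.  classify_response() works on raw
bytes, so it can be exercised offline on constructed sample replies.
"""
import socket
import struct

# SSLv2 cipher-spec codes (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHERS = {
    0x010080: "RC4_128_WITH_MD5",
    0x020080: "RC4_128_EXPORT40_WITH_MD5",
    0x030080: "RC2_128_CBC_WITH_MD5",
    0x040080: "RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "IDEA_128_CBC_WITH_MD5",
    0x060040: "DES_64_CBC_WITH_MD5",
    0x0700C0: "DES_192_EDE3_CBC_WITH_MD5",
}
# 40-bit export specs: the condition the original DROWN attack (CVE-2016-0800) relies on.
EXPORT_CIPHERS = {0x020080, 0x040080}

MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Build a minimal SSLv2 CLIENT-HELLO record offering every cipher spec."""
    specs = b"".join(code.to_bytes(3, "big") for code in SSLV2_CIPHERS)
    # Message: type, version 0x0002, cipher-specs-len, session-id-len, challenge-len.
    body = struct.pack("!BHHHH", MSG_CLIENT_HELLO, 0x0002,
                       len(specs), 0, len(challenge)) + specs + challenge
    # 2-byte SSLv2 record header: high bit set, 15-bit length, no padding.
    return struct.pack("!H", 0x8000 | len(body)) + body


def classify_response(data: bytes) -> dict:
    """Classify the server's reply to the CLIENT-HELLO."""
    result = {"sslv2": False, "export": False, "ciphers": [], "note": ""}
    if not data:
        result["note"] = "no data: connection closed or timed out (SSLv2 refused)"
        return result
    if data[0] & 0x80 == 0:
        # Not an SSLv2 record.  A TLS alert record starts with 0x15.
        result["note"] = "non-SSLv2 reply (TLS alert or other data): SSLv2 refused"
        return result
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        result["note"] = "SSLv2 record but not a SERVER-HELLO"
        return result
    # SERVER-HELLO: type, session-id-hit, cert-type, version(2), cert-len(2),
    # cipher-specs-len(2), connection-id-len(2), then cert, specs, connection-id.
    _, _, _, version, cert_len, specs_len, _ = struct.unpack("!BBBHHHH", body[:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    codes = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, len(specs) - 2, 3)]
    result["sslv2"] = True
    result["ciphers"] = [SSLV2_CIPHERS.get(c, hex(c)) for c in codes]
    result["export"] = any(c in EXPORT_CIPHERS for c in codes)
    result["note"] = f"SSLv2 SERVER-HELLO (version 0x{version:04x}): SSLv2 still enabled"
    return result


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the CLIENT-HELLO to host:port and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


def sample_server_hello(cipher_codes) -> bytes:
    """Constructed SSLv2 SERVER-HELLO (empty certificate) for offline tests."""
    specs = b"".join(c.to_bytes(3, "big") for c in cipher_codes)
    conn_id = b"\x11" * 16
    body = struct.pack("!BBBHHHH", MSG_SERVER_HELLO, 0, 1, 0x0002,
                       0, len(specs), len(conn_id)) + specs + conn_id
    return struct.pack("!H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    import sys
    # Assumed host name; replace with your own appliance's management address.
    target = sys.argv[1] if len(sys.argv) > 1 else "proxysg.example.invalid"
    print(probe(target, int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it against each interface the advisory names (management console, secure ICAP port, reverse proxy listener) after applying the workaround; a result with "sslv2": False on every one confirms the change took effect.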

Patches: 

Advanced Secure Gateway
ASG 6.6 - a fix for all CVEs except CVE-2016-0705 and CVE-2016-0798 is available in 6.6.5.4. A fix for CVE-2016-0705 and CVE-2016-0798 is not available at this time.

Android Mobile Agent
Android Mobile Agent 1.3 - a fix is available in 1.3.8.

BCAAA
BCAAA 6.1 - a fix will not be provided.  An updated Novell SSO SDK is no longer available.  Please contact Novell for more information.

CacheFlow
CacheFlow 3.4 - a fix for CVE-2016-0702 (CacheBleed), CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842 is available in 3.4.2.7.  A fix for CVE-2016-0705 and CVE-2016-0798 is available in 3.4.2.8.  A fix for CVE-2016-0800 will not be provided.  Disabling SSLv2 for the management console prevents attacks using CVE-2016-0800 (DROWN).  See the Workarounds section for instructions on how to disable SSLv2.

Client Connector
Client Connector 1.6 for Windows - a fix will not be provided.  Please upgrade to the latest version of Unified Agent with the vulnerability fixes.

Content Analysis System
CAS 2.1 - a fix for CVE-2016-0800 (DROWN) will not be provided.  Disabling SSLv2 in the secure ICAP server prevents attacks using CVE-2016-0800 (DROWN).  See the Workarounds section for instructions on how to disable SSLv2.
CAS 1.3 - a fix for all CVEs except CVE-2016-0800 (DROWN) is available in 1.3.7.1.  A fix for CVE-2016-0800 (DROWN) will not be provided.  Disabling SSLv2 in the secure ICAP server prevents attacks using CVE-2016-0800 (DROWN).  See the Workarounds section for instructions on how to disable SSLv2.
CAS 1.2 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Director
Director 6.1 - a fix is available in 6.1.22.1.

IntelligenceCenter
IC 3.3 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix for CVE-2016-0702 (CacheBleed), CVE-2016-0705, CVE-2016-0797, and CVE-2016-0800 (DROWN) is available in MTD 1.1.2.1.  A fix for CVE-2016-0799 and CVE-2016-2842 is not available at this time.

Malware Analysis Appliance
MAA 4.2 - a fix is available in 4.2.9.

Management Center
MC 1.6 - a fix is available in 1.6.1.1.
MC 1.5 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is available in 5.3.6.

Norman Shark Network Protection
NNP 5.3 - a fix is available in 5.3.6.

Norman Shark SCADA Protection
NSP 5.3 - a fix is available in 5.3.6.

PacketShaper
PS 9.2 - a fix is available in 9.2.13p2.

PacketShaper S-Series
PS S-Series 11.5 - a fix for CVE-2016-0702 (CacheBleed), CVE-2016-0705, CVE-2016-0797, and CVE-2016-0800 (DROWN) is available in 11.5.3.1.  A fix for all CVEs is available in 11.5.3.2.
PS S-Series 11.4 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
PS S-Series 11.3 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
PS S-Series 11.2 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

PolicyCenter
PC 9.2 - a fix is available in 9.2.13p2.

PolicyCenter S-Series
PC S-Series 1.1 - a fix for CVE-2016-0702 (CacheBleed), CVE-2016-0705, CVE-2016-0797, and CVE-2016-0800 (DROWN) is available in 1.1.2.1.  A fix for all CVEs is available in 1.1.2.2.

ProxyAV
ProxyAV 3.5 - a fix is available in 3.5.4.2.

ProxyClient
ProxyClient 3.4 for Windows - a fix will not be provided.  Please upgrade to the latest version of Unified Agent with the vulnerability fixes.

ProxySG
ProxySG 6.7 - a fix for all CVEs except CVE-2016-0800 (DROWN) is available in 6.7.1.1.  A fix for CVE-2016-0800 (DROWN) will not be provided.  Disabling SSLv2 for the management console, forward proxy service, and reverse proxy service prevents attacks using CVE-2016-0800 (DROWN).  See the Workarounds section for instructions on how to disable SSLv2.
ProxySG 6.6 - a fix for CVE-2016-0799 and CVE-2016-2842 is available in 6.6.4.1.  A fix for CVE-2016-0702 and CVE-2016-0797 is available in 6.6.4.3.  A fix for CVE-2016-0800 (DROWN) will not be provided.  Disabling SSLv2 for the management console, forward proxy service, and reverse proxy service prevents attacks using CVE-2016-0800 (DROWN).  See the Workarounds section for instructions on how to disable SSLv2.  A fix for the other CVEs is not available at this time.
ProxySG 6.5 - a fix for CVE-2016-0702 (CacheBleed), CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842 is available in 6.5.9.8.  A fix for CVE-2016-0705 and CVE-2016-0798 is available in 6.5.10.4.  A fix for CVE-2016-0800 (DROWN) will not be provided.  Disabling SSLv2 for the management console, forward proxy service, and reverse proxy service prevents attacks using CVE-2016-0800 (DROWN).  See the Workarounds section for instructions on how to disable SSLv2.

Reporter
Reporter 10.1 - a fix for all CVEs is available in 10.1.4.2.
Reporter 9.5 - a fix for all CVEs except CVE-2016-0800 (DROWN) is available in 9.5.3.  A fix for CVE-2016-0800 (DROWN) will not be provided.  Disabling SSLv2 for the management console prevents attacks using CVE-2016-0800 (DROWN).  See the Workarounds section for instructions on how to disable SSLv2.
Reporter 9.4 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Security Analytics
Security Analytics 7.2 - a fix for all CVEs is available in 7.2.1.
Security Analytics 7.1 - a fix for CVE-2016-0702 (CacheBleed), CVE-2016-0705, CVE-2016-0797, and CVE-2016-0798 is available in 7.1.11.  A fix for CVE-2016-0799 and CVE-2016-2842 is available through a patch RPM from Blue Coat Support.
Security Analytics 7.0 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
Security Analytics 6.6 - a fix for CVE-2016-0702 (CacheBleed), CVE-2016-0705, CVE-2016-0797, and CVE-2016-0798 is available in 6.6.12.  A fix for CVE-2016-0799 and CVE-2016-2842 is available through a patch RPM from Blue Coat Support.

SSL Visibility
SSLV 3.9 - a fix is available in 3.9.3.6.
SSLV 3.8.4FC - a fix is not available at this time.
SSLV 3.8 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Unified Agent
UA 4.7 - a fix is available in 4.7.1.
UA 4.6 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
UA 4.1 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

X-Series XOS
XOS 11.0 - a fix for CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0797, and CVE-2016-0800 (DROWN) is available in 11.0.2.  A fix for CVE-2016-0702, CVE-2016-0799, and CVE-2016-2842 is not available at this time.
XOS 10.0 - a fix for CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0797, and CVE-2016-0800 (DROWN) is available in 10.0.6.  A fix for CVE-2016-0702, CVE-2016-0799, and CVE-2016-2842 is not available at this time.
XOS 9.7 - a fix is not available at this time.

Advisory History: 

2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-21 Reporter 9.4, 9.5, and 10.1 are vulnerable to CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842.  Reporter 9.4 and 9.5 are also vulnerable to CVE-2016-0702, CVE-2016-0703, and CVE-2016-0704.  Reporter 9.4 and 9.5 are also vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the management console.  A fix for all CVEs except CVE-2016-0800 (DROWN) in Reporter 9.5 is available in 9.5.3.  A fix for CVE-2016-0800 (DROWN) will not be provided.  Disabling SSLv2 for the management console prevents attacks using CVE-2016-0800 (DROWN).  See the Workarounds section for instructions on how to disable SSLv2.  A fix for Reporter 10.1 is available in 10.1.4.2.
2017-07-20 MC 1.10 is not vulnerable.
2017-07-12 A fix for CVE-2016-0800 in CacheFlow will not be provided.  Disabling SSLv2 for the management console prevents attacks using CVE-2016-0800 (DROWN).  See the Workarounds section for instructions on how to disable SSLv2.
2017-06-30 A fix for the remaining CVE-2016-0705 and CVE-2016-0798 in ProxySG 6.5 is available in 6.5.10.4.
2016-06-30 A fix for ProxyAV 3.5 is available in 3.5.4.2.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PacketShaper S-Series 11.8 is not vulnerable.
2017-05-19 CAS 2.1 is vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the secure ICAP server.  A fix will not be provided.  Disabling SSLv2 in the secure ICAP server prevents attacks using CVE-2016-0800 (DROWN).  See the Workarounds section for instructions on how to disable SSLv2.
2017-04-29 A fix for CVE-2016-0705 and CVE-2016-0798 in CacheFlow 3.4 is available in 3.4.2.8.
2017-03-30 MC 1.9 is not vulnerable.
2017-03-29 A fix for all CVEs except CVE-2016-0705 and CVE-2016-0798 in ASG 6.6 is available in 6.6.5.4.
2017-03-06 MC 1.8 is not vulnerable.  SSLV 4.0 is not vulnerable.  ProxySG 6.7 is vulnerable to CVE-2016-0800 (DROWN) when SSLv2 is enabled for the management console, forward proxy service, or reverse proxy service.  A fix will not be provided.  Disabling SSLv2 for the management console, forward proxy service, and reverse proxy service prevents attacks using CVE-2016-0800 (DROWN).
2017-02-07 A fix for Android Mobile Agent is available in 1.3.8.
2016-11-29 A fix for Director is available in 6.1.22.1.  PacketShaper S-Series 11.7 is not vulnerable.  SSLV 3.11 is not vulnerable.  Customers should contact Digital Guardian regarding vulnerability information for DLP.  A fix for CVE-2016-0800 (DROWN) will not be provided for ProxySG 6.5 and 6.6.  Disabling SSLv2 for the management console, forward proxy service, and reverse proxy service prevents attacks using CVE-2016-0800 (DROWN).  See the Workarounds section for instructions on how to disable SSLv2.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-11-03 MC 1.5 has vulnerable code for CVE-2016-0800 (DROWN), but is not vulnerable to known vectors of attack.  A fix for MC 1.5 will not be provided.  A fix for MC 1.6 is available in 1.6.1.1.  MC 1.7 is not vulnerable.
2016-11-03 A fix for PacketShaper 9.2 is available in 9.2.13p2.  A fix for PolicyCenter 9.2 is available in 9.2.13p2.
2016-08-19 A fix for CVE-2016-0702 (CacheBleed), CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842 in CacheFlow is available in 3.4.2.7.
2016-08-12 A fix for all CVEs except CVE-2016-0800 (DROWN) in CAS 1.3 is available in 1.3.7.1.  A fix for CVE-2016-0800 (DROWN) will not be provided.  Disabling SSLv2 in the secure ICAP server prevents attacks using CVE-2016-0800 (DROWN).  See the Workarounds section for instructions on how to disable SSLv2.  Security Analytics 7.2 is not vulnerable.
2016-08-10 A fix for Unified Agent is available in 4.7.1.  CacheFlow 3.4 has vulnerable code for CVE-2016-0702 (CacheBleed), but is not vulnerable to known vectors of attack.
2016-07-25 Corrected the outstanding fixes for ProxySG 6.6 in the Patches section.
2016-07-23 A fix for CVE-2016-0702 and CVE-2016-0797 in ProxySG 6.6 is available in 6.6.4.3.
2016-07-16 It was previously reported that XOS is vulnerable to CVE-2016-0703, CVE-2016-0704, and CVE-2016-0800 (DROWN).  Further investigation has shown that XOS only has vulnerable code for those CVEs, but is not vulnerable to known vectors of attack.  Fixes for CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0797, and CVE-2016-0800 (DROWN) are available in XOS 10.0.6 and 11.0.2.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable.
2016-06-28 Fixes for PacketShaper S-Series 11.2, 11.3, and 11.4 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2016-06-27 A fix for Client Connector will not be provided.  Please upgrade to the latest version of Unified Agent with the vulnerability fixes.
2016-06-24 A fix for all CVEs in PacketShaper S-Series is available in 11.5.3.2.  A fix for all CVEs in PolicyCenter S-Series is available in 1.1.2.2.
2016-06-21 It was previously reported that a fix for CVE-2016-0702 (CacheBleed) and CVE-2016-0797 for ProxySG 6.6 is provided in 6.6.4.1.  Further investigation has shown that ProxySG 6.6 is still vulnerable to these CVEs.
2016-06-21 A fix for CVE-2016-0702 (CacheBleed), CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842 in ProxySG 6.6 is available in 6.6.4.1.  A fix for the other CVEs is not available at this time.
2016-06-14 A fix for SA 7.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-06-11 A fix for CVE-2016-0702 (CacheBleed), CVE-2016-0797, CVE-2016-0799, and CVE-2016-2842 in ProxySG 6.5 is available in 6.5.9.8.  A fix for the other CVEs is not available at this time.
2016-06-07 A fix for SSLV 3.9 is available in 3.9.3.6.  No version of SSLV is vulnerable to CVE-2016-0800 (DROWN).
2016-06-03 A fix for MAA is available in 4.2.9.
2016-05-25 The remaining fixes for Security Analytics 6.6 and 7.1 are available through a patch RPM from Blue Coat Support.
2016-05-17 Security Analytics 6.6, 7.0 and 7.1 are vulnerable and partial fixes are available in 6.6.12 and 7.1.11.
2016-05-12 A fix for SSLV 3.8 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-28 Fixes for CVE-2016-0702 (CacheBleed), CVE-2016-0705, CVE-2016-0797, and CVE-2016-0800 (DROWN) are available in PS S-Series 11.5.3.1 and PC S-Series 1.1.2.1.
2016-04-25 MTD 1.1 is vulnerable to and has vulnerable code for multiple CVEs.  A partial fix is available in MTD 1.1.2.1.
2016-04-21 PacketShaper S-Series and PolicyCenter S-Series are not vulnerable to CVE-2016-0703 and CVE-2016-0704.
2016-04-15 A fix will not be provided for CAS 1.2.  Please upgrade to a later version with the vulnerability fixes.
2016-04-12 Updated CVSS v2 scores to match the scores in the National Vulnerability Database. Added CVE-2016-2842 as a vulnerability independent of CVE-2016-0799.
2016-03-07 Initial public release.