SA83 : SSL v3 Poodle Attack

Click to Subscribe
Security Advisory ID: 
SA83
Published Date: 
Oct 15, 2014
Advisory Status: 
Interim
Advisory Severity: 
Medium
CVSS v2 base score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVE Number: 
CVE-2014-3566

Blue Coat products using affected versions of OpenSSL and the SSLv3 protocol have a padding-oracle cryptography flaw. A man-in-the-middle attacker can use this flaw to obtain plain text from the intercepted SSL session.

Affected Products:

The following products are vulnerable:

Advanced Secure Gateway
ASG 6.6 is vulnerable. It disables SSL v3 by default for all connections other than the SSL/TLS proxy.  SSLv3 can be disabled for the SSL/TLS proxy.  ASG 6.6 is not vulnerable to the SSL v3 downgrade attack.

BCAAA
All versions of BCAAA are vulnerable when using CoreID and Novell SSO.  SSLv3 cannot be disabled within either the CoreID or Novell SDKs.  When using Siteminder, SSL/TLS is not used.  When using IWA-BCAAA and WinSSO, BCAAA uses the settings provided by Windows for SSL/TLS connections; SSL v3 can be disabled in the Windows configuration.

CacheFlow
All versions of CacheFlow prior to 3.4.2.1 have SSL v3 enabled by default for the management console and the default device profile.  In 3.4.2.1, both SSL v2 and SSL v3 are disabled by default for newly reinitialized systems.  Both can be disabled in previous versions.

Content Analysis System
Important:  CAS 1.2.4.x prior to 1.2.4.5 may also be vulnerable.  See Advisory Details below for more information.
All versions of CAS 1.x prior to 1.2.4.4 are vulnerable.  SSL v3 is enabled for HTTPS connections to MAA, secure syslog messages, HTTPS administrative connections, and connections to Blue Coat and cannot be disabled.  Secure ICAP connections have SSL v3 enabled by default, but it can be disabled.

Director
Director 5.x,  and 6.x prior to 6.1.16.1 are vulnerable. SSL v3 cannot be disabled.

DLP
All versions of DLP prior to 9.1 are vulnerable.

IntelligenceCenter
All versions of IC prior to 3.3.3 are vulnerable.

Malware Analysis Appliance
MAA 1.1.x and 4.1.x are vulnerable. SSL v3 cannot be disabled.

Malware Analyzer G2
All versions of MAG2 prior to 4.1.9 are vulnerable. SSL v3 cannot be disabled.

Management Center
MC 1.x prior to 1.2.1.1 also enables SSLv3 for the management console.  MC 1.x prior to 1.4.1.1 is vulnerable to SSLv3 downgrade attacks.  MC 1.x prior to 1.5.1.1 enable SSLv3 for client connections for diagnostics uploads, client certificate downloads, backup, and to Blue Coat services.  MC 1.6, 1.7, 1.8, 1.9, and 1.10 are not vulnerable.

Norman Shark Industrial Control System Protection
ICSP 5.x prior to 5.2.3 enables SSL v3 for connections to the WEBUI and it cannot be disabled.  The default configuration of ICSP 5.x does not use SSL/TLS client connections.  If SSL/TLS client connections are used, ICSP 5.x prior to 5.3.2 is vulnerable to the SSL v3 downgrade attack.  SSLv3 is enabled for client connections and can be disabled.

Norman Shark Network Protection
NNP 5.x prior to 5.2.3 enables SSL v3 for connections to the WEBUI and it cannot be disabled.  The default configuration of NNP 5.x does not use SSL/TLS client connections.  If SSL/TLS client connections are used, NNP 5.x prior to 5.3.2 is vulnerable to the SSL v3 downgrade attack.  SSLv3 is enabled for client connections and can be disabled.

Norman Shark SCADA Protection
NSP 5.x prior to 5.2.3 enables SSL v3 for connections to the WEBUI and it cannot be disabled.  The default configuration of NSP 5.x does not use SSL/TLS client connections.  If SSL/TLS client connections are used, NSP 5.x prior to 5.3.2 is vulnerable to the SSL v3 downgrade attack.  SSLv3 is enabled for client connections and can be disabled.

PacketShaper
All versions of PacketShaper prior to 9.2.9 are vulnerable.  SSL v3 is enabled by default for all connections, but can be disabled for all connections except LDAPS.  SSL v3 connections cannot be disabled for client connections to Blue Coat.

PacketShaper S-Series
All PS 11.x versions prior to 11.2.1.7 are vulnerable. PS S-Series 11.3, 11.4, 11.5, 11.6, 11.7, 1.8 and 11.9 are not vulnerable.
 

PolicyCenter
All versions of PolicyCenter prior to 9.2.9 are vulnerable.  SSL v3 is enabled by default for all connections, but can be disabled for all connections except LDAPS.  SSL v3 connections cannot be disabled for client connections to Blue Coat.

ProxyAV
All versions of ProxyAV have SSL v3 enabled by default for secure ICAP and HTTPS administrative connections, but SSL v3 can be disabled.

ProxyClient
ProxyClient 3.4 prior to 3.4.4.10, and 3.3 prior to 3.3.3.3 are vulnerable.  SSL v3 is enabled and cannot be disabled.

ProxySG
SGOS 6.5, 6.6, and 6.7 disable SSL v3 by default for all connections other than SSL/TLS proxy. SSL v3 can be disabled for SSL/TLS proxy.
SGOS 5.5, and 6.1 thru 6.4 enable SSL v3 by default for all connections. SSL v3 can be disabled for all connections.

Reporter
Reporter 9.x for Linux, Windows, and the ISO version (Virtualized Reporter) are vulnerable.  SSL v3 cannot be disabled for connections to Blue Coat to download access log from Cloud Portal or to upload diagnostic and heartbeat data to Blue Coat.  SSL v3 is enabled by default for web server connections and cannot be disabled.

Security Analytics Platform
SA 6.6 prior to 6.6.10, 7.0, and 7.1 prior to 7.1.6 are vulnerable.  SA 7.2 and 7.3 are not vulnerable.

SSL Visibility
SSLV prior to 3.7.0 enable SSLv3 for management connections to the Web UI.  SSLV prior to 3.8.3 enable SSLv3 for connections to the HSM Agent for the SafeNet Luna SP, and to Blue Coat WebPulse.  SSLv3 cannot be disabled.  SSLV prior to 3.7.4 and 3.8.2 are also vulnerable to the SSLv3 downgrade attack.  SSLV 3.8.4FC, 3.9, 3.10, 3.11, 4.0 and 4.1 are not vulnerable.

Unified Agent
Unified Agent 4.x prior to 4.1.3.151952 are vulnerable.  SSL v3 is enabled and cannot be disabled.

X-Series XOS
All versions of XOS include an embedded Web server that is is vulnerable. A workaround to disable SSL v3 on connections to the embedded Web server is available.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
Mail Threat Defense
PolicyCenter S-Series
ProxyAV ConLog and ConLogXP

Advisory Details: 

Version 3 of the SSL protocol (SSL v3) was released in 1996. There are several known vulnerabilities in SSL v3 that have been addressed in later versions of the protocol (TLS v1.0, 1.1, and 1.2). The POODLE attack exploits a cryptographic flaw in the cipher block padding mechanism implemented in SSL v3. This flaw has been addressed in later versions of the TLS protocol. Hence, the POODLE attack is specific to SSL v3 sessions.

Clients and servers negotiate the version of the SSL/TLS protocol that is used. The protocol negotiation (sometimes called the downgrade dance) allows the client and server to agree to use the latest protocol version that both support. Due to server interoperability difficulties, clients were designed to be more forgiving of non-standard errors from servers. Because of this, clients can be tricked into downgrading to the earliest protocol version that they support - often SSL v3. The POODLE attack uses this implementation flaw to force clients to downgrade to SSL v3, even if the client and server both support newer versions of the TLS protocol. Once the attacker ensures that SSL v3 is used, POODLE can exploit the cryptographic flaw. If SSL v3 is not supported by the client or the server, an attacker cannot use the POODLE attack.

The cryptographic flaw in the cipher block padding mechanism allows an attacker to obtain clear text data from an SSL v3 session. The attacker must be a man-in-the-middle that is able to inject chosen plain text into the session. Over time, the attacker will be able to use the flaw to obtain clear text data (e.g., a cookie) from the session in a manner similar to BEAST.

Blue Coat products that use OpenSSL, act as SSL servers, and only support SSL v3 are vulnerable. Clients and servers using OpenSSL that support SSL v3 are vulnerable unless SSL v3 is disabled.

A new TLS_FALLBACK_SCSV feature was added to the TLS protocol to protect clients from the SSL v3 downgrade attack.  The feature allows a TLS client to signal when it downgrades to SSL v3 due to suspected interoperability.  The server rejects the connection if it supports TLS v1.0 or higher and receives the TLS_FALLBACK_SCSV signal.  Blue Coat products that use OpenSSL, act as SSL clients, and do no support TLS_FALLBACK_SCSV are vulnerable to the SSL v3 download attack.

Important note about CAS:  CAS 1.2.4.5 and later address the vulnerability fully.  CAS 1.2.4.4 addresses this vulnerability for all interfaces in most but not all circumstances.  If CAS 1.2.4.4 is installed as a new installation, it is not vulnerable.  If it is installed as an upgrade from a previous version and no changes were made to the web server settings, CAS 1.2.4.4 is vulnerable in the administrative interface.  See the Workarounds section below for information about how to disable SSL v3 for CAS 1.1.x and 1.2.x prior to 1.2.4.5.

Workarounds: 

To exercise this attack, both the server and client must support SSL v3.  Disabling SSL v3 (and earlier) in clients and servers will completely prevent the attack.  If SSL v3 can be disabled in only the client or the server, the attack will be completely prevented as well.  Clients include browsers as well as products that act as a client in the SSL/TLS connection (e.g., product that contact a remote server such as WebPulse over an SSL/TLS connection).

To ensure that an attack is not possible, Blue Coat recommends disabling SSL v3 on all clients and servers.  Before disabling SSL v3, please verify that it will not cause backwards compatability problems when connecting to other servers and clients. 

For CacheFlow systems using a version prior to 3.4.2.1 or using 3.4.2.1 that was not newly reinitialized, SSL v2 and SSL v3 need to be disabled for the management console and the default device profile. The following steps can be used to disable SSL v3 from config mode in CacheFlow 2.x and 3.x:

ssl
edit ssl-device-profile default
protocol TLSv1
exit
exit
management-services
edit HTTPS-Console
attribute ssl-versions TLSv1
exit
exit

For CAS 1.1.x and 1.2.x prior to 1.2.4.5, disable SSL v3 in ICAPS by going to "Settings" and selecting "ICAP".  Uncheck "SSL v3" in the TLS settings section and save changes.  Other uses of SSL v3 cannot be disabled.

CAS 1.2.4.4 addresses this vulnerability for all interfaces in most but not all circumstances.  If CAS 1.2.4.x is installed as a new installation, it is not vulnerable.  If it is installed as an upgrade from a previous version and no changes were made to the web server settings, CAS 1.2.4.4 is vulnerable in the administrative interface due to a flaw in deploying the updated configuration to disable SSL v3.  The workaround to ensure SSL v3 is disabled in the administrative console is:

  1. Go to the administration console and navigate to “Settings > Web Management”.  Go to “Web Server”.
  2. Modify one setting (e.g., the port number for HTTPS administration).  Click “Save Changes”.
  3. Wait 30 seconds for the system to fully accept the change.
  4. Change the setting back to the original value.  Click “Save Changes”.

CAS 1.2.4.5 and later fully addresses this vulnerability in all circumstances.

For ProxyAV, disable SSL v3 in three services:

HTTPS web UI:  go to "Network".  Uncheck "SSL v3" and save changes.
ICAPS:  go to "ICAP Settings".  Uncheck "SSL v3" and save changes.
Outgoing SSL/TLS requests:  go to "Advanced" and select "SSL Client".  Uncheck "SSL v3" and save changes.

For ASG and ProxySG, disable SSL v3 for all device profiles. To protect SSL/TLS proxy interception, SSL v3 can be disabled via policy rules to deny SSL v3 connections for clients, servers, or both. Disabling SSL v3 will block block access to clients and/or servers that support only SSL v3 and do not support the more recent TLS 1.0, 1.1, or 1.2 protocols.  These rules can be used to deny SSL v3 when acting as a client and server:

<SSL>
client.connection.negotiated_ssl_version=SSLV3 deny
<SSL>
server.connection.negotiated_ssl_version=SSLV3 deny

These rules can be used to make sure that both SSL v2 and v3 cannot be used when acting as a client and a server:

<SSL>
client.connection.negotiated_ssl_version=(SSLV3,SSLV2) force_deny
<SSL>
server.connection.negotiated_ssl_version=(SSLV3,SSLV2) force_deny

For Reporter 9.5, disable SSL v3 in the /settings/preferences.cfg file in the Reporter 9.5 installation directory.  Ensure that the following line is set to "false":

ssl_v3="false"

SSL v3 cannot be disabled in Reporter 9.4.  Previously, this Security Advisory reported that SSL v3 can be disabled by editing the /settings/preferences.cfg file in Reporter 9.4.  However, this configuration change results in a reset of TLS/SSL connections.  Hence, this configuration change is no longer recommended in Reporter 9.4.

For SSL Visibility, disable SSL v3 in the Tomcat configuration for the SafeNet Luna SP.  This workaround should be deployed with the SSL Visibility fix.  No workaround is available for protecting the connection to WebPulse.

For X-Series, disable SSL v3 by specifying the allowed TLS protocols in the HTTP Connector definition in the Tomcat server.xml configuration file:

protocols="TLSv1,TLSv1.1,TLSv1.2"
Patches: 

Advanced Secure Gateway
ASG 6.6 - disable SSL v3 for all connections as described in the Workarounds section.

BCAAA
BCAAA 6.x - a fix will not be provided.  CoreID is no longer supported and an updated Novell SDK is not available.
BCAAA 5.x - a fix will not be provided.

CacheFlow
A fix is available in 3.x to disable SSL v3 by default for newly reinitialized or installed systems. Customers who cannot reinitialize their system must follow the workarounds to disable SSL v3 for the management console and the default device profile as described in the Workarounds section.
CacheFlow 3.x - SSL v3 is disabled by default in 3.4.2.1 for newly reinitialized systems.  A fix for the SSL v3 downgrade attack is available in 3.4.2.5.
CacheFlow 2.x - a fix will not be provided.

Content Analysis System
CAS 1.2 - a fix is available in 1.2.4.4.  Blue Coat recommends the use of 1.2.4.5 and later.
CAS 1.1 - a fix will not be provided.  Please upgrade to the latest CAS release with the vulnerability fix.

Director
Director 6.1 - a fix is available in 6.1.16.1 that disables SSL v3 completely.
Director 5.x - a fix will not be provided.  Please upgrade to the latest Director release with the vulnerability fix.

DLP
DLP 9.x - a fix is available in 9.1.
DLP 8.x - a fix will not be provided.  Please upgrade to the latest DLP release with the vulnerability fix.
DLP 7.x - a fix will not be provided.  Please upgrade to the latest DLP release with the vulnerability fix.

IntelligenceCenter
IC 3.3 - a fix is available in 3.3.3.
IC 3.2 - a fix will not be provided.  Please upgrade to the latest IC release with the vulnerability fix.

Malware Analysis Appliance
MAA 4.1.x - a fix is available in 4.1.9.

Malware Analyzer G2
MAG2 4.1 and prior – a fix will not be provided. Please upgrade to the latest MAA 4.x release with the vulnerability fix.

Management Center
MC 1.5 - SSLv3 is disabled for all client connections in 1.5.1.1.
MC 1.4 - a fix for the SSL v3 downgrade attack is available in 1.4.1.1.
MC 1.3 - a fix for the SSL v3 downgrade attack will not be provided.  Please upgrade to the latest MC release with the vulnerability fix.
MC 1.2 – SSL v3 is disabled for the management console in 1.2.1.1.  A fix for the SSL v3 downgrade attack will not be provided.  Please upgrade to the latest MC release with the vulnerability fix.
MC 1.1 – a fix will not be provided. Please upgrade to the latest MC release with the vulnerability fix.

Norman Shark Industrial Control System Protection
ICSP customers are advised to upgrade as soon as possible to the release listed below. Customers who cannot upgrade immediately may obtain patches for 5.2.1 and 5.1.0 from Blue Coat Support.
ICSP 5.3 – A fix for the SSL v3 downgrade attack is available in 5.3.2.
ICSP 5.2 – SSL v3 is disabled for connections to the WEBUI in 5.2.3.  A fix for the SSL v3 downgrade attack will not be provided.  Please upgrade to the latest ICSP release with the vulnerability fix.
ICSP 5.1 and earlier – a fix will not be provided.  Please deploy the patch or upgrade to the latest ICSP release with the vulnerability fixes.

Norman Shark Network Protection
NNP customers are advised to upgrade as soon as possible to the release listed below. Customers who cannot upgrade immediately may obtain patches for 5.2.1 and 5.0.1, 5.0.0, 4.2.9, and 4.2.8 from Blue Coat Support.
NNP 5.3 – A fix for the SSL v3 downgrade attack is available in 5.3.2.
NNP 5.2 – SSL v3 is disabled for connections to the WEBUI in 5.2.3.  A fix for the SSL v3 downgrade attack will not be provided.  Please upgrade to the latest NNP release with the vulnerability fix.
NNP 5.1 and earlier – a fix will not be provided.  Please deploy the patch or upgrade to the latest NNP release with the vulnerability fixes.

Norman Shark SCADA Protection
NSP customers are advised to upgrade as soon as possible to the release listed below. Customers who cannot upgrade immediately may obtain patches for 5.2.1 and 5.0.1, 5.0.0, 4.2.9, and 4.2.8 from Blue Coat Support.
NSP 5.3 – A fix for the SSL v3 downgrade attack is available in 5.3.2.
NSP 5.2 – SSL v3 is disabled for connections to the WEBUI in 5.2.3.  A fix for the SSL v3 downgrade attack will not be provided.  Please upgrade to the latest NSP release with the vulnerability fix.
NSP 5.1 and earlier – a fix will not be provided.  Please deploy the patch or upgrade to the latest NSP release with the vulnerability fixes.

PacketShaper
PSOS 9.2 - a  fix is available in 9.2.9 to disable SSL v3 by default for all connections except LDAPS.
PSOS 8.7 - a fix will not be provided.  Please upgrade to the latest release with the vulnerability fix.

PacketShaper S-Series
PS 11.2 - a fix is available in 11.2.1.7.

PolicyCenter
PolicyCenter 9.2 - a fix is available in 9.2.9 to disable SSL v3 by dfault for all connections except LDAPS.
PolicyCenter 8.7 - a fix will not be provided.  Please upgrade to the latest release with the vulnerability fix.

ProxyAV
Disable SSL v3 for management and client connections.

ProxyClient
ProxyClient 3.4 - a fix disabling SSL v3 is available in 3.4.4.10.
ProxyClient 3.3 - a fix disabling SSL v3 is available in 3.3.3.3.

ProxySG
Disable SSL v3 for all connections as described in the Workarounds section.

Reporter
Reporter 9.4 - a fix is not yet available.

Security Analytics Platform
SA 7.1 - a fix is available in 7.1.6.
SA 7.0 - a patch RPM to update the version of OpenSSL is available through Blue Coat Support.
SA 6.6 - a fix is available in 6.6.10.

SSL Visibility
Disable SSL v3 in the Tomcat configuration for the SafeNet Luna SP as described in the Workarounds section.  In addition, upgrade to the latest release with the vulnerability fix.
SSLV 3.8 - a fix for the SSLv3 downgrade attack is available in 3.8.2.  A fix to disable SSLv3 in connections to the SafeNet Luna SP and WebPulse is available in 3.8.3.
SSLV 3.7 - a fix for the SSLv3 downgrade attack is available in 3.7.4.  A fix to disable SSLV3 in connections to the SafeNet LunaSP and WebPulse will not be provided.  Please upgrade to the latest release with the vulnerability fix.
SSLV 3.6 - a fix will not be provided.  Please upgrade to the latest release with the vulnerability fix.
SSLV 3.5 - a fix will not be provided.  Please upgrade to the latest release with the vulnerability fix.

Unified Agent
UA 4.x - a fix disabling SSL v3 is available in 4.1.3.151952.

X-Series XOS
Disable SSL v3 in the Tomcat configuration as described in the Workarounds section.

Fixes for MAA and Norman Shark products are available only through the update system provided by the product. Fixes for other products are available to customers with a valid Blue Touch Online login.

References: 

CVE-2014-3566 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
This POODLE Bites: Exploiting the SSL 3.0 Fallback - https://www.openssl.org/~bodo/ssl-poodle.pdf

Advisory History: 

2017-08-02 SSLV 4.1 is not vulnerable.
2017-07-24 PacketShaper S-Series 11.9 is not vulnerable.
2017-07-20 MC 1.10 is not vulnerable.
2017-06-22 Security Analytics 7.3 is not vulnerable.
2017-06-05 PS S-Series 11.3, 11.4, 11.5, 11.6, 11.7, and 11.8 are not vulnerable.
2017-03-06 MC 1.6, 1.7, and 1.8 are not vulnerable.  SSLV 4.0 is not vulnerable.  ProxySG 6.7 disables SSL v3 for all interfaces other than the SSL/TLS proxy.  SSL v3 can be disabled for the SSL/TLS proxy.
2016-12-04 SSLV 3.11 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-15 SSLv3 is disabled in MC for all client connections in 1.5.1.1.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-09-23 A fix for the SSL v3 downgrade attack in CacheFlow 3.4 is available in 3.4.2.5.
2016-09-15 ASG 6.6 disables SSL v3 for all connections except the SSL/TLS proxy.  SSL v3 can be disabled for the SSL/TLS proxy.  ASG 6.6 is not vulnerable to the SSL v3 downgrade attack.
2016-08-11 Security Analytics 7.2 is not vulnerable.
2016-07-15 A fix for the SSLv3 downgrade attack is available in SSLV 3.7.4 and 3.8.2.  SSLV 3.8.4FC and 3.9 are not vulnerable.
2016-06-11 PolicyCenter S-Series is not vulnerable.
2016-05-27 ICSP, NNP, and NSP 5.2.3 disable SSL v3 for connections to the WEBUI. A fix for the SSL v3 downgrade attack is available in ICSP, NNP, and NSP 5.3.2.
2016-05-26 Added description of TLS_FALLBACK_SCSV feature to protect against the SSL v3 downgrade attack.  MC 1.2.1.1 disables SSL v3 for the management console and 1.4.1.1 contains a fix for the SSLv3 downgrade attack.
2016-05-21 Clarified that this Security Advisory only affects Blue Coat products using OpenSSL.  AuthConnector, General Auth Connector Login Application, and K9 is not vulnerable.
2016-05-20 ProxyAV ConLog and ConLogXP is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-23 Mail Threat Defense is not vulnerable.
2016-02-26 OPIC was removed as the product is no longer supported.  SSLv3 can be disabled in Reporter 9.5.
2016-01-22 Android Mobile Agent and Client Connector are not vulnerable.
2015-12-02 All fixes are available for Security Analytics Platform
2015-10-01 Fix is available in SSLV
2015-09-30 Fix is available in CAS 1.2.4.5 to disable SSLv3 in upgrade scenarios
2015-07-26 Fix is available for CacheFlow
2015-06-23 CAS 1.2.4.4 does not always disable SSLv3 for the administration console, workaround is provided
2015-06-17 CAS 1.2.3.1 is vulnerable - customers are advised to upgrade to CAS 1.2.4.4 to address the vulnerability in all interfaces
2015-03-12 Fix is available for IntelligenceCenter; clarification for PacketShaper and PolicyCenter of connections for which SSL v3 can be disabled
2015-03-11 DLP is no longer under investigation
2015-03-04 A fix is available for PacketShaper 9.2; PolicyCenter is available and a fix is available; added Android Mobile Agend and OPIC as under investigation; DLP is vulnerable and a fix is available in 9.x
2015-03-03 Security Analytics is vulnerable and fixes are available; fix is available for MC
2015-02-17 Minor update to specify which versions of ProxyClient are vulnerable (versions prior to 3.3.3.3, and 3.4.4.10)
2015-01-23 Fixes are available for ProxyClient and Unified Agent
2015-01-21 Fix is available for CAS
2015-01-20 Advanced Secure Gateway Limited Availability version is vulnerable
2015-01-13 Reporter workaround is not viable and has been removed from this Security Advisory
2014-12-11 Fix is available for Director, instructions provided for disabling SSL v3 for Reporter, a fix will not be provided for BCAAA
2014-12-10 Fix is available for PacketShaper S-Series, updates on disabling SSL v3 for MAA and CAS, SSL v3 cannot be disabled for management connections for CAS
2014-11-17 Workaround for X-Series provided
2014-11-14 SSL Visibility will not provide a fix as the workaround addresses the issue
2014-11-11 Reporter is vulnerable
2014-11-10 PacketShaper, ProxyClient, Unified Agent/Client Connector, CAS, Intelligence Center, and BCAAA are vulnerable; ProxyAV allows SSL v3 to be disabled
2014-10-20 Clarified workaround to disable SSL v3; SSL Visibility and PacketShaper S-Series are vulnerable; CacheFlow workarounds added; fix for MAA 4.1 and Norman Shark products are available; SGOS 5.5 enables SSL v3
2014-10-16 Norman Shark products are vulnerable; policy provided for ProxySG; Director 5.x vulnerable
2014-10-15 Initial public release