Blue Coat products using affected versions of OpenSSL are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to cause denial of service and obtain SSL/TLS session key information.
The following products are vulnerable (product names are taken from the revision history below):

Director

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-7055 | 6.1 | Upgrade to 6.1.23.1. |

MA

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-7055 | 4.2 | Upgrade to 4.2.12. |

ICSP

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-7055 | 5.4 and later | Not vulnerable, fixed in 5.4.1 |
| | 5.3 | Upgrade to later release with fixes. |

NNP

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-7055 | 5.3 | A fix will not be provided. |

NSP

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-7055 | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes. |

SSLV

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-7055 | 4.1 and later | Not vulnerable, fixed in 4.1.1.1 |
| | 4.0 | Upgrade to 4.0.2.1. |
| | 3.12 | Not vulnerable, fixed in 3.12.1.1 |
| | 3.11 | Upgrade to 3.11.3.1. |
| | 3.10 | Upgrade to 3.10.4.1. |
| | 3.9 | Upgrade to later releases with fixes. |
| | 3.8.4FC | Upgrade to later releases with fixes. |

UA

| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2016-7055 | 4.8 and later | Not vulnerable, fixed in 4.8.0 |
| | 4.7 | Upgrade to later release with fixes. |
| | 4.6 | Upgrade to later release with fixes. |
Blue Coat products that use a native installation of OpenSSL but do not install or maintain that implementation are not vulnerable to any of these CVEs. However, the underlying platform or application that installs and maintains OpenSSL may be vulnerable. Blue Coat urges our customers to update the versions of OpenSSL that are natively installed for Client Connector for OS X, Proxy Client for OS X, and Reporter 9.x for Linux.
Blue Coat products may act as both client and server in SSL/TLS connections. Blue Coat products act as a client when connecting to Blue Coat services such as WebPulse, DRTR, and licensing and subscription services. Products that are vulnerable to CVE-2016-7055 should be considered vulnerable in all interfaces that provide SSL/TLS client and server connections.
The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Reporter
Security Analytics
Web Isolation
X-Series XOS
Blue Coat no longer provides vulnerability information for the following products:
DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.
| Field | CVE-2016-7053 |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 94244 / NVD: CVE-2016-7053 |
| Impact | Denial of service |
| Description | A flaw in CMS parsing allows a remote attacker to send invalid CMS data and cause denial of service through application crashes. |

| Field | CVE-2016-7054 |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 94238 / NVD: CVE-2016-7054 |
| Impact | Denial of service |
| Description | A flaw in the SSL/TLS client and server modules allows a remote attacker to send a large amount of encrypted data and cause denial of service through application crashes. |

| Field | CVE-2016-7055 |
|---|---|
| Severity / CVSSv2 | Low / 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 94242 / NVD: CVE-2016-7055 |
| Impact | Information disclosure |
| Description | A flaw in Montgomery multiplication allows a remote attacker to compromise ECDH key negotiation in SSL/TLS connections that use Brainpool P-512 curves. The attacker may be able to obtain information about session keys computed during ECDH key negotiation. |
OpenSSL Security Advisory - <https://www.openssl.org/news/secadv/20161110.txt>
2020-04-28 A fix will not be provided for ICSP 5.3. Please upgrade to a later version with the vulnerability fixes. Advisory status changed to Closed.
2019-10-07 Web Isolation is not vulnerable.
2019-01-29 ICSP 5.4 is not vulnerable because a fix is provided in 5.4.1.
2018-09-24 A fix for SSLV 3.8.4FC will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-07-27 A fix for MA 4.2 is available in 4.2.12.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2018-02-22 A fix for SSLV 3.10 is available in 3.10.4.1.
2018-01-11 Added NVD CVSS v2 scores. Adjusted advisory severity to Medium based on CVSS v2 scores.
2017-11-16 A fix for SSLV 3.9 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2017-11-15 SSLV 3.12 is not vulnerable because a fix is available in 3.12.1.1.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-05-22 UA 4.8 is not vulnerable because a fix is available in 4.8.0.
2017-04-30 A fix for Director 6.1 is available in 6.1.23.1.
2017-04-12 A fix for SSLV 3.11 is available in 3.11.3.1.
2017-03-30 A fix for SSLV 4.0 is available in 4.0.2.1.
2017-03-08 SSLV 4.0 is vulnerable to CVE-2016-7055.
2016-11-30 Initial public release.