9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
Blue Coat products that include affected versions of nginx and enable the nginx DNS resolver are susceptible to multiple vulnerabilities. A remote attacker, with access to the management interface, can exploit these vulnerabilities to cause denial of service. In some cases, the attacker may also cause nginx to execute arbitrary code.
The following products are vulnerable:
CVE |Affected Version(s)|Remediation
All CVEs | 5.4 | Not vulnerable, fixed in 5.4.1.
5.3 | Upgrade to later release with fixes.
CVE |Affected Version(s)|Remediation
All CVEs | 5.3 | A fix will not be provided.
CVE |Affected Version(s)|Remediation
All CVEs | 5.3 | A fix will not be provided. Customers who use NSP for USB cleaning can switch to a version of ICSP with fixes.
The following products have a vulnerable version of nginx, but are not vulnerable to known vectors of attack:
CVE |Affected Version(s)|Remediation
All CVEs | 3.11 and later | Not vulnerable, fixed in 3.11.1.1
3.10 | Upgrade to 3.10.2.1.
3.9 | Upgrade to 3.9.7.1.
3.8, 3.8.4FC | Upgrade to later release with fixes.
Blue Coat products do not enable or use all functionality within nginx. The product listed below include a vulnerable version of nginx, but do not enable the DNS resolver, and are not known to be vulnerable to the CVEs in this Security Advisory. However, fixes for those CVEs will be included in the patches that are provided.
The following products are not vulnerable:
Advanced Secure Gateway
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Content Analysis System
Director
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Threat Defense
Malware Analysis Appliance
Management Center
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
Unified Agent
Web Isolation
X-Series XOS
Blue Coat no longer provides vulnerability information for the following products:
DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.
Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 82230 / NVD: CVE-2016-0742 Impact| Denial of service Description | A flaw in the nginx DNS resolver allows a remote attacker to send crafted DNS responses to nginx and cause it to perform an out of bounds read or dereference an invalid pointer. This can cause nginx to crash, resulting in denial of service.
Severity / CVSSv2 | Medium / 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P) References| SecurityFocus: BID 82230 / NVD: CVE-2016-0746 Impact| Denial of service, code execution Description | A use-after-free flaw in the nginx DNS resolver allows a remote attacker, who can trigger DNS resolution on the target, to send crafted DNS responses to nginx. This attack can cause an nginx worker process to crash or execute arbitrary code.
Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) References| SecurityFocus: BID 82230 / NVD: CVE-2016-0747 Impact| Denial of service Description | A flaw in the nginx DNS resolver allows a remote attacker, who can trigger DNS resolution on the target, to send crafted DNS responses to nginx. This attack can cause an nginx worker processes to consume excessive resources, resulting in denial of service.
REFERENCES
nginx security advisory - <https://mailman.nginx.org/pipermail/nginx-announce/2016/000169.html?_ga=1.39922274.1787485893.1455026502>
2020-04-21 A fix will not be provided for Industrical Control System Protection (ICSP) 5.3. Please upgrade to a later version with the vulnerability fixes. Advisory status changed to Closed.
2019-10-02 Web Isolation is not vulnerable.
2018-09-21 ICSP 5.4 is not vulnerable because a fix is available in 5.4.1.
2018-08-03 Customers who use NSP for USB cleaning can switch to a version of Industrial Control System Protection (ICSP) with fixes.
2018-06-29 A fix for Norman Shark Network Protection (NNP) 5.3 and Norman Shark SCADA Protection (NSP) 5.3 will not be provided.
2017-08-02 SSLV 4.1 is not vulnerable.
2017-03-16 PacketShaper S-Series is not vulnerable.
2017-03-16 A fix for SSLV 3.10 is available in 3.10.2.1.
2017-03-06 SSLV 4.0 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2017-01-13 A fix for SSLV 3.9 is available in 3.9.7.1.
2016-12-04 A fix is available in SSLV 3.11.1.1.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 has a vulnerable version of nginx, but is not vulnerable to known vectors of attack. A fix is not available at this time.
2016-06-11 PolicyCenter S-Series is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-25 Mail Threat Defense is not vulnerable.
2016-03-11 initial public release
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P