Security Advisories

February 1, 2012 - Multiple SSL/TLS vulnerabilities in Reporter

Security Advisories ID:    SA68
Version:    3.0
Status:    Published
Published date:    02/01/2012
Updated:    03/13/2012
 

Advisory Status

Final

Advisory Severity

Medium, CVSS v2 base score: 6.8 (AV:A/AC:H/Au:N/C:C/I:C/A:C)

CVE Number

CVE-2011-0014 - CVSS base score:  (AV:A/AC:L/Au:N/C:N/I:N/A:P)
CVE-2010-3864 - CVSS base score:  (AV:A/AC:H/Au:N/C:C/I:C/A:C)

Summary

Reporter uses a version of OpenSSL that has several publicly documented vulnerabilities. The most severe vulnerability allows an attacker to gain complete control over a Reporter installation.

Affected Products

All versions of Reporter prior to 9.2.5.1 and 9.3.2.1 are vulnerable.

Details

Reporter 9.3.1.1 and 9.2.4.1 use OpenSSL version 0.9.8o. Reporter 9.1.5.1 uses OpenSSL version 0.9.8j. Reporter 8.3.7.1 uses OpenSSL version 0.9.8e. Each version of OpenSSL has several publicly documented vulnerabilities. OpenSSL version 0.9.8e is not vulnerable to CVE-2011-0014; therefore Reporter 8.3.7.1 is not vulnerable to that CVE.

The most severe vulnerability allows an attacker to gain complete control over a Reporter installation. The attacker can view and modify configuration data as well as data sent to and from Reporter. An attacker can also render Reporter completely unresponsive for administrative control as well as data transmission.

When Reporter is deployed behind a firewall, as is recommended, an attacker must gain access from the internal network in order to mount an attack. The CVSS base scores included in this advisory are based on this deployment scenario.

If Reporter is deployed outside of the firewall, the CVSS base score for all CVEs listed would be higher. The CVSS base score for this security advisory would be 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C).

Reporter 9.3.2.1 and 9.2.5.1 contain an upgrade to OpenSSL 0.9.8r fixing the CVEs documented in this security advisory.

Workarounds

Blue Coat recommends that Reporter be deployed behind a firewall. Additional constraints on what IP addresses can be used to connect to Reporter will greatly limit the ability to attack a Reporter installation.

Patches

Reporter 9.3 - a fix is available in 9.3.2.1. The fix is available to customers with a valid BlueTouch Online login from https://bto.bluecoat.com/download/product/8793.

Reporter 9.2 - a fix is available in 9.2.5.1. The fix is available to customers with a valid BlueTouch Online login from bto.bluecoat.com/download/product/4997.

Reporter 9.1 - please upgrade to a later version.

Reporter 8.3 - please upgrade to a later version.

References

Information about each CVE can be found at the National Vulnerability Database web site links below:

CVE-2011-0014 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0014

CVE-2010-3864 - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3864

Advisory History

2012-03-13 Reporter 8.3.7.1 is not vulnerable to CVE-2011-0014.

2012-02-08 Changed status to Final

2012-02-01 Initial public release.

