Consolidated list of vulnerabilities that don't pose a risk to the Skyhigh Web Gateway appliance
Technical Articles ID: KB88086
Last Modified: 2023-07-04 10:26:10 Etc/GMT
Environment
Skyhigh Web Gateway (SWG)
Summary
The following table lists the vulnerabilities (CVEs) that Technical Support has investigated and determined to pose no risk to the SWG appliance when it is installed in a supported configuration.
IMPORTANT: New CVEs will be added to this list after they've been investigated and determined to pose no risk to the appliance. This article also consolidates vulnerabilities from existing articles that have been previously investigated.
CVE and Reference |
Description |
Comment |
CVE-2016-5018
CVE-2016-6794
CVE-2016-6796
CVE-2016-6797
CVE-2016-0762
1165759 |
CVE-2016-5018:
A malicious web application can bypass a configured SecurityManager via a Tomcat utility method that's accessible to web applications.
For more information, see this document.
CVE-2016-6794:
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. Tomcat's system property replacement feature for configuration files can be used by a malicious web application to bypass the SecurityManager and read system properties that shouldn't be visible.
CVE-2016-6796:
A malicious web application can bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.
CVE-2016-6797:
The ResourceLinkFactory doesn't limit web application access to global JNDI resources to those resources explicitly linked to the web application. So, it's possible for a web application to access any global JNDI resource, regardless of whether an explicit ResourceLink has been configured or not.
CVE-2016-0762:
The Realm implementations don't process the supplied password if the supplied username doesn't exist. As a result, a timing attack can be used to determine valid usernames. The default configuration includes the LockOutRealm, which makes exploitation of this vulnerability harder.
For more information about these vulnerabilities, see the Apache Tomcat 7.x vulnerabilities. |
CVE-2016-6797:
SWG doesn't allow or support deployment of third-party Web Applications.
Also, the SWG Manager doesn't use JNDI resources (global or explicitly linked).
CVE-2016-5018, CVE-2016-6794, and CVE-2016-6796:
SWG doesn't allow or support deployment of third-party Web Applications, so malicious Web Applications can't exploit these vulnerabilities.
CVE-2016-0762:
The SWG Manager uses Apache Tomcat's Realm implementation. |
CVE-2014-1568
1013040 |
CVE-2014-1568:
A vulnerability in the Mozilla Network Security Services (NSS) crypto library.
Affected versions are Mozilla NSS before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120. These versions don't properly parse ASN.1 values in X.509 certificates. As a result, it's easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue.
For more information, see CVE-2014-1568. |
- Most supported versions of SWG don't use NSS, so they aren't affected by this vulnerability while handling web traffic.
- SWG 7.4.2.3 and later use NSS, but these NSS versions aren't affected by this vulnerability.
- Some of the system links point to NSS, but they don't use RSA signature processing.
NOTE: This information was formerly hosted in KB83091.
|
CVE-2015-5477
1083675 |
CVE-2015-5477:
This issue is a BIND vulnerability caused by an error in handling TKEY queries that can cause named to exit with a REQUIRE assertion failure.
For more information, see NVD - CVE-2015-5477. |
SWG uses a BIND version affected by this issue. However, in the SWG implementation there's no way to exploit the issue because named is running on the loopback interface only. The only clients pointing to named are the local glibc stub resolver and SWG uDNS, and foreign attackers have no way to create a TKEY query through the glibc stub resolver or SWG uDNS.
SWG will likely import a fixed BIND package in a future version, but there's no urgency because SWG isn't vulnerable.
NOTE: This information was formerly hosted in KB85342. |
CVE-2015-1635 |
CVE-2015-1635:
A vulnerability in the Microsoft http.sys kernel driver, which is used in many of its operating systems. Affected operating systems include Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2. http.sys is the kernel mode driver that handles HTTP requests. The vulnerability can allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. The vulnerability exists when the http.sys component improperly parses specially crafted HTTP requests that include an HTTP "Range" Header with a very large value. Microsoft IIS web servers are one commonly used piece of server software known to be vulnerable, but any software that uses the http.sys kernel driver could be vulnerable.
For more information, see CVE-2015-1635. |
SWG protects your environment out of the box when you implement its default policy.
SWG's Gateway Antimalware rule set includes a rule named Remove Partial Content for HTTP(s) Requests, which removes the Range Header to prevent Partial Downloads.
In addition to protecting end-users from this vulnerability, removing the Range Header also allows SWG to scan the complete HTTP or HTTPS file. In this way, malicious content distributed over several parts of a file can be detected.
If you don't use the default Gateway Antimalware rules, you can add the rule Remove Partial Content for HTTP(s) Requests to your policy to secure all Windows installations. You can either import the default Gateway Antimalware rule set from the rule set library, or use the attached screenshot to create a rule yourself.
NOTE: This information was formerly hosted in KB84520. |
CVE-2015-1793
1078983 |
CVE-2015-1793:
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c doesn't properly process X.509 Basic Constraints cA values during identification of alternative certificate chains. As a result, it allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.
For more information, see this Word document. |
SWG isn't vulnerable to this issue. No supported versions of SWG use the affected OpenSSL version.
NOTE: This information was formerly hosted in KB85206. |
CVE-2016-0800
1124041 |
CVE-2016-0800:
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data. As a result, it makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a DROWN attack.
For more information, see the following documentation:
|
SWG isn't affected by this vulnerability because it doesn't support SSLv2.
NOTE: This information was formerly hosted in KB86748. |
CVE-2015-4000
1067091 |
CVE-2015-4000:
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, doesn't properly convey a DHE_EXPORT choice. As a result, it allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the Logjam issue.
For more information, see CVE-2015-4000. |
SWG isn't vulnerable to this issue.
All versions of SWG use DH keys with a strength of 1024-bit or greater.
NOTE: This information was formerly hosted in KB84890. |
CVE-2015-3197
CVE-2016-0701
1119566 |
CVE-2015-3197:
ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f doesn't prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.
For more information, see CVE-2015-3197.
CVE-2016-0701:
The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f doesn't make sure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange. As a result, it makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chooses an inappropriate number, as shown by a number in an X9.42 file.
For more information, see CVE-2016-0701. |
SWG isn't vulnerable to these issues:
- SWG has already set SSL_OP_NO_SSLv2 in all places, so SWG isn't vulnerable to CVE-2015-3197.
- SWG uses OpenSSL 1.0.1p-1, which isn't vulnerable to CVE-2016-0701 because the version doesn't support X9.42-based parameters. SWG imports a fixed OpenSSL package in the following versions:
NOTE: This information was formerly hosted in KB86552. |
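The CVE-2016-0762 row above describes a Realm that skips password processing when the username doesn't exist. The following added example (an illustration written for this article, not Tomcat or SWG code) contrasts that behaviour with a lookup that always hashes the supplied password. The user store, function names and work factor are assumptions, and the hash-call counter stands in for the timing difference.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000   # assumed work factor for this sketch
kdf_calls = 0         # counts password-hash computations (the timing signal)

def _hash(password, salt):
    global kdf_calls
    kdf_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def _record(password):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed user store: username -> (salt, derived key)
USERS = {"alice": _record("correct horse")}
# Dummy credential that no login can match; it only exists to spend the same work
DUMMY = _record(os.urandom(16).hex())

def authenticate_leaky(username, password):
    """Behaviour described for CVE-2016-0762: unknown users skip the hash."""
    rec = USERS.get(username)
    if rec is None:
        return False                      # early return is measurably faster
    salt, stored = rec
    return hmac.compare_digest(_hash(password, salt), stored)

def authenticate_uniform(username, password):
    """Always hash the supplied password, then decide."""
    rec = USERS.get(username)
    salt, stored = rec if rec is not None else DUMMY
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return ok and rec is not None         # a dummy match never authenticates

def kdf_cost(fn, username, password):
    """Number of hash computations one login attempt triggers."""
    before = kdf_calls
    fn(username, password)
    return kdf_calls - before
```

With the uniform version, a known and an unknown username cost the same number of hash computations, so response time no longer separates them.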
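The CVE-2015-1635 row above relies on a rule that removes the Range header from requests. The following added example (not SWG's rule engine or rule syntax) applies that transformation to a raw request head and additionally flags oversized offsets for logging. The function names, the 2**32 threshold and the sample requests are assumptions constructed here.

```python
import re

# Assumption for this sketch: any byte offset at or above 2**32 is treated as
# "very large" and worth logging; the article gives no specific threshold.
SUSPICIOUS_OFFSET = 2**32
_RANGE_SPEC = re.compile(r"(\d*)-(\d*)")

def range_is_suspicious(value):
    """True if any offset in a Range header value reaches the threshold."""
    _, _, specs = value.partition("=")
    for first, last in _RANGE_SPEC.findall(specs):
        if any(n and int(n) >= SUSPICIOUS_OFFSET for n in (first, last)):
            return True
    return False

def remove_partial_content(raw):
    """Strip every Range header from a request head.

    Returns (rewritten_request, removed_values, suspicious_flag).
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    kept, removed = [lines[0]], []        # lines[0] is the request line
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"range":   # header names are case-insensitive
            removed.append(value.strip().decode("latin-1"))
        else:
            kept.append(line)
    suspicious = any(range_is_suspicious(v) for v in removed)
    return b"\r\n".join(kept) + sep + body, removed, suspicious

# Constructed sample requests
NORMAL = (b"GET /file.zip HTTP/1.1\r\nHost: example.test\r\n"
          b"Range: bytes=0-1023\r\n\r\n")
OVERSIZED = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
             b"range: bytes=0-99999999999999999999\r\n\r\n")
```

Because the header is removed in every case, the origin server returns the complete object, which is what lets the gateway scan the whole file as the row describes.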
Solution
NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision.