Common Vulnerabilities and Exposures (CVEs) applicable to Symantec Encryption Management Server and Symantec Endpoint Encryption

Article ID: 157729

Products

Encryption Management Server

Issue/Introduction

This article provides Administrators of Symantec Encryption Management Server with a listing of reported CVEs that Symantec Enterprise Division Development has reviewed and resolved in the current release of the Encryption Management Server.  This list may not contain all the CVEs that have been reported; it contains only those CVEs that have been reviewed by Symantec Enterprise Division Development and resolved, or for which reasonable workarounds are known.

Where Symantec Enterprise Division Development does not list the CVEs as a fixed package, but the CVE has been reviewed, an explanation is given on what the status of the CVE may be as it applies to the Encryption Management Server.

Vulnerability scanners typically scan for specific package versions and do not usually attempt to exploit any actual vulnerability.  The Encryption Management Server uses customized packages and is itself a customized Linux operating system based on CentOS.

The Encryption Management Server may still come up in those scans because the server is a customized Linux operating system, and its package versions may not correspond with what the Vulnerability Scanners expect.  This does not mean the server is still susceptible to the CVE listed, but that the fixes are packaged differently.  Symantec Enterprise Division Development documents, in the changelog of each package, the CVEs that the package fixes.

Resolution

It is possible to output a list of all the CVEs that have been included in a specific version of Symantec Encryption Management Server.  To do so, SSH access to the Encryption Management Server is required.  To output all the CVEs that have been resolved, run the following command:

rpm -qa --changelog | grep CVE | sort > CVE-List.txt

TIP: For convenience, a full dump of the Red Hat Kernel Changelog has been attached to this article; however, this same information is available on any version of SEMS.  Check the Download Files section of the article in the top-right hand corner of the screen to download these files.

Once this command has been run, it builds a list of all the CVEs that have been addressed in the installed packages.  It is then possible to grep for a specific CVE.

In this example, CVE-2007-2953 will be searched for by running the following command:

grep -i CVE-2007-2953 CVE-List.txt

If the CVE was included in a version of Symantec Encryption Management Server, the results will be displayed as in the following example:

[<user>@<host> ~]# grep -i CVE-2007-2953 CVE-List.txt
- add fixes for CVE-2007-2953 and CVE-2008-2712
- add fixes for CVE-2007-2953 and CVE-2008-2712
- add fixes for CVE-2007-2953 and CVE-2008-2712

This output indicates the fix was included in one of the packages.  The output does not provide full details of the fix; it simply confirms that the fix was included.
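As an added example (not code from the article or from Symantec), the following POSIX shell script automates the check described above: it extracts CVE ids from changelog text and reports, for each id a scanner flagged, whether the changelog records a fix. The changelog text embedded in it is constructed for this example; on an appliance the input would be CVE-List.txt or the rpm changelog output shown above.

```shell
#!/bin/sh
# Added example: triage a scanner's CVE findings against RPM changelog text,
# the same check the article performs by hand with grep.
# The sample changelog below is constructed for this example and is NOT real
# SEMS package data; real input comes from "rpm -qa --changelog" or CVE-List.txt.
SAMPLE_CHANGELOG='* Tue Jan 01 2013 Example Packager <packager@example.invalid> - 2.2.17-3.5pgp
- add fixes for CVE-2007-2953 and CVE-2008-2712
- backport patch for cve-2007-6388 (mod_status XSS)
* Mon Dec 03 2012 Example Packager <packager@example.invalid> - 2.2.17-3.4pgp
- rebuild with PGP customizations'

# Print every CVE id found on stdin, upper-cased, one per line, without duplicates.
extract_cves() {
    grep -o -i 'CVE-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]*' | tr 'a-z' 'A-Z' | sort -u
}

# cve_addressed CHANGELOG_TEXT CVE_ID: exit 0 when the changelog records that id.
# The match is case-insensitive and on the whole id, so CVE-2007-295 does not
# count as a hit for CVE-2007-2953 the way a bare "grep -i" would.
cve_addressed() {
    wanted=$(printf '%s' "$2" | tr 'a-z' 'A-Z')
    printf '%s\n' "$1" | extract_cves | grep -q -x -F "$wanted"
}

# triage CHANGELOG_TEXT CVE_ID...: one line per id, "ADDRESSED <id>" or "NOT-FOUND <id>".
# Ids reported as NOT-FOUND are the ones that still need a manual review
# (they may be covered by a different package, or be a scanner false positive).
triage() {
    changelog=$1
    shift
    for id in "$@"; do
        if cve_addressed "$changelog" "$id"; then
            printf 'ADDRESSED %s\n' "$id"
        else
            printf 'NOT-FOUND %s\n' "$id"
        fi
    done
}

# not_found_count CHANGELOG_TEXT CVE_ID...: prints how many ids the changelog does not mention.
not_found_count() {
    triage "$@" | grep -c '^NOT-FOUND ' || true
}

# Stand-alone run against the constructed sample. On a SEMS, replace the sample
# with the real dump, e.g.:  triage "$(cat CVE-List.txt)" CVE-2007-2953 CVE-2004-0230
# For per-package attribution (which package carries the backported fix), the
# per-package form of the same rpm query can be used over read-only SSH:
#   for p in $(rpm -qa); do rpm -q --changelog "$p" | grep -q -i 'CVE-2007-2953' && echo "$p"; done
triage "$SAMPLE_CHANGELOG" CVE-2007-2953 CVE-2007-6388 CVE-2004-0230
```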

If the CVE does not show up in the list, please see below for other information related to the CVE.

CVEs that are not on the list above as having a package fixing the issue, but that have shown up in Vulnerability scans, are listed below with more information:

PGP Key Generation:
All keys generated by Symantec Encryption products are generated using the unmodified output of a NIST SP800-90A approved DRBG.

Description: Symantec Encryption Management Server and Diffie-Hellman Primes
Some Vulnerability scanners may flag Symantec Encryption Management Server as using DH Primes (aka Groups).
Conclusion: If some scanners flag Symantec Encryption Management Server as using DH Primes, this does not mean it is vulnerable to attack.  As stated on the researcher's site, "If you have a web or mail server, you should disable support for export cipher suites and use a 2048-bit Diffie-Hellman group."
Symantec Encryption Management Server already uses a safe 2048-bit Diffie-Hellman prime.  Specifically, Symantec Encryption Management Server uses Group 14 (the 2048-bit MODP group), which the researcher has stated is safe.  As a result, these scanners are displaying false positives.
Etrack: 4181957
Additional References:
https://weakdh.org/


Security Scans show HTTP Security Header Not Detected for Symantec Encryption Management Server
CVE: n/a
Headers mentioned in the Security Scan:
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Conclusion:
These HTTP Security Headers apply to browsers and instruct the browser to behave securely.  Not having these headers does not introduce any vulnerability on the server.  Following browser security best practices and using security products such as Symantec Endpoint Protection can help protect browsers from attack.

The following are the headers typically included in security scans, the status of each, and how it relates to SEMS:
X-Frame-Options
X-XSS-Protection
Status:
SEMS already supports these headers.  Scans citing these headers as missing are false positives and do not actually attempt to exploit any attack mentioned in the scan.

X-Content-Type-Options
Status:
SEMS does not support the header “X-Content-Type-Options: nosniff” as it can cause issues with some browsers. However, Symantec continues to investigate the possibility of including this header in a future release of SEMS.

Content-Security-Policy
Strict-Transport-Security (HSTS HTTP Strict Transport Security)
Status:
These headers help the browser know that HTTPS should be used with a given application.  SEMS 3.4.2 MP1 and older already explicitly force HTTPS for all applicable applications through an alternate, browser-independent method on the server.
SEMS 3.4.2 MP2 now sends the "content-security-policy" and "strict-transport-security" headers.  To avoid this showing up on your scans, update to SEMS 3.4.2 MP2.

Cache-Control
Status: Scans will erroneously state Symantec Encryption Management Server uses no-cache improperly.  SEMS does use the Cache-Control HTTP header when sending confidential information.

Cookie Set Without HTTPOnly Attribute
Description: Vulnerability scanners may report Symantec Encryption Management Server uses cookies without the HTTPOnly attribute set during authentication operations, an attribute setting which may help prevent session hijacking and XSS attacks.
Conclusion: Setting the HTTPOnly attribute for cookies is recommended, *unless* the application needs to access the cookie through a script.  Symantec Encryption Management Server has a need to access the cookie in this way, and as a result, the attribute must not be set.  All necessary precautions are taken in how cookies are used to protect against actual XSS attacks on the server.
Etracks: 3675669, 4163931
Additional References:
https://www.owasp.org/index.php/HttpOnly


*DNS cache poisoning/DNS Redirection
*Host Header Redirection/URL Redirection
*Host Header injection/manipulation

Description: Vulnerability scans may report Symantec Encryption Management Server as prone to the above manipulations.  If these manipulations happen, the SEMS could potentially redirect credentials, DNS lookups, URLs, or other items to external sources.  These reports cite host header methods that may be in place and allow such activities, such as the TRACE method, the OPTIONS method, or others.
Conclusion: Symantec Encryption Management Server uses some options mentioned above; however, all of these types of attacks deal with client exploits, rather than server weaknesses.  This means the attacker would need to take control over the client machine/browser to be able to attempt these attacks.  If a client is compromised, much more serious attacks could be carried out which a server-side setting would not prevent.

As a result, making these changes does not add more security for the end user, because these attacks rely on the client being exploited first.  To fully mitigate these attacks, it is necessary to run endpoint security software, such as Symantec Endpoint Protection, which would protect against clients being compromised. 
Etracks: 3838822, 3984326, 3949226, 4201304, 4202454
Additional References:
https://cwe.mitre.org/data/definitions/406.html
https://cwe.mitre.org/data/definitions/918.html

Are Symantec Encryption Products affected by Meltdown/Spectre (CVE-2017-5753,  CVE-2017-5715, and CVE-2017-5754)?
For more information on Meltdown and Spectre, see article Meltdown and Spectre: Are Encryption Products Affected?.


Symantec Encryption Management Server 3.3/3.4 (SEMS)/Symantec Endpoint Encryption Management Server 11 (SEEMS) and Apache Struts
CVE example:
CVE-2018-11776
Neither Symantec Encryption Management Server nor Symantec Endpoint Encryption Management Server, nor the managed clients (Symantec Encryption Desktop/Symantec Endpoint Encryption), use Apache Struts, so such a report is a false positive.  No security report concerning Apache Struts affects SEMS or SEEMS, as Apache Struts is not used on either of these servers.

Symantec Decomposer Engine Vulnerability Report SYM16-010
The Symantec Encryption product family is not affected by this report.
See the Symantec Security Advisories page for more information on this report.
For Frequently Asked Questions on this topic, see article INFO3807.
For specific questions on which products are affected, see ALERT2047.


LDAP Anonymous Directory Access Permitted to Symantec Encryption Management Server
Description: This sometimes comes up in certain vulnerability scans stating that too much access is provided anonymously.  This is the intended behavior and works this way in order to provide keys for secure data exchange.  Encryption Management Server is used as a keyserver and as such, makes keys available for searches based on anonymous bind.
No other information, and no other part of the server containing user information, is made available except those keys, which are intended to be found and are secure.  This applies to all versions of Symantec Encryption Management Server.


LDAP NULL BASE for Symantec Encryption Management Server keyserver service
Some vulnerability scanners may flag Symantec Encryption Management server as having an “LDAP NULL BASE”.  LDAP NULL BASE is provided to search for public keys on Symantec Encryption Management Server without the need to enter specific information on the keyserver for a successful return of public keys.  This does not, however, provide any further access to the server other than finding public keys.  Many LDAP servers require authentication and may feature non-public information.  The public keyserver on Symantec Encryption Management Server is an LDAP service that requires no authentication and contains only public information so there is no concern in allowing a null base.


Some Scanners report weak ciphers enabled on Symantec Encryption Management Server for SSH
CVE: n/a

Conclusion: Although some scanners flag Symantec Encryption Management Server for weak algorithms on SSH, these alerts are false positives.  Symantec Encryption Management Server already includes the vendor’s fix that detects and negates attacks against weak ciphers.
Update Jan 30, 2019: Although SEMS did not use weak ciphers by default, SEMS 3.4.2 MP2 updated the list of ciphers and will prevent these from being displayed in security scans.
Etrack: 4001689

Description: Some scanners report weak ciphers being enabled on Symantec Encryption Management Server for TLS
CVE: n/a
Conclusion: By default, Symantec Encryption Management Server is explicitly configured to use strong encryption ciphers for TLS, but may fall back to legacy ciphers if a client refuses to use stronger ciphers.
Update Jan 30, 2019: Although SEMS did not use weak ciphers by default, SEMS 3.4.2 MP2 updated the list of ciphers and will prevent these from being displayed in security scans.
Etrack: 4001685

Is SEMS 3.4.1 RFC 5961 compliant?
CVE: n/a
Etrack: 4061079
Conclusion: As per the RHEL Kernel Changelog, SEMS 3.4.1 is fully RFC 5961 compliant.  See the attached changelog for more details, including the resolved CVE-2016-5696 related to this report.
kernel 2.6.32-642.6.1.el6
- [net] tcp: make challenge acks less predictable (Florian Westphal) [1355606 1355607] {CVE-2016-5696}
kernel 2.6.32-564.el6 change log
- [net] conntrack: RFC5961 challenge ACK confuse conntrack LAST-ACK transition (Jesper Brouer) [1200541 1212801]
- [net] tcp: Restore RFC5961-compliant behavior for SYN packets (Jesper Brouer) [1200541 1212801]
kernel 2.6.32-364.el6 change log
- [net] tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation (Weiping Pan) [843126]
- [net] tcp: refine SYN handling in tcp_validate_incoming (Weiping Pan) [843126]
- [net] tcp: implement RFC 5961 4.2 (Weiping Pan) [843126]
- [net] tcp: implement RFC 5961 3.2 (Weiping Pan) [843126]

Is Symantec Encryption Management Server vulnerable to the CWE-203, AKA ROBOT Attack?
Symantec Engineering and Security teams have reviewed this report and have found the SEMS to not be vulnerable. 
Etrack: 4148363
Additional References:
http://www.kb.cert.org/vuls/id/144389
https://robotattack.org/

CVE-1999-0472
Description:
The SNMP default community name "public" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it.
Conclusion: SNMP is disabled by default on Symantec Encryption Management Server, and when a Symantec Encryption Management Server Administrator enables SNMP, it defaults to the public community string.  Nothing in the data provided via SNMP can be used to gain access to the system.
Etrack: 3190697
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0472
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0472

CVE-2002-1378
Description:
Multiple buffer overflows in OpenLDAP2 (OpenLDAP 2) 2.2.0 and earlier allow remote attackers to execute arbitrary code
Conclusion: This has to do with openldap version 2.2.0 and earlier.  Symantec Encryption Management Server uses "openldap-2.3.43-12"; the reason this shows up in scanners is that these bundles are customized with a PGP package, so the scanners do not pick up the version they expect.
To check the version via SSH (read-only), run: rpm -qa | grep openldap
This will show the current version Symantec Encryption Management Server uses.
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1378
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1378

CVE-2002-1379
Description:
OpenLDAP2 (OpenLDAP 2) 2.2.0 and earlier allows remote or local attackers to execute arbitrary code when libldap reads the .ldaprc file within applications
Conclusion: This has to do with openldap version 2.2.0 and earlier.  Symantec Encryption Management Server uses "openldap-2.3.43-12"; the reason this shows up in scanners is that these bundles are customized with a PGP package, so the scanners do not pick up the version they expect.
To check the version via SSH (read-only), run: rpm -qa | grep openldap
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1379   
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1379

CVE-2003-1418
Description:
Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header
Conclusion: Although Symantec Encryption Management Server uses a different version than reported here, this was found to be an issue and has been fixed in Symantec Encryption Management Server 3.3.0 MP3 (Build 9307) and above.
Etrack: 3113829, 2472470, 2473521
Additional References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418

CVE-2004-0230
Description:
TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service
Conclusion: In order to perform a connection reset, an attacker would need to know the source and destination IP addresses and ports, as well as being able to guess a sequence number within the window, which is generally short-lived.  These requirements greatly reduce the ability to trigger this connection RST.  The major BGP peers have recently switched to requiring MD5 signatures, which mitigates this attack.
Given these requirements, the issue does not pose a serious threat to Symantec Encryption Management Server.  Additionally, Red Hat does not have any plans for action on this issue.
Etrack: 3231917, 3228403
Additional References:
http://lwn.net/Articles/81560/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0230
http://www.us-cert.gov/cas/techalerts/TA04-111A.html


CVE-2004-0790
Description: Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack."
Conclusion: This issue was fixed in Red Hat/Fedora Core since Linux kernel 2.6.9.  Symantec Encryption Management Server uses kernel version 2.6.18-371.1.2.el5PAE and is not affected by this report.
Etrack: 3805312
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2004-0790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0790
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0790


CVE-2004-0791
Description: Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets,
Conclusion: This issue was fixed in Red Hat/Fedora Core since Linux kernel 2.6.9.  Symantec Encryption Management Server uses kernel version 2.6.18-371.1.2.el5PAE and is not affected by this report.
Etrack: 3805312
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2004-0791 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0791
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0791


CVE-2004-1060
Description: Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP
Conclusion: This issue was fixed in Red Hat/Fedora Core since Linux kernel 2.6.9.  Symantec Encryption Management Server uses kernel version 2.6.18-371.1.2.el5PAE and is not affected by this report.
Etrack: 3805312
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2004-1060
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1060
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1060


CVE-2006-4110
Description:
Apache 2.2.2, when running on Windows, allows remote attackers to read source code of CGI programs via a request that contains uppercase (or alternate case) characters
Conclusion: This has to do with Apache 2.2.2 on Windows.  Symantec Encryption Management Server uses httpd-2.2.17-3.5 on Linux, so this issue does not apply to Symantec Encryption Management Server.
To confirm this on a Symantec Encryption Management Server, run:
rpm -qa | grep httpd
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4110
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4110

CVE-2006-4145
Description:
The Universal Disk Format (UDF) filesystem driver in Linux kernel 2.6.17 and earlier allows local users to cause a denial of service (hang and crash) via certain operations involving truncated files, as demonstrated via the dd command.
Conclusion: The CVE notes this was already fixed in 2.6.18 and did not affect Red Hat Enterprise Linux 5.  Symantec Encryption Management Server has 2.6.18, so it was not vulnerable.  Run 'uname -r' via SSH to confirm the kernel version on Symantec Encryption Management Server.  Furthermore, the changelog states this has been fixed since at least 3.3.0.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2006-4145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4145
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4145

CVE-2007-1741
Description:
Multiple race conditions in suexec in Apache HTTP Server (httpd) 2.2.3 between directory and file validation.
Conclusion: This does not affect Symantec Encryption Management Server as it requires local user access, which is not granted by the Symantec Encryption Management Server hardened OS. 
Etrack: 2941502
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1741
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1741

CVE-2007-1742
Description:
suexec in Apache HTTP Server (httpd) 2.2.3 uses a partial comparison for verifying whether the current directory is within the document root, which might allow local users to perform unauthorized operations on incorrect directories, as demonstrated using "html_backup" and "htmleditor" under an "html" directory. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root."
Conclusion: Symantec Encryption Management Server does not configure local users by default, and must be configured manually by a Super User Administrator in order to have access.  No external access to the operating system is provided to users in this way.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-1742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1742
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1742

CVE-2007-1743
Description:
Suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command line
Conclusion: Similar to CVE-2007-1741, Symantec Encryption Management Server is not affected by this as it requires local user access, which is not granted by Symantec Encryption Management Server.
Etrack: 2941502
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1743
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1743

CVE-2007-6203
Description:
Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message
Conclusion: Symantec Encryption Management Server is not affected by this, as the attack relies on victims supplying an arbitrary malformed HTTP method to the target site.  This is not possible on Symantec Encryption Management Server.  Previous packages have been improved and do not allow this to be exploited.
Etrack: 2941502
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6203
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6203

CVE-2007-6388
Description:
Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39
Conclusion: Symantec Encryption Management Server is not susceptible to this vulnerability and has been patched since version 3.0.  This has been resolved in httpd-2.2.3-11.el5_1.3.i386.rpm and mod_ssl-2.2.3-11.el5_1.3.i386.rpm.
Symantec Encryption Management Server 3.3.0 runs httpd-2.2.17-3.5pgp and contains the fix for this.
Etrack: 2472471
Additional References:
https://rhn.redhat.com/errata/RHSA-2008-0008.html#Red
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6388

CVE-2007-6420
Description:
Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x
Conclusion: Red Hat does not plan on correcting this issue as it poses a very low security risk.  The balancer manager is not enabled by default and the user targeted by the CSRF would need to be authenticated.  The consequences of an exploit would be limited to a web server denial of service.
Etrack: 2941502
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6420

CVE-2007-6750
Description:
The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests.
Conclusion: This has been resolved in 3.3.1 MP1 (Build 13266) and above.   If updating to this version is not possible, contact support for a workaround that can be applied via SSH.  Reference this article when contacting support.
Etrack: 3310403
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6750

CVE-2008-0005
Description:
mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset
Conclusion: Symantec Encryption Management Server is not susceptible to this vulnerability and has been patched since version 3.0.
This has been resolved in httpd-2.2.3-11.el5_1.3.i386.rpm and mod_ssl-2.2.3-11.el5_1.3.i386.rpm (Red Hat Enterprise Linux v. 5 server)
Symantec Encryption Management Server 3.3.0 runs httpd-2.2.17-3.5pgp and contains the fix for this.
Etrack: 2472471
Additional References:
https://rhn.redhat.com/errata/RHSA-2008-0008.html#Red
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0005

CVE-2008-2168
Description:
Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page.
Conclusion: Apache 2.2.6 appears to be vulnerable; however, Symantec Encryption Management Server 3.3.2 uses httpd version 2.2.17 and Apache Tomcat 7.0.27, which do not appear to be affected according to the description.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2168
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2168

CVE-2008-2364
Description:
The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses
Conclusion: Symantec Encryption Management Server is not susceptible to this vulnerability and has been patched since version 3.0.  This issue has been resolved in httpd-2.2.3-11.el5_2.4.i386.rpm and mod_ssl-2.2.3-11.el5_2.4.i386.rpm.
Symantec Encryption Management Server 3.3.0 runs httpd-2.2.17-3.5pgp and contains the fix for this.
Etrack: 2472473
Additional References:
https://rhn.redhat.com/errata/RHSA-2008-0967.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2364

CVE-2009-1191
Description:
mod_proxy_ajp in Apache httpd 2.2.11 allows remote attackers to obtain sensitive information via an arbitrary request from a HTTP client, in opportunistic circumstances involving a request from a different client that included a Content-Length header but no POST data.
Conclusion: Symantec Encryption Management Server uses httpd version 2.2.17 and Apache Tomcat 7.0.27, so it is not affected by this CVE.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1191
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1191

CVE-2009-3720
Description:
The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.
Conclusion:  This has been addressed since Symantec Encryption Management Server 3.3.0.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3720

CVE-2009-5138
Description: GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled
Conclusion: Symantec Encryption Management Server does not use GnuTLS for any of its secure transactions.  OpenSSL is used instead and is not vulnerable to this report.  Furthermore, starting with Symantec Encryption Management Server 3.3.2 MP3, GnuTLS is no longer included as a package.
Etrack: 3453811
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-5138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5138
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-5138

CVE-2010-0425
Description:
Modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows
Conclusion: Only applies to Windows.  Symantec Encryption Management Server runs on Linux using CentOS.
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0425
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0425

CVE-2010-5298
Description:
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
Conclusion: Does not apply to the version of OpenSSL included with Symantec Encryption Management Server, which is therefore not vulnerable.  Symantec Encryption Management Server 3.3.2 MP1 and previous use version 0.9.8e-26-el5_9.1.  Symantec Encryption Management Server 3.3.2 MP2 and above use OpenSSL 0.9.8e-27.el_10.3.
Etrack: 3544560
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-5298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
https://access.redhat.com/security/cve/CVE-2010-5298

CVE-2011-1958
Description:
Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows user-assisted remote attackers to cause a denial of service
Wireshark (64bit): NULL pointer dereference by processing of a corrupted Diameter dictionary file
Affects Wireshark packages shipped with RHEL 5.  The CVE site states Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 are affected.

Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4 so none of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1958
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1958


CVE-2011-0411
Description: postfix: SMTP commands injection during plaintext to TLS session switch
Conclusion: This was fixed in SEMS 3.3.1 and documented in the changelog.
Etrack: 2476393
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0411
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0411
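The buffering flaw shared by CVE-2011-0411 and the similar STARTTLS reports that follow (CVE-2011-1430, CVE-2011-1431, CVE-2011-1432, CVE-2011-1506 and CVE-2011-2165), modelled as an added example that is not code from this article or from Postfix: a toy SMTP server in a flawed and a fixed variant, and the pipelined probe used to tell them apart.  Host names and reply strings are made up; no network connection is made.

```python
"""Model of STARTTLS plaintext command injection (the CVE-2011-0411 class).

Added example, not code from the Symantec article or from Postfix. It
models the server-side input buffering that causes the flaw, the remedy,
and the standard pipelined probe that tells the two apart. All SMTP
traffic here is constructed; no network is used.
"""


class SmtpServerModel:
    """Minimal SMTP server: line-buffered input and a STARTTLS state switch.

    With discard_on_starttls=False the flaw is reproduced: plaintext the
    client pipelined behind the STARTTLS line is still in the input buffer
    after the handshake and is executed as though it arrived over TLS.
    With True, the buffered plaintext is thrown away when TLS starts, which
    is the remedy for this class of flaw.
    """

    def __init__(self, discard_on_starttls):
        self.discard_on_starttls = discard_on_starttls
        self.buf = b""
        self.tls = False
        self.log = []  # (command, phase) for every command executed

    def _reply(self, command):
        phase = "tls" if self.tls else "plain"
        self.log.append((command, phase))
        if command == "STARTTLS":
            return b"220 2.0.0 Ready to start TLS\r\n"
        if command in ("NOOP", "RSET"):
            return b"250 2.0.0 Ok\r\n"
        if command.startswith("EHLO"):
            return b"250-mail.example.test\r\n250 STARTTLS\r\n"
        return b"500 5.5.2 Error: command not recognized\r\n"

    def feed(self, data):
        """Deliver one TCP read worth of client bytes; return the replies."""
        self.buf += data
        out = b""
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            command = line.decode("ascii", "replace").strip().upper()
            out += self._reply(command)
            if command == "STARTTLS":
                # A real server sends the 220 and then runs the TLS handshake
                # before reading again, so stop processing lines here.
                self.tls = True
                if self.discard_on_starttls:
                    self.buf = b""  # remedy: drop anything read in the clear
                break
        return out

    def handshake_done(self):
        """After the TLS handshake the server resumes reading; on the flawed
        server that means executing whatever plaintext is still buffered."""
        return self.feed(b"")


def probe_plaintext_injection(server):
    """The usual check for this CVE class, run against a server object.

    The client pipelines a command behind STARTTLS in one segment and then
    sends nothing over TLS. A server that answers that command inside the
    TLS session executed attacker-controlled plaintext as if TLS had
    protected it; a correct server stays silent.
    """
    server.feed(b"EHLO probe.example.test\r\n")
    server.feed(b"STARTTLS\r\nNOOP\r\n")  # STARTTLS and NOOP in one segment
    after_handshake = server.handshake_done()
    ran_inside_tls = any(c == "NOOP" and p == "tls" for c, p in server.log)
    return ran_inside_tls and after_handshake.startswith(b"250")


if __name__ == "__main__":
    for label, discard in (("flawed server", False), ("fixed server", True)):
        hit = probe_plaintext_injection(SmtpServerModel(discard))
        print(label, "->", "vulnerable" if hit else "not vulnerable")
```

Against a real host the same probe is sent over a socket: write `STARTTLS\r\nNOOP\r\n` in a single send, complete the TLS handshake, then read with a timeout without sending anything encrypted.  Any `250` reply at that point means plaintext was executed inside the TLS session.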
 
 
CVE-2011-1430
Description: The STARTTLS implementation in the server in Ipswitch IMail 11.03 and earlier does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Conclusion: SEMS does not use Ipswitch IMail for any STARTTLS session and as a result, this report does not apply to SEMS.
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1430
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1430
 
CVE-2011-1431
Description: The STARTTLS implementation in qmail-smtpd.c in qmail-smtpd in the netqmail-1.06-tls patch for netqmail 1.06 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Conclusion: SEMS does not use qmail-smtpd for any STARTTLS session and as a result, this report does not apply to SEMS.
Etrack: n/a
Additional References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1431
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1431
 
CVE-2011-1432
Description: The STARTTLS implementation in SCO SCOoffice Server does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Conclusion: SEMS does not use SCOoffice for any STARTTLS session and as a result, this report does not apply to SEMS.
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1432
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1432
 
CVE-2011-1506
Description: The STARTTLS implementation in Kerio Connect 7.1.4 build 2985 and MailServer 6.x does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411. NOTE: some of these details are obtained from third party information.
Conclusion: SEMS does not use Kerio for any STARTTLS session and as a result, this report does not apply to SEMS.
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1506
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1506

CVE-2011-1959
Description:
The snoop_read function in wiretap/snoop.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 does not properly handle certain virtualizable buffers.
Wireshark: stack-based buffer over-read from tvbuff buffer when reading snoop capture files.
Affects the Wireshark packages shipped with RHEL 5.  The CVE entry lists Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 as affected.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1959
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1959

CVE-2011-2165
Description: The STARTTLS implementation in WatchGuard XCS 9.0 and 9.1 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Conclusion: SEMS does not use WatchGuard for any STARTTLS session and as a result, this report does not apply to SEMS.
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2165
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2165

CVE-2011-2175
Description:
Wireshark: heap-based buffer over-read in the Visual Networks capture file reader.
Integer underflow in the visual_read function in wiretap/visual.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a malformed Visual Networks file that triggers a heap-based buffer over-read.
Affects the Wireshark packages shipped with RHEL 5.  The CVE entry lists Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 as affected.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2175
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2175

 

CVE-2011-2698
Description:
Wireshark: infinite loop in the ANSI A Interface (IS-634/IOS) dissector.  Affects the Wireshark packages shipped with RHEL 5.  The CVE entry lists Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 as affected.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2698
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2698
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2698


CVE-2011-3389
Description:
HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
Conclusion: Symantec Encryption Management Server 3.4 uses TLS 1.2 and is not affected by this report.  If updating to Symantec Encryption Management Server 3.4 is not immediately possible: BEAST requires the victim's browser to run attacker-supplied script that sends chosen plaintext over the TLS 1.0 CBC connection, so that the attacker knows the exact bytes and the location of those bytes *before* the client sends them to the server.  Symantec Encryption Management Server does not use any external content by default, so these attacks are not feasible against users connecting to it; due to the Symantec Encryption Management Server architecture there is no way to put a client in that position unless custom content introduces it.  Customers should take extra precaution when customizing the UI or templates to ensure external JavaScript is not used.  Although audits flag BEAST, CRIME, and POODLE, exploiting these vulnerabilities against the server is not possible by default.
Etrack: 3049666
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389


CVE-2011-4102
Description:
Wireshark: buffer overflow in the ERF file reader.  A buffer overflow flaw was found in the way that Wireshark 1.4.0 through 1.4.9 and 1.6.0 through 1.6.2 read ERF capture files.  Affects the Wireshark packages shipped with RHEL 5.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4102
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4102

 

CVE-2011-4317
Description:
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches
Conclusion: Not affected as per analysis by Red Hat.  See reference https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4317
Etrack: 2941502
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4317

 

CVE-2011-4415
Description:
The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service.
Conclusion: This requires local (command-line) access to Symantec Encryption Management Server, which is locked down and not allowed by default; there are no reported methods of exploiting it without local access.  In Red Hat's words, "the attacker needs to be able to place a crafted .htaccess file on the server", which Symantec Encryption Management Server does not permit to anyone unless local access has been granted, and that can only be done by a Symantec Encryption Management Server Superuser administrator.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4415
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4415

 

CVE-2011-4577
Description:
openssl: malformed RFC 3779 data can cause assertion failures
Conclusion: The spec file used to build the openssl package does not pass the 'enable-rfc3779' option to OpenSSL's Configure, so the RFC 3779 code is not compiled in and Symantec Encryption Management Server is not vulnerable to this issue.
Etrack: 3229635
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4577
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4577

 

CVE-2012-0027
Description:
Openssl: invalid GOST parameters DoS attack
Conclusion: Symantec Encryption Management Server does not use GOST parameters (the GOST engine is not available), and is therefore not vulnerable to this.
To confirm on Symantec Encryption Management Server, run the following via SSH access:
openssl engine gost -t -c -vvvv
The command should report that the GOST engine is not available.
Etrack: 3229635
Additional References:
http://www.openssl.org/news/secadv_20120104.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0027
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0027
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0027

 

CVE-2012-0041
Description:

Wireshark: multiple file parser vulnerabilities (wnpa-sec-2012-01)
The dissect_packet function in epan/packet.c in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) via a long packet in a capture file, as demonstrated by an airopeek file.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0041
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0041

 

CVE-2012-0042
Description:
Wireshark: NULL pointer vulnerabilities (wnpa-sec-2012-02).  Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 does not properly perform certain string conversions.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0042
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0042

 

CVE-2012-0066
Description:
Wireshark: DoS via large buffer allocation request.  Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) via a long packet.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0066
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0066

 

CVE-2012-0067
Description:
Wireshark: DoS due to integer overflow in the IPTrace capture format parser.  wiretap/iptrace.c in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0067
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0067

 

CVE-2012-0883
Description:
httpd: envvars places a zero-length directory name in LD_LIBRARY_PATH, which allows local users to gain privileges via a Trojan horse DSO in the current working directory when apachectl is run.
Red Hat Enterprise Linux and Fedora httpd packages are unaffected because the httpd-*-apctl.patch is applied, which removes support for reading the envvars file where this flaw originates.
Conclusion: Symantec Encryption Management Server is built from these packages and, in addition, the flaw requires local user access, which Symantec Encryption Management Server does not grant, so it is not affected.
Etrack: 2941502
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0883

 

CVE-2012-2141
Description:
Net-snmp: array index error leading to an out-of-bounds heap buffer read (snmpd crash).
Array index error in the handle_nsExtendOutput2Table function in agent/mibgroup/agent/extend.c in Net-SNMP 5.7.1 allows remote authenticated users to cause a denial of service (out-of-bounds read and snmpd crash) via an SNMP GET request for an entry not in the extension table.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses net-snmp-5.3.2.2-17.1pgp so it is not vulnerable against this report.
Etrack: 3200333
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2141
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2141
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2141

 

CVE-2012-2131
Description:
openssl: incomplete fix of CVE-2012-2110 for 0.9.x
As per Redhat:

"As there were no Red Hat Enterprise Linux or Fedora updates released with an incomplete fix, they are not affected by this CVE.
Statement: Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5 and 6, as there were no updates released with an incomplete CVE-2012-2110 fix."
Conclusion: Symantec Encryption Management Server runs CentOS 5, and is therefore unaffected by this.
Etrack: 3229635
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2131
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2131

 

CVE-2012-2687
Description:
Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.

Conclusion: The Apache httpd package in Symantec Encryption Management Server 3.3.0.9060 (MP1) is 2.2.3-65, a Red Hat-maintained build whose security fixes are backported, so the upstream version ranges quoted in scanner reports do not map directly onto it.  Independently of the version, Symantec Encryption Management Server does not load mod_negotiation, so the make_variant_list code path this CVE describes is never reachable.  Symantec Encryption Management Server is therefore not vulnerable to this CVE.
Etrack: 3212905
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2687

 

CVE-2012-3417
Description:
Quota: incorrect use of tcp_wrappers
The good_client function in rquotad (rquota_svc.c) in Linux DiskQuota (aka quota) before 3.17 invokes the hosts_ctl function the first time without a host name, which might allow remote attackers to bypass TCP Wrappers rules in hosts.deny.
Conclusion: Symantec Encryption Management Server is not vulnerable to this.  It does not run inetd or the quota services (rquotad), and there are no TCP Wrappers rules in its hosts.allow or hosts.deny files for this flaw to bypass.  Symantec Encryption Management Server also firewalls inbound traffic so that only its own published services are reachable, so even an applicable service could not be accessed from the network.
Etrack: 3190743
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3417
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3417

 

CVE-2012-3499
Description: 
Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.

Conclusion: The vulnerability scanners flag this CVE based on the httpd version; the version Symantec Encryption Management Server 3.3.0 actually uses is 2.2.3-65.  The affected modules are:

mod_imagemap
mod_info
mod_ldap
mod_proxy_ftp
mod_status

Of the modules specified in this CVE, the only one Symantec Encryption Management Server loads is mod_status, and it does not expose the status handler, so no information can be returned and no script can be injected as the CVE describes.  The following confirms that Symantec Encryption Management Server is indeed not affected:

1) Request http://<url>/server-status from another machine.
2) Run 'wget http://localhost/server-status' directly on the server itself.

Neither request returns status output; running 'wget http://localhost/server-status' directly on the server itself results in a failed connection.

Any issues reported with mod_status have also been patched in 3.3.0 MP3 (Build 9307) and above.
Etrack: 3142514
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3499

 

CVE-2012-4285
Description:
Wireshark: crash due to zero division in DCP ETSI dissector (wnpa-sec-2012-13).
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4285
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4285

 

CVE-2012-4290
Description:
Wireshark DoS via excessive CPU consumption in CTDB dissector (wnpa-sec-2012-23).  The CTDB dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4290
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4290
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4290

 

CVE-2012-4291
Description:
Wireshark: DoS via excessive system resource consumption in CIP dissector (wnpa-sec-2012-20)
The CIP dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4291
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4291

 


CVE-2012-4558
Description:
Httpd: XSS flaw in mod_proxy_balancer manager interface
Conclusion: The Apache httpd package in Symantec Encryption Management Server 3.3.0.9060 (MP1) is 2.2.3-65, a Red Hat-maintained build whose security fixes are backported, so the upstream version ranges quoted in scanner reports do not map directly onto it.  Independently of the version, Symantec Encryption Management Server does not load mod_proxy_balancer, so the balancer-manager interface this CVE describes is never reachable.  Symantec Encryption Management Server is therefore not vulnerable to this CVE.
Etrack: 3212905
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4558
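This conclusion and the one for CVE-2012-2687 rest on two checks: whether a fix was backported into a package whose version string never changes, and whether the affected httpd module is loaded at all.  The following added example, not code from this article, turns both into a small triage script.  It consumes text in the format of the `rpm -qa --changelog` command given at the top of this article and of `httpd -M`, and classifies scanner findings.  The changelog and module listings embedded in it are constructed samples with placeholder packager and release values, and the CVE-to-module table is taken from the CVE descriptions quoted in this article.

```python
"""Triage scanner findings on a host whose packages carry backported fixes.

Added example, not from the Symantec article. It reads text in the format
produced by `rpm -qa --changelog` and by `httpd -M`, and decides per CVE
whether a version-matching scanner hit is covered. The sample inputs below
are constructed: packager names, dates and release tags are placeholders,
not real package data.
"""
import re
import sys

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

# Constructed fragment in `rpm -qa --changelog` format.
SAMPLE_CHANGELOG = """\
* Mon Jan 07 2013 Example Packager <packager@example.test> - 2.2.3-0.constructed
- backport fix for CVE-2012-3499 (XSS via mod_status/mod_info)
- backport fix for CVE-2012-4558 (XSS in mod_proxy_balancer manager)
* Fri Jan 06 2012 Example Packager <packager@example.test> - 0.9.8e-0.constructed
- backport fix for CVE-2012-0027 (invalid GOST parameters DoS)
"""

# Constructed fragment in `httpd -M` format.
SAMPLE_HTTPD_M = """\
Loaded Modules:
 core_module (static)
 mpm_prefork_module (static)
 ssl_module (shared)
 status_module (shared)
 rewrite_module (shared)
Syntax OK
"""

# Apache module each finding is confined to, from the CVE descriptions
# quoted in this article; a CVE absent here gets no module-based verdict.
MODULE_FOR_CVE = {
    "CVE-2012-2687": "mod_negotiation",
    "CVE-2012-4558": "mod_proxy_balancer",
    "CVE-2013-1896": "mod_dav",
    "CVE-2013-4365": "mod_fcgid",
}


def cves_in_changelog(changelog_text):
    """Every CVE identifier named in rpm changelog text."""
    return set(CVE_RE.findall(changelog_text))


def loaded_modules(httpd_m_text):
    """Parse `httpd -M` output into mod_<name> identifiers."""
    mods = set()
    for line in httpd_m_text.splitlines():
        m = re.match(r"\s*(\w+)_module\s+\((?:static|shared)\)", line)
        if m:
            mods.add("mod_" + m.group(1))
    return mods


def triage(findings, changelog_text, httpd_m_text):
    """Map each scanner-reported CVE id to a verdict string.

    A CVE named in the changelog is fixed whatever version string the
    scanner matched on; a CVE confined to a module that is not loaded is
    unreachable; everything else needs a human look.
    """
    fixed = cves_in_changelog(changelog_text)
    mods = loaded_modules(httpd_m_text)
    verdicts = {}
    for cve in findings:
        if cve in fixed:
            verdicts[cve] = "fixed: backported (named in rpm changelog)"
        elif cve in MODULE_FOR_CVE and MODULE_FOR_CVE[cve] not in mods:
            verdicts[cve] = "not reachable: %s not loaded" % MODULE_FOR_CVE[cve]
        else:
            verdicts[cve] = "needs review"
    return verdicts


if __name__ == "__main__":
    # Usage: python3 triage.py changelog.txt httpd-M.txt CVE-... CVE-...
    # With no arguments the constructed samples above are used.
    if len(sys.argv) >= 4:
        changelog = open(sys.argv[1]).read()
        httpd_m = open(sys.argv[2]).read()
        findings = sys.argv[3:]
    else:
        changelog, httpd_m = SAMPLE_CHANGELOG, SAMPLE_HTTPD_M
        findings = ["CVE-2012-3499", "CVE-2012-2687",
                    "CVE-2012-4558", "CVE-2011-3389"]
    for cve, verdict in sorted(triage(findings, changelog, httpd_m).items()):
        print(cve, "-", verdict)
```

On a real appliance, save the output of `rpm -qa --changelog` and of `httpd -M` (run via SSH) to files and pass the scanner's CVE ids on the command line.  A CVE named in the changelog means the fix is in the installed build; the module table is only as good as the descriptions behind it, so "needs review" is the honest default for anything it does not know.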

 

CVE-2012-4929
Description:
SSL/TLS CRIME attack against HTTPS
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data.
Conclusion: This issue is resolved in Symantec Encryption Management Server 3.3.1.13100 and above.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929


See KB TECH199034 for specific details on CRIME and Symantec Encryption Management Server.

 

CVE-2012-5568
Description:
tomcat: Slowloris denial of service.
Conclusion: This has been resolved in 3.3.1 MP1 (Build 13266) and above.   If updating to this version is not possible, contact support for a workaround that can be applied via SSH.  Reference this article when contacting support.
Etrack: 3299196, 3310403
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5568

 

CVE-2012-5669
Description:
Freetype: heap buffer over-read in BDF parsing _bdf_parse_glyphs() (#37906).
The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash)
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses freetype-2.2.1-28.el5_7.2, however Symantec Encryption Management Server does not allow users to upload font files so it is not affected by this vulnerability.
Etrack: 3190748
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5669
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5669

 

CVE-2013-1619
Description:
Gnutls: TLS CBC padding timing attack (lucky-13)
Conclusion: This issue has been resolved in 3.3.1 GA (Build 13100) and above.  Starting with Symantec Encryption Management Server 3.3.2 MP3, GnuTLS is no longer included as a package.
Etrack: 3190753
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1619
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1619

 

CVE-2013-1896
Description:
Mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI.
Conclusion: This issue does not apply to Symantec Encryption Management Server because the server does not load mod_dav, which is required for the flaw to be reachable.
Etrack: 3275148
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1896

CVE-2013-2071
Description: tomcat: Information disclosure in asynchronous context when using AsyncListeners that threw RuntimeExceptions
Conclusion: SEMS 3.3.2 MP13 and above use updated versions and are not affected by this report.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2071
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2071


CVE-2013-2187
Description: Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.
Conclusion: This report concerns Apache Archiva, which is not a component of Symantec Encryption Management Server, so it does not apply.  There is no Red Hat Bugzilla entry for this CVE because Red Hat ships no affected package, which further confirms that it is not applicable.
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2187
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2187


CVE-2013-2566
Description: The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks.
Conclusion: This concern was reviewed by Symantec Development.  Starting with Symantec Encryption Management Server 3.3.2 MP11, the RC4 cipher has been removed.
On earlier releases RC4 is not easily exploited.  The published plaintext-recovery attacks exploit small statistical biases in the early bytes of the RC4 keystream; they need on the order of 2^30 (about a billion) TLS sessions that each encrypt the same secret, such as a session cookie, at the same position, and even then recover only a few bytes of it.  This is a collection effort against one specific secret repeated across sessions, not a search for an occasional weak key.

BEAST, CRIME, and POODLE require the browser to run the attacker's JavaScript so that the attacker knows what the content is before it gets encrypted by the browser.  Symantec Encryption Management Server does not use any external content by default, so these attacks are not feasible against users connecting to the Symantec Encryption Management Server.  These attacks require an attacker to know the exact bytes and location of those bytes *before* the client sends them to the server.  Due to the Symantec Encryption Management Server architecture, there is no possibility of putting a client in a compromising position unless introduced by custom content.  Customers should take extra precaution when customizing the UI or templates to ensure external JavaScript is not used.  Although audits flag BEAST, CRIME, and POODLE, exploiting these vulnerabilities against the server is not possible by default.
Etrack: 3362451
Additional References:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566
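To make the "many sessions" requirement concrete, here is an added example (not code from this article) that measures the single-byte bias behind this CVE directly: a textbook RC4 implementation and a sampler showing that the second keystream byte is 0 about twice as often as an ideal cipher would allow.  The key length and sample size are arbitrary choices made for this example.

```python
"""RC4 keystream bias behind CVE-2013-2566, measured empirically.

Added example, not code from the Symantec article. It implements textbook
RC4 and samples the second keystream byte (Z2) over many random keys:
Mantin and Shamir showed Z2 is 0 with probability about 1/128 rather than
1/256. The TLS plaintext-recovery attacks in this CVE aggregate biases of
this kind over many sessions that encrypt the same secret at the same
position, which is why a single session leaks nothing usable.
"""
import random


def rc4_keystream(key, nbytes):
    """First nbytes of RC4 keystream for key (key scheduling, then PRGA)."""
    s = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % klen]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(nbytes):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def zero_rates(num_keys=30000, positions=4, key_len=16, seed=2013):
    """Fraction of random keys whose keystream byte k is 0, for k < positions.

    An ideal stream cipher would give 1/256 at every position; RC4 gives
    about 1/128 at index 1 (the second byte, Z2). `seed` makes the sample
    reproducible; keys are random 128-bit values, like TLS session keys.
    """
    rng = random.Random(seed)
    zeros = [0] * positions
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(key_len))
        ks = rc4_keystream(key, positions)
        for k in range(positions):
            if ks[k] == 0:
                zeros[k] += 1
    return [z / num_keys for z in zeros]


if __name__ == "__main__":
    ideal = 1 / 256
    for k, rate in enumerate(zero_rates()):
        print("P(Z%d = 0) = %.5f  (%.2f x ideal)" % (k + 1, rate, rate / ideal))
```

Because the keystream byte at a given position favours particular values regardless of the key, an attacker who sees the same plaintext byte encrypted at that position in enough sessions can vote on its value.  That is the per-target collection effort described above, and the reason removing RC4 from the cipher list is the only complete fix.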

 

CVE-2013-2929
Description: GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled, treats version 1 X.509 certificates as intermediate CAs
Conclusion: Symantec Encryption Management Server does not use GnuTLS for any of its secure transactions.  OpenSSL is used instead and is not vulnerable to this report.  Furthermore, starting with Symantec Encryption Management Server 3.3.2 MP3, GnuTLS is no longer included as a package.
Etrack: 3453811
Additional References:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2929
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2929

CVE-2013-4286
Description: tomcat: multiple content-length header poisoning flaws
Conclusion: SEMS 3.4.0 and above contain a fix for this.
Etrack: 3506632
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4286


CVE-2013-4322, CVE-2013-4590, CVE-2014-0050
Description:
apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream (CVE-2014-0050); tomcat: incomplete fix for the chunked transfer-encoding denial of service CVE-2012-3544 (CVE-2013-4322); tomcat: information disclosure via XML external entity (XXE) processing of an untrusted web application's XML files (CVE-2013-4590).
Conclusion: These reports are fixed in SEMS 3.4.0 and above.
Etrack: 3618432
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4322
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4590
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0050

CVE-2013-4365
Description: mod_fcgid: heap overflow
Conclusion: SEMS does not use mod_fcgid and is not vulnerable to this report.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4365
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4365

CVE-2013-4483
Description:
The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service.
Conclusion: Symantec Encryption Management Server does not enable local (shell) users by default; the only way to obtain local access is for an administrator to enable SSH access, so external users cannot reach this part of the OS and the issue is not applicable.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4483
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4483

CVE-2013-5704
Description: httpd: bypass of mod_headers rules via chunked requests
Conclusion: SEMS 3.4 and above include a fix for this.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5704

CVE-2013-4554
Description:
Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges
Conclusion: This applies only to the Xen kernel.  Symantec Encryption Management Server does not run the Xen kernel and does not run guest operating systems.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4554
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4554
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4554

 

CVE-2013-6381
Description:
Buffer overflow in the qeth_snmp_command function in drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service
Conclusion: Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is created for the administrator via SSH; therefore, this is not applicable.  External users do not have access to this part of the OS.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6381
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6381
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6381

 

CVE-2013-6383
Description:
The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.
Conclusion: Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is created for the administrator via SSH; therefore, this is not applicable.  External users do not have access to this part of the OS.  Furthermore, Symantec maintains a hardware compatibility list, and QA tests each hardware configuration listed in the Release Notes of each major version specifically on that hardware.  Many customers choose to install in VMware, which would make this non-applicable.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6383
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6383

CVE-2013-6450, CVE-2013-6449, CVE-2013-4353
Description: openssl: crash in DTLS renegotiation after packet loss
Conclusion: Symantec Encryption Management Server does not use the affected version of openssl in this report and is not affected.
Etrack: 3482319
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6450
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6449
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4353

CVE-2013-6885
Description:
The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service
Conclusion: Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is created for the administrator via SSH; therefore, this is not applicable.  External users do not have access to this part of the OS.  Furthermore, Symantec maintains a hardware compatibility list, and QA tests each hardware configuration listed in the Release Notes of each major version specifically on that hardware.  Many customers choose to install in VMware, which would make this non-applicable.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6885
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6885

 

CVE-2013-7263
Description:
The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c
Conclusion: Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is created for the administrator via SSH; therefore, this is not applicable.  External users do not have access to this part of the OS.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7263
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7263

 

CVE-2013-7265
Description:
The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory
Conclusion: Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is created for the administrator via SSH; therefore, this is not applicable.  External users do not have access to this part of the OS.  No third-party applications are allowed on the Symantec Encryption Management Server without the written consent of Symantec.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7265
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7265

 

CVE-2014-0076
Description:
The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
Conclusion: Symantec Encryption Management Server does not use the Elliptic Curve ciphers, and furthermore, exploiting this vulnerability requires local access, which is not provided by default.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0076

 

CVE-2014-0092
Description: Lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers
Conclusion: Symantec Encryption Management Server does not use GnuTLS for any of its secure transactions.  OpenSSL is used instead and is not vulnerable to this report.  Furthermore, starting with Symantec Encryption Management Server 3.3.2 MP3, GnuTLS is no longer included as a package.
Etrack: 3453811
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0092

CVE-2014-0095
Description: Apache Tomcat 8: Denial of service via AJP requests with content length zero
Conclusion: SEMS 3.4 and above now use newer packages of tomcat than offered by RHEL.  SEMS 3.4 and above are not vulnerable to this report.
Etrack: 4059949
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0095
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0095

CVE-2014-1643
Description:
Symantec Encryption Management Server Web Email Protection View User’s Email
Conclusion: For more information on this vulnerability, please review Additional References below:
Etrack: 3234187, 3234179, 3234172
Additional References:
See this (http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2014&suid=20140205_00) article for information on this security advisory.
For the Symantec Alert of this advisory, see AL1532 (http://www.symantec.com/docs/AL1532).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1643
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1643

 

CVE-2014-0160
Description:
openssl: information disclosure in handling of TLS heartbeat extension packets
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug
Conclusion: Symantec Encryption Management Server, as well as other Symantec Encryption products, is not vulnerable to this report.  Symantec Encryption Management Server uses OpenSSL 0.9.8, which is unaffected.

Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
Etrack: 3483355

Additional References:
http://www.symantec.com/docs/TECH216516
http://www.symantec.com/docs/TECH216640
http://www.symantec.com/docs/TECH216642
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160

CVE-2014-0195
Description:
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS
Conclusion: Datagram Transport Layer Security (DTLS) provides SSL over UDP.  Symantec Encryption Management Server does not use any DTLS services and is not vulnerable.  Symantec Encryption Management Server only offers SSL over TCP.
Etrack: 3529313
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0195

 

CVE-2014-0198
Description:
The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.
Conclusion: This does not apply to the version of OpenSSL included with Symantec Encryption Management Server, which is therefore not vulnerable.  Symantec Encryption Management Server 3.3.2 MP1 and earlier use version 0.9.8e-26-el5_9.1.  Symantec Encryption Management Server 3.3.2 MP2 and above use OpenSSL 0.9.8e-27.el_10.3.
Etrack: 3544560
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198
https://access.redhat.com/security/cve/CVE-2014-0198

 

CVE-2014-0221
Description:
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
Conclusion: Datagram Transport Layer Security (DTLS) provides SSL over UDP.  Symantec Encryption Management Server does not use any DTLS services and is not vulnerable.  Symantec Encryption Management Server only offers SSL over TCP.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3529313, 3529315, 3740101, and 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0221

 

CVE-2014-0224
Description:
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications
Conclusion: Symantec Encryption Management Server 3.3.2 MP2 included a fix for this with an updated version of OpenSSL.  Symantec has provided further updates to the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3529315, 3740101, and 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224

CVE-2013-0485
Description:  IBM JDK: unspecified flaw (Libraries)
Conclusion: This is resolved in SEMS 3.4.0 and above
Etrack: 3482349
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0485
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0485

CVE-2013-1897
Description: LDAP Anonymous Directory Access Permitted to Symantec Encryption Management Server
Conclusion: This sometimes comes up in certain vulnerability scans, which state that too much access is provided anonymously.  This is the intended behavior: Encryption Management Server is used as a keyserver and, as such, makes public keys available for searches over an anonymous bind so that keys can be provided for secure data exchange.
No other information, and no other part of the server containing user information, is made available except those keys, which are intended to be found and are safe to publish.  This applies to all versions of Symantec Encryption Management Server.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1897
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1897
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1897


CVE-2013-6438
Description: httpd: mod_dav denial of service via crafted DAV WRITE request
Conclusion: This is resolved in SEMS 3.4.0 and above
Etrack: 3482497
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6438

CVE-2014-0119
Description: Tomcat/JBossWeb: XML parser hijack by malicious web application
Conclusion: This was resolved in SEMS 3.3.2 MP7 and above
Etrack: 3618432, 3613320
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0119
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0119

CVE-2014-0878
Description: IBM JDK: Vulnerability in the IBMSecureRandom implementation of the IBMJCE and IBMSecureRandom cryptographic providers
Conclusion: This is specific to the IBM JDK only.  SEMS uses Oracle Java.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0878
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0878

CVE-2014-1959
Description: Gnutls: incorrect handling of V1 intermediate certificates
Conclusion: Symantec Encryption Management Server does not use GnuTLS for any of its secure transactions.  OpenSSL is used instead and is not vulnerable to this report.  Furthermore, starting with Symantec Encryption Management Server 3.3.2 MP3, GnuTLS is no longer included as a package.
Etrack: 3453811
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1959

 

CVE-2014-3470
Description:
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used
Conclusion: Symantec Encryption Management Server does not use the Elliptic Curve Diffie–Hellman (ECDH) cipher.
To find out which ciphers are used, run:
openssl ciphers -v
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3470

 

CVE-2014-3566
Description:
openssl: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data
Conclusion: Symantec Encryption Management Server is not vulnerable to POODLE; however, version 3.3.2 MP9 completely disables SSL v3.0 from being used.  For more information, see KB TECH225779.
Etrack: 3642153, 3740101
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
https://access.redhat.com/articles/1232123
https://symiq.corp.symantec.com/support/tSites/SRMSS/srl/Lists/Posts/Post.aspx?ID=952
https://www.openssl.org/~bodo/ssl-poodle.pdf

 

CVE-2014-4877
Description:
wget: FTP symlink arbitrary filesystem access
Conclusion: Symantec Encryption Management Server does not use wget to perform any of its operations, and exploiting this would require root access to the server, which is not configured by default.
Etrack: 3650952
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-4877
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877

 

CVE-2014-6271
Description:
Shellshock - bash: specially-crafted environment variables can be used to inject shell commands
Conclusion: Symantec Encryption Management Server is not vulnerable to this report, as no unauthenticated remote access is provided to the server via either the UI or the command line.
Etrack: 3630417
Additional References:
http://www.symantec.com/docs/TECH225009
https://www.youtube.com/watch?v=XIsUWwJaOeU&feature=youtu.be
http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

 

CVE-2014-6277
Description:
bash: untrusted pointer use issue leading to code execution
Conclusion: Symantec Encryption Management Server is not vulnerable to this report, as no unauthenticated remote access is provided to the server via either the UI or the command line.
Etrack: 3630417
Additional References:

http://www.symantec.com/docs/TECH225009
https://www.youtube.com/watch?v=XIsUWwJaOeU&feature=youtu.be
http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277

 

CVE-2014-6278
Description:
bash: code execution via specially crafted environment variables
Conclusion: Symantec Encryption Management Server is not vulnerable to this report, as no unauthenticated remote access is provided to the server via either the UI or the command line.
Etrack: 3630417
Additional References:
http://www.symantec.com/docs/TECH225009
https://www.youtube.com/watch?v=XIsUWwJaOeU&feature=youtu.be
http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278

 

CVE-2014-7169
Description:
bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)
Conclusion: Symantec Encryption Management Server is not vulnerable to this report, as no unauthenticated remote access is provided to the server via either the UI or the command line.
Etrack: 3630417
Additional References:
http://www.symantec.com/docs/TECH225009
https://www.youtube.com/watch?v=XIsUWwJaOeU&feature=youtu.be
http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169


CVE-2014-7287
Description:
The key-management component in Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allows remote attackers to trigger unintended content in outbound e-mail messages via a crafted key UID value in an inbound e-mail message, as demonstrated by the outbound Subject header.
Conclusion: This is resolved in Symantec Encryption Management Server MP7 and above.
Etrack: 3616161, 3840267
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7287
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7287


CVE-2014-7288
Description: Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allow remote authenticated administrators to execute arbitrary shell commands via a crafted command line in a database-backup restore action.
Conclusion: This is resolved in Symantec Encryption Management Server MP7 and above.
Etrack: 3673746, 3840267
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7288
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7288
 

CVE-2014-7810
Description: Tomcat/JbossWeb: security manager bypass via EL expressions
Conclusion: This is resolved in Symantec Encryption Management Server MP8 and above.
Etrack: 3723517, 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-7810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7810
 

CVE-2014-8176
Description: Invalid free in DTLS
Conclusion: Symantec Encryption Management Server has no services that use DTLS and cannot be impacted by flaws with DTLS.  Furthermore, the version of OpenSSL used by Symantec Encryption Management Server does not have the flawed implementation (RHEL 5 does not use the affected version).
Etrack: 3824996
Additional References:
https://access.redhat.com/security/cve/CVE-2014-8176
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8176
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8176


CVE-2014-8730
Description: TLS: incorrect check of padding bytes when using CBC cipher suites
Conclusion: As noted in the CVE description, "NOTE: the scope of this identifier is limited to the F5 implementation only".
As Symantec Encryption Management Server is not an F5 product, it is not affected, and the OpenSSL and TLS versions referenced in the report do not specifically apply to Symantec Encryption Management Server.
Furthermore, the packages listed in the report do not apply to RHEL 5, 6, or 7 (Symantec Encryption Management Server uses a variant of RHEL 5), as stated at access.redhat.com.
Etrack: 3683901
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730
https://access.redhat.com/security/cve/CVE-2014-8730

CVE-2014-2421, CVE-2014-4216, CVE-2015-0395, CVE-2014-6601, CVE-2015-0412, CVE-2015-0408, CVE-2015-0407, CVE-2015-0406, CVE-2015-0403, CVE-2015-0400, CVE-2015-0484, CVE-2015-0458, CVE-2015-0460, CVE-2015-0492, CVE-2015-0491, CVE-2015-0459, CVE-2015-0469, CVE-2015-0480, CVE-2015-4732, CVE-2015-4733, CVE-2015-2638, CVE-2015-4760, CVE-2015-2628, CVE-2015-4731, CVE-2015-2621, CVE-2015-2619, CVE-2015-2637, CVE-2015-2632, CVE-2015-2596, CVE-2015-4729
Description:
Oracle Java Vulnerability Reports
Conclusion: Applies to client deployment of Java only.  When Oracle mentions client deployment, it means an application that downloads third-party byte-code to execute in the Java virtual machine.  SEMS does not run Java in client deployment mode and faces no risk or impact from client deployment vulnerabilities.  SEMS runs Java services with a web interface that requires authentication, which means attackers would have to log in successfully before using the service (this prevents remote unauthenticated attackers).  No local or shell access is granted via the Java services.
Etrack: 3840267
 

CVE-2015-0235
Description:
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18...aka "GHOST."
Conclusion: For more information on GHOST, see article TECH228598.
Etrack: 3714569
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235

 

CVE-2015-0204
Description: openssl: only allow ephemeral RSA keys in export ciphersuites (FREAK)
Conclusion: Symantec Encryption Management Server is not affected by this issue as it denies export ciphers through explicit configuration.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3760856, 3740101, 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204

 

CVE-2015-0207
Description: Openssl: DTLS segmentation fault in DTLSv1_listen
Conclusion: Symantec Encryption Management Server is not vulnerable to this report as no services use DTLS.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0207
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0207

 

CVE-2015-0208
Description: Openssl: segmentation fault for invalid PSS parameters
Conclusion: Symantec Encryption Management Server is not affected by this report as the PGPSDK handles these operations on the backend.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0208
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0208

 

CVE-2015-0209
Description: Openssl: use-after-free on invalid EC private key import
Conclusion: SEMS is not impacted by this report because the implementation of OpenSSL currently being used has no support for elliptic curve keys.  Furthermore, Symantec Encryption Management Server is not affected by this report as the PGPSDK handles these operations on the backend.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0209

 

CVE-2015-0285
Description: Openssl: handshake with unseeded PRNG
Conclusion: Symantec Encryption Management Server is not affected by this report as the issue only manifests in OpenSSL 1.0.2, a version which is not in use by Symantec Encryption Management Server.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0285
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0285

 

CVE-2015-0286
Description: openssl: invalid pointer use in ASN1_TYPE_cmp()
Conclusion: Symantec Encryption Management Server is not affected by this report as the affected function does not exist in the version of OpenSSL used by SEMS.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0286

 

CVE-2015-0287
Description: Openssl: ASN.1 structure reuse memory corruption
Conclusion: Symantec Encryption Management Server is not affected by this report as the PGPSDK handles these operations on the backend.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3760856, 3740101, 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0287

 

CVE-2015-0288
Description: Openssl: X509_to_X509_REQ NULL pointer dereference
Conclusion: Symantec Encryption Management Server is not affected by this report as the PGPSDK handles these operations on the backend.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3760856, 3740101, 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0288

 

CVE-2015-0289
Description: Openssl: PKCS7 NULL pointer dereference
Conclusion: Symantec Encryption Management Server is not affected by this report as the PGPSDK handles these operations on the backend.  OpenSSL clients and servers are not affected by this report.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3760856, 3740101, 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0289
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0289

 

CVE-2015-0290
Description: Openssl: multiblock corrupted pointer
Conclusion: Symantec Encryption Management Server is not affected by this report as the affected logic does not exist in the version of OpenSSL used by Symantec Encryption Management Server.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0290
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0290
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0290

 

CVE-2015-0291
Description: Openssl: ClientHello sigalgs NULL pointer dereference DoS
Conclusion: Symantec Encryption Management Server is not affected by this report as the affected logic does not exist in the version of OpenSSL used by Symantec Encryption Management Server.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0291
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0291


CVE-2015-0292
Description: Openssl: integer underflow leading to buffer overflow in base64 decoding
Conclusion: Symantec Encryption Management Server is not affected by this report as the PGPSDK handles these operations on the backend.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3760856, 3740101, 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0292
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0292


CVE-2015-0293
Description: Openssl: assertion failure in SSLv2 servers
Conclusion: Symantec Encryption Management Server is not impacted by this report as the only service available to remote users that uses OpenSSL is explicitly configured to disallow SSLv2.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3760856, 3740101, 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0293


CVE-2015-0383
Description: OpenJDK: insecure hsperfdata temporary file handling
Conclusion: This report applies to client and server deployments of Java. SEMS is not impacted as unauthenticated remote attackers do not have access to the file system.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0383


CVE-2015-0410
Description: OpenJDK: DER decoder infinite loop
Conclusion: This applies to client and server deployments of Java. SEMS uses the PGP SDK to handle DER-encoded input and is therefore not impacted.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0410


CVE-2015-1787
Description: Openssl: segmentation fault in client authentication with empty CKE and DHE
Conclusion: Symantec Encryption Management Server is not affected by this report as the affected logic does not exist in the version of OpenSSL used by Symantec Encryption Management Server.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1787
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1787


CVE-2015-1793
Description: openssl: alternative chains certificate forgery
Conclusion: This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.  Symantec Encryption Management Server uses OpenSSL 0.9.8e-27.el5_10.3 and is not affected by this report.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1793
https://www.openssl.org/news/secadv_20150709.txt


CVE-2014-0114, CVE-2015-0899, CVE-2016-6795, CVE-2017-5638
Description: Apache Struts 1: input validation bypass in MultiPageValidator
Conclusion: Symantec Encryption Management Server is not affected by this report because Apache Struts is not in use by the server.
Etrack: 3511372, 4038286
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0899
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0899
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0899


CVE-2015-1788
Description: OpenSSL: Malformed ECParameters causes infinite loop
Conclusion: This issue does not affect the versions of openssl package as shipped with Red Hat Enterprise Linux 5, 6 and 7.
Etrack: 3824978
Additional References:
https://access.redhat.com/security/cve/CVE-2015-1788
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1788
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1788

CVE-2015-1789
Description: Exploitable out-of-bounds read in X509_cmp_time
Conclusion: Symantec Encryption Management Server MP11 has resolved this issue.
Etrack: 3824986
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1789
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1789
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1789


CVE-2015-1790
Description: PKCS7 crash with missing EnvelopedContent.  This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.  An attacker able to make an application using OpenSSL verify, decrypt, or parse a specially crafted PKCS#7 input could cause that application to crash.
Conclusion: Symantec Encryption Management Server MP11 has resolved this issue. 
Etrack: 3824990, 3824986
Additional References:
https://access.redhat.com/security/cve/CVE-2015-1790
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1790
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1790


CVE-2015-1791
Description: Race condition handling NewSessionTicket
Conclusion: This issue does NOT affect the version of OpenSSL package as shipped with Red Hat Enterprise Linux 5.  Symantec Encryption Management Server is therefore not affected by this report.
Etrack: 3824992
Additional References:
https://access.redhat.com/security/cve/CVE-2015-1791
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1791
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1791


CVE-2015-1792
Description: CMS verify infinite loop with unknown hash function
Conclusion: This issue does NOT affect the version of OpenSSL package as shipped with Red Hat Enterprise Linux 5.  Symantec Encryption Management Server is therefore not affected by this report.
Etrack: 3824991 
Additional References:
https://access.redhat.com/security/cve/CVE-2015-1792
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1792
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1792


CVE-2015-2601
Description: OpenJDK: non-constant time comparisons in crypto code
Conclusion: This applies to client and server deployment of Java. SEMS uses PGP SDK for cryptography, not java JCE, and is not impacted.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2601


CVE-2015-2625
Description: OpenJDK: name for reverse DNS lookup used in certificate identity check
Conclusion: This applies to the installation process in client deployments of Java. SEMS is not impacted as there is no client deployment.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2625


CVE-2015-2627
Description: Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51
Conclusion: This applies to client and server deployment of JSSE.  Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality via unknown vectors related to installation. SEMS is not impacted as there is no installation after SEMS deployment.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2627
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2627


CVE-2015-2808
Description: The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase.  Also known as "Bar Mitzvah".
Conclusion: This is an extension of CVE-2013-2566 and is currently being reviewed by Symantec Development.  RC4 as it exists on Symantec Encryption Management Server is not easily exploited: an attacker must record and analyze 1 billion connections to find one weak key (one chance per billion connections), and the search then starts over.
BEAST, CRIME, and POODLE, and in this case, "Bar Mitzvah", require the browser to run the attacker's JavaScript so that the attacker knows what the content is before it gets encrypted by the browser.  Symantec Encryption Management Server does not use any external content by default, so these attacks are not feasible against users connecting to the Symantec Encryption Management Server.  These attacks require an attacker to know the exact bytes and location of those bytes *before* the client sends them to the server.  Due to the Symantec Encryption Management Server architecture, there is no possibility of putting a client in a compromising position unless introduced by custom content.  Customers should take extra precaution when customizing UI or templates to ensure external JavaScript is not used.  Although audits detect these false positives for BEAST, CRIME, and POODLE, exploiting these vulnerabilities on the server is not possible by default.
Starting with Symantec Encryption Management Server 3.3.2 MP11, the RC4 cipher has been removed.
Etrack: 3362451
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2808


CVE-2015-4000
Description: LOGJAM: TLS connections which support export-grade DHE key exchange are vulnerable to MITM attacks
Conclusion: The TLS server services on Symantec Encryption Management Server are not vulnerable to Logjam attacks on Diffie-Hellman because export ciphers are explicitly disabled.
Although exceptionally unlikely, client services using OpenSSL or NSS may be forced into downgrading to an export cipher via a large-scale, supercomputing MITM effort when connecting to servers that allow the DH export ciphers.
Symantec Encryption Management Server 3.3.2 MP11 addresses Logjam threats through TLS. There are no services running on the server that are vulnerable to Logjam. There are other facilities installed on the server that do not run and that the system does not use, which scanners may detect as being vulnerable to Logjam.
Symantec Encryption Management Server version 3.3.2 MP13 completely addresses the Logjam report.
Etrack: 3790840, 3824986
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000


CVE-2015-4749
Description: OpenJDK: DnsClient fails to release request information after error
Conclusion: This applies to client and server deployment of Java.  Unauthenticated remote attackers cannot force java services to make a flurry of DNS requests, and cannot exhaust DNS transaction ids through the same.  SEMS is not vulnerable to this report.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4749
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4749
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4749


CVE-2015-5174
Description: tomcat: URL Normalization issue
Conclusion: Symantec Encryption Management Server is flagged as vulnerable to this report because of version matching with Tomcat; however, Symantec Encryption Management Server is not vulnerable to this report.
Only requests made from specific services controlled by the Symantec Encryption Management Server have access.  Symantec Encryption Management Server will automatically prevent this vulnerability.
Etrack: 3917042
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5174


CVE-2015-5345
Description: tomcat: directory disclosure
Conclusion: Symantec Encryption Management Server is flagged as vulnerable to this report because of version matching with Tomcat; however, Symantec Encryption Management Server is not vulnerable to this report.
Only requests made from specific services controlled by the Symantec Encryption Management Server have access.  Symantec Encryption Management Server will automatically prevent this vulnerability.
Etrack: 3917042
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5345


CVE-2015-5346
Description: tomcat: Session fixation
Conclusion: Although the Symantec Encryption Management Server has a vulnerable package, the Symantec Encryption Management Server does not use the SSL session ID, is configured to prevent this attack, and is therefore not vulnerable to this report.
Etrack: 3917042
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5346


CVE-2015-5351
Description: tomcat: CSRF token leak
Conclusion: Symantec Encryption Management Server is flagged as vulnerable to this report because of version matching with Tomcat; however, Symantec Encryption Management Server is not vulnerable to this report.
Only requests made from specific services controlled by the Symantec Encryption Management Server have access.  Symantec Encryption Management Server will automatically prevent this vulnerability.
Etrack: 3918913
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5351

CVE-2015-7547
Description: A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries.
Conclusion: This issue does not affect the versions of glibc as shipped with Red Hat Enterprise Linux 3, 4 and 5.  Symantec Encryption Management Server 3.3.2 is not vulnerable to this report as the version of Linux is CentOS 5.
Etrack: 3912954
Additional References:
https://access.redhat.com/security/cve/cve-2015-7547
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547

CVE-2015-7575
Description: TLS 1.2 transcript collision attacks against MD5 in key exchange protocol
Conclusion: SEMS does not use Java for TLS client authentication and is not impacted by this report.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7575
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7575

CVE-2015-8150
Description: Symantec Encryption Management Server (SEMS) 3.3.2 before MP12 allows local users to obtain root access by modifying a batch file.
Conclusion: This is documented on the Symantec Security Response Page.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8150
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8150


CVE-2015-8149
Description: The LDAP service in Symantec Encryption Management Server (SEMS) 3.3.2 before MP12 allows remote attackers to cause a denial of service (heap memory corruption and service outage) via crafted requests.
Conclusion: This is documented on the Symantec Security Response Page.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8149
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8149


CVE-2015-8151
Description: Symantec Encryption Management Server (SEMS) 3.3.2 before MP12 allows remote authenticated users to execute arbitrary OS commands by leveraging console administrator access.
Conclusion: This is documented on the Symantec Security Response Page.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8151
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8151
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8151


CVE-2016-0402
Description: OpenJDK: URL deserialization inconsistencies
Conclusion: This applies only to client deployments of Java; SEMS is therefore not impacted by this report.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0402


CVE-2016-0466
Description: OpenJDK: insufficient enforcement of totalEntitySizeLimit
Conclusion: SEMS 3.3.2 MP13 has an affected version of Java; however, it does not process XML and is therefore not impacted by this report.  Remote attackers cannot send XML to Java, so these attacks are not possible on SEMS.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0466


CVE-2016-0483
Description: OpenJDK: insufficient enforcement of totalEntitySizeLimit
Conclusion: Unauthenticated remote attackers cannot send JPG to Java so these attacks are not possible on SEMS.  SEMS Administrators with the proper permissions who can submit JPGs for Web Email Protection customization still cannot exploit the vulnerability because those images are never processed by AWT.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0483

CVE-2016-0703
Description: Openssl: Divide-and-conquer session key recovery in SSLv2
Conclusion: This report relies on SSLv2.  Symantec Encryption Management Server does not use SSLv2, and will not accept SSLv2 connections, and is therefore not vulnerable.
Etrack: 3918913
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0703
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0703
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0703


CVE-2016-0706
Description: Apache Tomcat Security Manager
Conclusion: Symantec Encryption Management Server is flagged as vulnerable to this report because of version matching with Tomcat; however, Symantec Encryption Management Server is not vulnerable to this report.
Only requests made from specific services controlled by the Symantec Encryption Management Server have access.  Symantec Encryption Management Server will automatically prevent this vulnerability.
Etrack: 3917042
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0706


CVE-2016-0714 
Description: tomcat: Security Manager bypass via persistence mechanisms
Conclusion: Although Symantec Encryption Management Server has a package that is vulnerable, this report cannot be exploited without first installing a malicious web app on the server, which is not possible externally.  It is not possible to exploit this report in the default configuration.
Etrack: 3917042
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0714

CVE-2016-0762
Description: tomcat: timing attack in Realm implementation
Conclusion: This does not impact SEMS as SEMS does not use Realms.
Etrack: 4054765
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0762

CVE-2016-0763
Description: tomcat: security manager bypass via setGlobalContext()
Conclusion: Although Symantec Encryption Management Server has a package that is vulnerable, this report cannot be exploited without first installing a malicious web app on the server, which is not possible externally.  It is not possible to exploit this report in the default configuration.
Etrack: 3917042
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0763


CVE-2016-0777
Description: OpenSSH: Client Information leak due to use of roaming connection feature
Conclusion: Symantec Encryption Management Server uses OpenSSH version 4 and does not use the roaming feature mentioned.  As noted in the CVE report:
* The "roaming" feature of OpenSSH clients was introduced in OpenSSH-5.4. Therefore Red Hat Enterprise Linux 4, 5, and 6 are not affected by this flaw.
* Red Hat Enterprise Linux 4, 5, and 6 are not affected by this flaw because they include OpenSSH versions older than 5.4, and hence do not implement the roaming feature.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0777
https://access.redhat.com/articles/2123781


CVE-2016-0778
Description: OpenSSH: Client buffer-overflow when using roaming connections
Conclusion: Symantec Encryption Management Server uses OpenSSH version 4 and does not use the roaming feature mentioned.  As noted in the CVE report:
* The "roaming" feature of OpenSSH clients was introduced in OpenSSH-5.4. Therefore Red Hat Enterprise Linux 4, 5, and 6 are not affected by this flaw.
* Red Hat Enterprise Linux 4, 5, and 6 are not affected by this flaw because they include OpenSSH versions older than 5.4, and hence do not implement the roaming feature.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0778
https://access.redhat.com/articles/2123781


CVE-2016-0800
Description: SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
Conclusion: This report relies on SSLv2.  Symantec Encryption Management Server does not use SSLv2, and will not accept SSLv2 connections, and is therefore not vulnerable.
Etrack: 3918913
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800

CVE-2016-1583
Description: kernel: Stack overflow via ecryptfs and /proc/$pid/environ
Conclusion: In order to exploit this report, a local user is required.  Symantec Encryption Management Server does not make available any local users and is therefore not affected by this report.
Etrack: 4038271
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1583
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1583

CVE-2016-2181
Description: openssl: DTLS replay protection bypass allows DoS against DTLS connection
Conclusion: Datagram Transport Layer Security (DTLS) provides SSL over UDP.  Symantec Encryption Management Server does not use any DTLS services.  Symantec Encryption Management Server only offers SSL over TCP.
Etrack: 3989781
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2181


CVE-2016-2183
Description: SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
Conclusion: Symantec Encryption Management Server 3.4.1 resolves this fully, as per the release notes:
"Resolved the potential security vulnerability for SSL/TLS noted in CVE-2016-2183 by applying the patch provided by Red Hat Enterprise Linux, thus preventing attacks against 64-bit block ciphers."
Previous to 3.4.1, Symantec Encryption Management Server does allow the affected cipher but will try to use other, more secure ciphers before falling back to the affected cipher.  Symantec Encryption Management Server will only use the affected cipher after a browser, or other client, rejects the more secure ciphers.  Symantec does not believe an attack against Symantec Encryption Management Server is feasible and already features the vendor-recommended mitigations. 
Update Jan 30, 2019: Although SEMS 3.4.1 already mitigates this issue, SEMS 3.4.2 MP2 and above will no longer use TLS 1.0 by default for its server-client communications.  If Encryption Clients version 10.3.x are being used, TLS 1.0 can be re-enabled for backward compatibility with the assistance of support.
Etrack: 3989781
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183


CVE-2016-2776
Description: bind: assertion failure in buffer.c while building responses to a specifically constructed request
Conclusion: This was fixed in Symantec Encryption Management Server 3.4.1.  For more information, see the release notes.
Etrack: 4005768
Additional References:
https://support.symantec.com/en_US/article.DOC9292.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2776

CVE-2016-2834
Description: nss: Multiple security flaws (MFSA 2016-61)
Conclusion: SEMS has an affected nss package but is not impacted.  OpenSSL and PGP SDK handle the tasks where nss would be affected.
Etrack: 4054768
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2834
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2834

CVE-2016-2848
Description: bind: assertion failure triggered by a packet with malformed options
Conclusion: Symantec Encryption Management Server does not run a name server, which is required for this report to apply, and is therefore unaffected.
Etrack: 4038285
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2848
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2848

CVE-2016-3503
Description: Oracle JDK: unspecified vulnerability fixed in 6u121, 7u111, and 8u101 (Install)
Conclusion: This report applies only to the client installation process in client deployments.  SEMS is a server deployment and is not impacted.
Etrack: 3976238
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3503
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3503


CVE-2016-3500
Description: OpenJDK: maximum XML name limit not applied to namespace URIs (JAXP, 8148872)
Conclusion: Maximum XML name limit not applied to namespace URIs
Etrack: 3976238
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3500
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3500

CVE-2016-3508
Description: OpenJDK: missing entity replacement limits (JAXP, 8149962)
Conclusion: SEMS is not impacted because it’s not possible for an attacker to submit an XML bomb to the java application on SEMS.
Etrack: 3976238
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3508
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3508

CVE-2016-3511
Description: Oracle JDK: unspecified vulnerability fixed in 7u111 and 8u101 (Deployment)
Conclusion: This report applies only to client deployments.  SEMS uses a server deployment and is not affected.
Etrack: 3976238
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3511
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3511

CVE-2016-3606
Description:  OpenJDK: insufficient bytecode verification (Hotspot, 8155981)
Conclusion: This report applies only to client deployments.  SEMS uses a server deployment and is not affected.
Etrack: 3976238
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3606
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3606

CVE-2015-3642
Description: TLS and DTLS Padding Validation Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway
Conclusion: This is specific to Citrix and does not relate to SEMS, which is therefore not affected.
Etrack: 3931491
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3642
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3642
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3642


CVE-2016-5195
Description: Dirty COW privilege escalation report - race condition in copy-on-write breakage of private read-only memory mappings
Conclusion: The Symantec Encryption Management Server 3.4.1 is not affected by this.  On all versions prior to this, the copy-on-write flaw requires local access.  Symantec Encryption Management server (any version) does not provide non-administrative local access and prevents the opportunity for attacks that target the copy-on-write defect. 
Etrack: 4010837
Additional References:
https://support.symantec.com/en_US/article.DOC9292.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5195


CVE-2016-5181, CVE-2016-5182, CVE-2016-5183, CVE-2016-5184, CVE-2016-5185, CVE-2016-5186, CVE-2016-5187, CVE-2016-5188, CVE-2016-5189, CVE-2016-5190, CVE-2016-5191, CVE-2016-5192, CVE-2016-5193, CVE-2016-5194
Description: Multiple Chromium reports against Symantec Encryption Management Server.
Conclusion: Symantec Encryption Management Server does not use Chromium and is therefore not affected.
Etrack: 4038268
Additional References: n/a

CVE-2016-5285
Description: nss: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash
Conclusion: SEMS has an affected nss package but is not impacted.  OpenSSL and PGP SDK handle the tasks where nss would be affected.
Etrack: 4054768
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5285
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5285

CVE-2016-5290, CVE-2016-5291, CVE-2016-5296, CVE-2016-5297, CVE-2016-9064, CVE-2016-9066, CVE-2016-1240
Description: Mozilla browser
Conclusion: SEMS 3.4.1 does not use Mozilla, so this does not apply. Furthermore, the report states Windows is the only OS affected.  SEMS uses Linux.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5290
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5291
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5296
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5297
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9064
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9066
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1240

CVE-2016-5425
Description: tomcat: Local privilege escalation via systemd-tmpfiles service
Conclusion: Symantec Encryption Management Server does not use the affected Tomcat version from Red Hat.
Etrack: 4054765
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5425
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5425

CVE-2016-5556, CVE-2016-5568, CVE-2016-5582, CVE-2016-5573, CVE-2016-5597, CVE-2016-5554, CVE-2016-5542
Description: Oracle JDK Security Reports
Conclusion: As per the review done by Oracle, this report does not apply to Java deployments in servers that load and run only trusted code. Symantec Encryption Management Server does not download or run untrusted code. As a result, Symantec Encryption Management Server is not affected by this report.
Etrack: 4009968
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5556
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5556
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixJAVA


CVE-2016-6304
Description: openssl: OCSP Status Request extension unbounded memory growth
Conclusion: This is resolved in SEMS 3.4.1.
Etrack: 3989781
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6304
 

CVE-2016-6325
Description: tomcat: tomcat writable config files allow privilege escalation
Conclusion: Symantec Encryption Management Server does not use the affected Tomcat version from Red Hat.
Etrack: 4054765
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6325
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6325


CVE-2016-6797, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796
Description: Local-Only vulnerabilities in Tomcat
Conclusion: As per the review done by Oracle, this report does not apply to Java deployments in servers that load and run only trusted code. Symantec Encryption Management Server does not download or run untrusted code. As a result, Symantec Encryption Management Server is not affected by this report.
Etrack: 4038276
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6797
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6797
 

CVE-2016-6816
Description: tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests
Conclusion: Symantec Development and Security teams reviewed this issue and found no method of exploiting it against SEMS; SEMS is therefore not vulnerable to this report.
Etrack: 4054765
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6816
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6816
 

CVE-2016-7053
Description: openssl: CMS Null dereference vulnerability
Conclusion: This report does not affect OpenSSL versions prior to 1.1.0. SEMS uses 1.0.1e and is not affected.
Etrack: 4054766
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7053


CVE-2016-7054
Description: openssl: Corrupting larger payloads when using ChaCha20/Poly1305 ciphersuites leads to DoS
Conclusion: This report does not affect OpenSSL versions prior to 1.1.0. SEMS uses 1.0.1e and is not affected.
Etrack: 4054766
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7054
 

CVE-2016-8635
Description: nss: small-subgroups attack flaw
Conclusion: SEMS has an affected nss package but is not impacted. OpenSSL and the PGP SDK handle the tasks where nss would be affected.
Etrack: 4054768
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8635
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8635
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8635

CVE-2016-8735
Description: tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener
Conclusion: SEMS does not expose the JMX ports externally; they are all blocked by the firewall.
Etrack: 4054765
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8735
 

CVE-2016-8864
Description: bind: assertion failure while handling responses containing a DNAME answer
Conclusion: Symantec Encryption Management Server does not run a name server, which is required for this report to apply, and is therefore unaffected.
Etrack: 4054767
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8864


CVE-2016-7855
Description: flash-plugin: use-after-free issue fixed in APSB16-36
Conclusion: Symantec Encryption Management Server does not use the vulnerable software and is not affected by this report.
Etrack: 4038281
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7855
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7855
 

CVE-2017-3253, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2016-8328, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3260, CVE-2017-3261, CVE-2017-3262, CVE-2017-3272, CVE-2017-3289
Description: Multiple Oracle JDK reports
Conclusion: SEMS has an affected java package but does not use the affected library and is not impacted.
Etrack: 4059623, 4058855
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3253
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3253
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3253

CVE-2017-8046
Description: spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code
Conclusion: Symantec Encryption Management Server is not affected by this report because it does not contain the affected software mentioned.
Etrack: 4182002
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8046


CVE-2017-15361
Description: The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM) firmware, such as versions before 0000000000000422 - 4.34, before 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles RSA key generation. Also known as ROCA.
Conclusion: This report refers to Infineon's hardware product and its broken implementation of the OpenPGP standard. The advisory is related to a faulty implementation that allows recovery of private keys using the public key. This report is completely separate from the OpenPGP technology used by Symantec's PGP implementation. Keys generated by Symantec Encryption products are generated properly and safely and do not suffer from the issues revealed by the researchers.
If a key was generated by Infineon's system and was subsequently imported into a Symantec Encryption product, the key should be revoked and a new key should be generated by a Symantec Encryption product.
Etrack: 4136330
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15361


CVE-2019-9702
Description: Symantec Endpoint Encryption Privilege Escalation
Conclusion: Symantec Endpoint Encryption 11.3 includes a fix for this issue. For Symantec Encryption Desktop, see the Symantec articles below for mitigation and recommendations on this report.
Etrack: n/a
Additional References:
https://support.symantec.com/us/en/article.tech149543.html
https://support.symantec.com/us/en/article.SYMSA1485.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9702
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9702


CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
Description: ZombieLoad: hardware: Microarchitectural Fill Buffer Data Sampling (MFBDS). This report is related to the hardware flaw found in some CPUs.
Conclusion: Local user access is required to exploit this flaw. SEMS does not offer local user access and as a result is not vulnerable to local user attacks. As these flaws are in the hardware, the solution is a combination of operating system and CPU firmware updates. Virtual machines may potentially be impacted, as local users in a separate virtual machine can attempt attacks against other virtual machines sharing the same physical CPU affected by these hardware flaws. Firmware updates cannot be applied to the CPU from virtual machines, so Symantec recommends working with your virtualization vendor to ensure proper mitigation steps have been taken to secure and update the firmware on machines hosting virtual servers. SEMS running on physical hardware is not impacted by these flaws.
Etrack: 4240240
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-12130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130

 

CVE-2020-0543, CVE-2020-0548, CVE-2020-0549
Description: CVE-2020-0543 hw: Special Register Buffer Data Sampling (SRBDS), CVE-2020-0548 hw: Vector Register Data Sampling, CVE-2020-0549 hw: L1D Cache Eviction Sampling
Conclusion: Local user access is required to exploit these flaws. SEMS does not allow local access login by default. SEMS installed on physical hardware is not at risk, as there is no local access configured. Virtual machines may potentially be impacted, as local users in a separate virtual machine can attempt attacks against other virtual machines sharing the same physical CPU affected by these hardware flaws. Firmware updates cannot be applied to the CPU from virtual machines, so Symantec recommends working with your virtualization vendor to ensure proper mitigation steps have been taken to secure and update the firmware on machines hosting virtual servers. SEMS running on physical hardware is not impacted by these flaws.
Etrack: 4240240, 4269072
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-12130
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130


CVE-2020-9484
Description: Apache Tomcat: Important: Remote Code Execution via session persistence
Conclusion: Remote code execution can only be achieved if all four of a series of requirements are met. Failing to meet even a single requirement is enough to prevent remote code execution.
SEMS avoids all four requirements and is not impacted by this report.
Etrack: 4269072
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-9484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9484
https://access.redhat.com/security/cve/cve-2020-9484


CVE-2020-11996
Description: Apache Tomcat: Important: HTTP/2 DoS CVE-2020-11996
Conclusion: SEMS does not support HTTP/2 requests and is therefore not affected by this report.
Etrack: 4269072
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-11996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11996
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11996
https://access.redhat.com/security/cve/cve-2020-11996

 

CVE-2020-14556
Description: OpenJDK: Incorrect handling of access control context in ForkJoinPool (Libraries, 8237117)
Conclusion: SEMS does not use ForkJoinPool and is therefore not impacted by this report.
The current version, SEMS 10.5, uses OpenJDK; this report does not apply to it.
Symantec Etrack: 4269119
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14556
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14556


CVE-2020-14577
Description: OpenJDK: HostnameChecker does not ensure X.509 certificate names are in normalized form (JSSE, 8237592)
Conclusion: SEMS does not run the HostnameChecker code and therefore is not vulnerable to this flaw.
SEMS uses its own proprietary PGP SDK code where proper verification is needed.
The current version, SEMS 10.5, uses OpenJDK; this report does not apply to it.
Symantec Etrack: 4269119
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14577
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14577


CVE-2020-14578
CVE-2020-14579
Description: OpenJDK: Unexpected exception raised by DerInputStream (Libraries, 8237731)
Conclusion: SEMS uses its own internal PGP SDK code to handle these operations and is therefore not impacted by these reports.
The current version, SEMS 10.5, uses OpenJDK; these reports do not apply to it.
Symantec Etrack: 4269119
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14578
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14578


CVE-2020-14581
Description: OpenJDK: Information disclosure in color management (2D, 8238002)
Conclusion: SEMS uses the code to read an image's dimensions but does not use this same code to access image color management information where this flaw is reported and is therefore not impacted by this flaw.
The current version, SEMS 10.5, uses OpenJDK; this report does not apply to it.
Symantec Etrack: 4269119
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14581
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14581


CVE-2020-14583
CVE-2020-14593
Description: OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access (Libraries, 8238920)
Conclusion: These reports are specific to clients only and are not applicable to SEMS.
The current version, SEMS 10.5, uses OpenJDK; these reports do not apply to it.
Symantec Etrack: 4269119
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14583
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14583


CVE-2020-14621
Description: OpenJDK: XML validation manipulation due to incomplete application of the use-grammar-pool-only feature (JAXP, 8242136)
Conclusion: SEMS contains the affected package; however, Symantec Security teams have tested it and SEMS is not impacted by this report.
The current version, SEMS 10.5, uses OpenJDK; this report does not apply to it.
Symantec Etrack: 4269119
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14621
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14621
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14621


NOTE: In cases where a vulnerability may have been exploited, and is not included in this list, contact Symantec Enterprise Division support for review.

 

Applies To

 

This article takes into account Symantec Encryption Management Server 3.3.0 MP1 and above. When considering CVEs, it is recommended to be at the latest version of the Encryption Management Server to be covered by any recent security fixes.