Common Vulnerabilities and Exposures (CVEs) applicable to Symantec Encryption Management Server and Symantec Endpoint Encryption

Article ID: 157729

Products

Encryption Management Server, Drive Encryption, Desktop Email Encryption, Endpoint Encryption, File Share Encryption, Gateway Email Encryption, PGP Command Line, PGP Key Management Server, PGP Key Mgmt Client Access and CLI API, PGP SDK, PGP Encryption Suite

Issue/Introduction

This article is designed to provide Administrators of Symantec Encryption Management Server with a listing of reported CVEs that Symantec Enterprise Division Development and Security teams have reviewed and resolved in the current release of the Encryption Management Server.  This list may not contain all the CVEs that have been reported; it contains only those CVEs that have been reviewed by Symantec Enterprise Division Development and resolved, or that are known with reasonable workarounds.

Each release of Symantec Encryption Management Server goes through a series of security reviews and security scans to ensure it is ready to be placed in public-facing deployments.  As such, new security updates may be applied with each release, and each release is actively vetted by rigorous security processes.

Where Symantec Enterprise Division Development does not list the CVEs as a fixed package, but the CVE has been reviewed, an explanation is given on what the status of the CVE may be as it applies to the Encryption Management Server.

Vulnerability scanners typically scan for specific package versions and are not usually attempting to exploit any actual vulnerability.  The Encryption Management Server uses customized packages and is itself a customized Linux operating system based on CentOS.

The Encryption Management Server may still come up in those scans because the server is a customized Linux operating system, and its packages may not correspond with what the vulnerability scanners expect to find.  This does not mean the server is still susceptible to the CVE listed, but that we package the fixes differently.  In fact, Symantec Enterprise Division Development documents all the CVEs that are fixed in these packages.



Important Notes:
Installing third-party applications, or using customized scripts outside of written/contractual approvals/agreements is not supported and may void the support warranty.  Symantec Encryption Management Server is scanned for security and is considered a locked box, similar to an appliance.  As a result, SEMS is considered a secure device, and making changes to the system could introduce security-related issues.  Installing any third-party software is therefore highly discouraged and is not supported.  For more information on this topic, see article 206673.

If any further information is needed for any of the items discussed in this article, contact support for more assistance. 

Resolution

CVE reports are obtained in various ways, but the most common method is through a security scanner that will inquire which packages exist on the PGP server.  Security applications, scanners, or otherwise should never be allowed to be installed on the Symantec Encryption Management Server (PGP Server).  Doing so could introduce potential security concerns and could also void the support warranty.  

In addition to installing third-party scanners as mentioned above, running scans in an "Authenticated" fashion should be done with extreme care.  Never provide the credentials to the command line interface (SSH Access or otherwise) in order to perform a scan.  If the PGP server needs to be scanned for packages, run a command to dump all the RPM packages that reside on the PGP server and provide this to the appropriate security team for review.  Providing command line access via credentials gives too much access to data and other critical components in the filesystem and should never be given to anyone who is not directly responsible for the data that resides on the server.   

If you need to get a full list of all the RPMs installed on the PGP server to be provided to your security team, you can do so by running the following command:

rpm -qa >> /tmp/rpm-dump-pgp-server.log

This file can then be copied off of the PGP server and provided to the security team for review. 

For further guidance on this, please reach out to Symantec Encryption Support.

 

It is possible to create an output of all the CVEs that have been included in a specific version of Symantec Encryption Management Server.  To do so, SSH access to the Encryption Management Server is required.  To output all the CVEs that have been resolved, run the following command:

rpm -qa --changelog | grep CVE | sort > /tmp/CVE-List.txt

TIP: For convenience, a full dump of the Red Hat Kernel Changelog has been attached to this article, however, this same information is available on any version of SEMS needed.  Check the Download Files section of the article on the top-right hand corner of the screen to download these files.

Once this command has been run, it will build a list of all the CVEs that have been addressed in the installed packages.  It is then possible to grep for a specific CVE.

In this example, CVE-2007-2953 is searched for by running the following command from the directory that holds CVE-List.txt (/tmp in the command above):

 

grep -i CVE-2007-2953 CVE-List.txt

 

If the CVE was included in a version of Symantec Encryption Management Server, the results will be displayed as is the case in the following example:

 

[root@keys ~]# grep -i CVE-2007-2953 CVE-List.txt
- add fixes for CVE-2007-2953 and CVE-2008-2712
- add fixes for CVE-2007-2953 and CVE-2008-2712
- add fixes for CVE-2007-2953 and CVE-2008-2712

 

This output indicates the fix was included in one of the packages.  The output does not give full details of the fix; it only shows that the fix was included.

If the CVE does not show up in the list, please see below for other information related to the CVE.
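
The single-CVE lookup above can be run for a whole scanner report at once. The following is an added example, not part of the original article and not Symantec tooling: a POSIX shell script for the analyst's workstation that works on a copy of /tmp/CVE-List.txt taken off the server. The function names, the scanner-report layout and the sample file contents are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Symantec tooling). Run on an analyst workstation against
# files copied off the server, never on the Encryption Management Server itself.

# extract_cves FILE
# Print the unique CVE IDs found anywhere in FILE, upper-cased, one per line.
extract_cves() {
    grep -oiE 'CVE-[0-9]{4}-[0-9]{4,}' "$1" | tr 'a-z' 'A-Z' | sort -u
}

# triage_cves CHANGELOG_LIST SCANNER_REPORT
# For each CVE ID in the scanner report print one line:
#   "<id> in-changelog"      the ID appears in the exported RPM changelog list
#   "<id> not-in-changelog"  look the ID up in the per-CVE notes of the article
triage_cves() {
    changelog_ids=$(extract_cves "$1")
    extract_cves "$2" | while read -r id; do
        # -x -F: whole-line, fixed-string match, so an ID can never match
        # as a prefix of a longer ID the way a plain substring grep could.
        if printf '%s\n' "$changelog_ids" | grep -qxF "$id"; then
            echo "$id in-changelog"
        else
            echo "$id not-in-changelog"
        fi
    done
}

# demo: build constructed sample inputs in a temp directory and triage them.
demo() {
    dir=$(mktemp -d) || return 1

    # Constructed stand-in for /tmp/CVE-List.txt, using changelog lines
    # quoted in the article (repeats are normal: several packages share a fix).
    cat > "$dir/CVE-List.txt" <<'EOF'
- add fixes for CVE-2007-2953 and CVE-2008-2712
- add fixes for CVE-2007-2953 and CVE-2008-2712
- [net] tcp: make challenge acks less predictable (Florian Westphal) [1355606 1355607] {CVE-2016-5696}
EOF

    # Constructed scanner export; host name, ports and layout are hypothetical.
    cat > "$dir/scanner-report.txt" <<'EOF'
keys.example.test,443,CVE-2007-2953,constructed finding
keys.example.test,443,cve-2017-5638,constructed finding
keys.example.test,161,CVE-1999-0472,constructed finding
keys.example.test,0,CVE-2016-5696,constructed finding
keys.example.test,443,CVE-2007-2953,constructed duplicate
EOF

    triage_cves "$dir/CVE-List.txt" "$dir/scanner-report.txt"
    rm -rf "$dir"
}

demo
```

An ID reported as not-in-changelog is not automatically a finding: it is the set to check against the per-CVE conclusions listed in the rest of this article.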

CVEs that are not on the list above as having a package fixing the issue, but that have shown up in vulnerability scans, are listed below with more information:

 

PGP Key Generation:
All keys generated by Symantec Encryption products are generated using the unmodified output of a NIST SP800-90A approved DRBG.
 

Description: Symantec Encryption Management Server and Diffie-Hellman Primes
Some Vulnerability scanners may flag Symantec Encryption Management Server as using DH Primes (aka Groups).
Conclusion: If some scanners flag Symantec Encryption Management Server as using DH Primes, this does not mean it is vulnerable to attack.  As stated on the researcher's site, "If you have a web or mail server, you should disable support for export cipher suites and use a 2048-bit Diffie-Hellman group."
Symantec Encryption Management Server already uses a safe 2048-bit Diffie-Hellman Prime.  Specifically, Symantec Encryption Management Server uses a Prime of 14 (Group 14), which the researcher has stated is safe.  As a result, these scanners are displaying false positives.
Etrack: 4181957

TLS 1.0/1.1 Protocol
Symantec Encryption Management Server 3.4.2 MP2 and above use TLS 1.2 exclusively for all communications, including the Administration portal, Symantec Encryption Desktop connections and Web Email Protection.  All these services use TLS 1.2 sessions for maximum security.  Symantec Encryption Management Server does continue to make TLS 1.0/1.1 available to enable legacy clients to communicate with the server, but will not use this service for Web Email Protection, the web interface on any port, or any of its services.  TLS 1.0/1.1 are disabled by default starting with SEMS 3.4.2 MP2 and above.


Security Scans show HTTP Security Header Not Detected for Symantec Encryption Management Server
CVE: n/a
Headers mentioned in the Security Scan:
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Conclusion:
These HTTP Security Headers apply to browsers and instruct the browser to behave securely.  Not having these headers does not introduce any vulnerability on the server.  Following browser security best practices and using security products such as Symantec Endpoint Protection can help protect browsers from attack.

The following are the headers typically included in security scans, the status of each, and how it relates to SEMS:
X-Frame-Options
X-XSS-Protection
Status:
SEMS already supports these headers.  Scans citing these headers as missing are false positives and do not actually attempt to exploit any attack mentioned in the scan.


X-Content-Type-Options
Status:
SEMS does not support the header “X-Content-Type-Options: nosniff” as it can cause issues with some browsers. However, Symantec continues to investigate the possibility of including this header in a future release of SEMS.


Content-Security-Policy
Strict-Transport-Security (HSTS HTTP Strict Transport Security)
Status:
These headers help the browser know that HTTPS should be used with a given application.  SEMS 3.4.2 MP1 and older already explicitly force HTTPS for all applicable applications through an alternate, browser-independent method on the server.  
SEMS 3.4.2 MP2 now uses "content-security-policy" and "strict-transport-security".  To avoid this showing up on your scans, update to SEMS 3.4.2 MP2.


Cache-Control

Status: Scans will erroneously state Symantec Encryption Management Server uses no-cache improperly.  SEMS does use the Cache-Control HTTP header when sending confidential information.


Cookie Set Without HTTPOnly Attribute

Description: Vulnerability scanners may report Symantec Encryption Management Server uses cookies without the HTTPOnly attribute set during authentication operations, an attribute setting which may help prevent session hijacking and XSS attacks.
Conclusion: Setting the HTTPOnly attribute for cookies is recommended, *unless* the application needs to access the cookie through a script.  Symantec Encryption Management Server needs to access the cookie in this way, and as a result, the attribute must not be set.  All necessary precautions are taken in how cookies are used to protect against actual XSS attacks on the server.
Etracks: 3675669, 4163931
Additional References:
https://www.owasp.org/index.php/HttpOnly


*DNS cache poisoning/DNS Redirection
*Host Header Redirection/URL Redirection
*Host Header injection/manipulation

Description: Vulnerability scans may report Symantec Encryption Management Server as prone to the above manipulations.  If these manipulations happen, the SEMS potentially could redirect credentials, DNS lookups to external sources, URLs, or other items.  These reports cite host header methods that may be in place and allow such activities, such as TRACE methods, OPTIONS methods, or otherwise.
Conclusion: Symantec Encryption Management Server uses some options mentioned above; however, all of these types of attacks deal with client exploits, rather than server weaknesses.  This means the attacker would need to take control over the client machine/browser to be able to attempt these attacks.  If a client is compromised, much more serious attacks could be carried out which a server-side setting would not prevent.

As a result, making these changes does not add more security for the end user, because these attacks rely on the client being exploited first.  To fully mitigate these attacks, it is necessary to run endpoint security software, such as Symantec Endpoint Protection, which would protect against clients being compromised. 
Etracks: 3838822, 3984326, 3949226, 4201304, 4202454
Additional References:
https://cwe.mitre.org/data/definitions/406.html
https://cwe.mitre.org/data/definitions/918.html


Are Symantec Encryption Products affected by Meltdown/Spectre (CVE-2017-5753,  CVE-2017-5715, and CVE-2017-5754)?

For more information on Meltdown and Spectre, see article Meltdown and Spectre: Are Encryption Products Affected?.


Symantec Encryption Management Server 3.3/3.4 (SEMS)/Symantec Endpoint Encryption Management Server 11 (SEEMS) and Apache Struts
CVE examples:
CVE-2018-11776, CVE-2014-0114, CVE-2015-0899, CVE-2016-6795, CVE-2017-5638, CVE-2021-31805
Neither Symantec Encryption Management Server nor Symantec Endpoint Encryption Management Server, nor the managed clients (Symantec Encryption Desktop/Symantec Endpoint Encryption), use Apache Struts, so any such finding would be a false positive.  No security report concerning Apache Struts affects SEMS or SEEMS, as it is not installed on either of these servers.


Symantec Decomposer Engine Vulnerability Report SYM16-010

The Symantec Encryption product family is not affected by this report.
See the Symantec Security Advisories page for more information on this report.


LDAP Anonymous Directory Access Permitted to Symantec Encryption Management Server
Description: This sometimes comes up in certain vulnerability scans stating too much access is provided anonymously.  This is the intended behavior and works this way in order to provide keys for secure data exchange.  Encryption Management Server is used as a keyserver and as such, makes keys available for searches based on anonymous bind.
No other information, and no other part of the server containing user information, is made available except those keys, which are intended to be found, and this is secure.  This applies to all versions of Symantec Encryption Management Server.


LDAP NULL BASE for Symantec Encryption Management Server keyserver service
Some vulnerability scanners may flag Symantec Encryption Management server as having an “LDAP NULL BASE”.  LDAP NULL BASE is provided to search for public keys on Symantec Encryption Management Server without the need to enter specific information on the keyserver for a successful return of public keys.  This does not, however, provide any further access to the server other than finding public keys.  Many LDAP servers require authentication and may feature non-public information.  The public keyserver on Symantec Encryption Management Server is an LDAP service that requires no authentication and contains only public information so there is no concern in allowing a null base.


Some Scanners report weak ciphers enabled on Symantec Encryption Management Server for SSH
CVE: n/a

Conclusion: Although some scanners flag Symantec Encryption Management Server for weak algorithms on SSH, these alerts are false positives.  Symantec Encryption Management Server already includes the vendor’s fix that detects and negates attacks against weak ciphers.
Update Jan 30, 2019: Although SEMS did not use weak ciphers by default, SEMS 3.4.2 MP2 updated the list of ciphers and will prevent these from being displayed in security scans.
Etrack: 4001689


Description: Some scanners report weak ciphers being enabled on Symantec Encryption Management Server for TLS

CVE: n/a
Conclusion: By default, Symantec Encryption Management Server is explicitly configured to use strong encryption ciphers for TLS, but may fall back to legacy ciphers if a client refuses to use stronger ciphers.
Update Jan 30, 2019: Although SEMS did not use weak ciphers by default, SEMS 3.4.2 MP2 updated the list of ciphers and will prevent these from being displayed in security scans.
Etrack: 4001685


Is SEMS 3.4.1 RFC 5961 compliant?

CVE: n/a
Etrack: 4061079
Conclusion: As per the RHEL Kernel Changelog, SEMS 3.4.1 is fully RFC 5961 compliant.  See attached changelog for more details including resolved CVE-2016-5696 related to this report.
kernel 2.6.32-642.6.1.el6
- [net] tcp: make challenge acks less predictable (Florian Westphal) [1355606 1355607] {CVE-2016-5696}
kernel 2.6.32-564.el6 change log
- [net] conntrack: RFC5961 challenge ACK confuse conntrack LAST-ACK transition (Jesper Brouer) [1200541 1212801]
- [net] tcp: Restore RFC5961-compliant behavior for SYN packets (Jesper Brouer) [1200541 1212801]
kernel 2.6.32-364.el6 change log
- [net] tcp: RFC 5961 5.2 Blind Data Injection Attack Mitigation (Weiping Pan) [843126]
- [net] tcp: refine SYN handling in tcp_validate_incoming (Weiping Pan) [843126]
- [net] tcp: implement RFC 5961 4.2 (Weiping Pan) [843126]
- [net] tcp: implement RFC 5961 3.2 (Weiping Pan) [843126]


Is Symantec Encryption Management Server vulnerable to the CWE-203, AKA ROBOT Attack?

Symantec Engineering and Security teams have reviewed this report and have found the SEMS to not be vulnerable. 
Etrack: 4148363
Additional References:
http://www.kb.cert.org/vuls/id/144389
https://robotattack.org/


CVE-1999-0472
Description:
The SNMP default community name "public" is not properly removed in NetApps C630 Netcache, even if the administrator tries to disable it.
Conclusion: SNMP is disabled by default on Symantec Encryption Management Server, and when a Symantec Encryption Management Server Administrator enables SNMP, it defaults to the public community string.  Nothing in the data provided via SNMP can be used to gain access to the system.
Etrack: 3190697
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0472
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0472


CVE-2002-1378
Description:
Multiple buffer overflows in OpenLDAP2 (OpenLDAP 2) 2.2.0 and earlier allow remote attackers to execute arbitrary code
Conclusion: This has to do with openldap version 2.2.0 and earlier.  Symantec Encryption Management Server uses "openldap-2.3.43-12" and the reason this shows up in scanners is these bundles are customized with a PGP package, causing the scanners to not pick up what is expected.
To check the version via SSH (Read-only), run: rpm -qa |grep openldap
This will provide the current version Symantec Encryption Management Server uses.
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1378
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1378


CVE-2002-1379 
Description:
OpenLDAP2 (OpenLDAP 2) 2.2.0 and earlier allows remote or local attackers to execute arbitrary code when libldap reads the .ldaprc file within applications
Conclusion: This has to do with openldap version 2.2.0 and earlier.  Symantec Encryption Management Server uses "openldap-2.3.43-12" and the reason this shows up in scanners is these bundles are customized with a PGP package, causing the scanners to not pick up what is expected.
To check the version via SSH (Read-only), run: rpm -qa |grep openldap
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-1379   
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1379


CVE-2003-1418
Description:
Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header
Conclusion: Although Symantec Encryption Management Server uses a different version than reported here, this was found to be an issue and has been fixed in Symantec Encryption Management Server 3.3.0 MP3 (Build 9307) and above.
Etrack: 3113829, 2472470, 2473521
Additional References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1418
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418


CVE-2004-0230
Description:
TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service
Conclusion: In order to perform a connection reset, an attacker would need to know the source and destination IP addresses and ports, as well as being able to guess the sequence number within the window, which is generally short-lived.  These requirements greatly reduce the ability to trigger this connection RST.  The major BGP peers have recently switched to requiring MD5 signatures, which mitigates this attack.
Given the requirements for this, the issue does not pose a serious threat to Symantec Encryption Management Server.  Additionally, Red Hat does not have any plans for action on this issue.
Etrack: 3231917, 3228403
Additional References:
http://lwn.net/Articles/81560/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0230
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0230


CVE-2004-0790
Description: Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack."
Conclusion: This issue was fixed in Red Hat/Fedora Core since Linux kernel 2.6.9.  Symantec Encryption Management Server uses kernel version 2.6.18-371.1.2.el5PAE and is not affected by this report.
Etrack: 3805312
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0790
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0790


CVE-2004-0791
Description: Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets,
Conclusion: This issue was fixed in Red Hat/Fedora Core since Linux kernel 2.6.9.  Symantec Encryption Management Server uses kernel version 2.6.18-371.1.2.el5PAE and is not affected by this report.
Etrack: 3805312
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2004-0791 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0791
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0791


CVE-2004-1060
Description: Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP
Conclusion: This issue was fixed in Red Hat/Fedora Core since Linux kernel 2.6.9.  Symantec Encryption Management Server uses kernel version 2.6.18-371.1.2.el5PAE and is not affected by this report.
Etrack: 3805312
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1060
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-1060


CVE-2006-4110
Description:
Apache 2.2.2, when running on Windows, allows remote attackers to read source code of CGI programs via a request that contains uppercase (or alternate case) characters
Conclusion: This has to do with Apache 2.2.2 on Windows.  Symantec Encryption Management Server uses httpd-2.2.17-3.5 on Linux, so this issue does not apply to Symantec Encryption Management Server.
To find this out on a Symantec Encryption Management Server, run:
rpm -qa |grep httpd
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4110
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4110


CVE-2006-4145
Description:
The Universal Disk Format (UDF) filesystem driver in Linux kernel 2.6.17 and earlier allows local users to cause a denial of service (hang and crash) via certain operations involving truncated files, as demonstrated via the dd command.
Conclusion: CVEs note this is already fixed in 2.6.18 and didn't affect Red Hat Enterprise Linux 5.  Symantec Encryption Management Server has 2.6.18, so it was not vulnerable.  Run 'uname -r' to confirm the kernel version on Symantec Encryption Management Server via SSH.  Furthermore, the changelog states this has been fixed since at least 3.3.0.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2006-4145
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4145
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4145


CVE-2007-1741
Description:
Multiple race conditions in suexec in Apache HTTP Server (httpd) 2.2.3 between directory and file validation.
Conclusion: This does not affect Symantec Encryption Management Server as it requires local user access, which is not granted by the Symantec Encryption Management Server hardened OS. 
Etrack: 2941502
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1741
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1741


CVE-2007-1742
Description:
suexec in Apache HTTP Server (httpd) 2.2.3 uses a partial comparison for verifying whether the current directory is within the document root, which might allow local users to perform unauthorized operations on incorrect directories, as demonstrated using "html_backup" and "htmleditor" under an "html" directory. NOTE: the researcher, who is reliable, claims that the vendor disputes the issue because "the attacks described rely on an insecure server configuration" in which the user "has write access to the document root."
Conclusion: Symantec Encryption Management Server does not configure local users by default, and must be configured manually by a Super User Administrator in order to have access.  No external access to the operating system is provided to users in this way.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-1742
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1742
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1742


CVE-2007-1743
Description:
Suexec in Apache HTTP Server (httpd) 2.2.3 does not verify combinations of user and group IDs on the command line
Conclusion: Similar to CVE-2007-1741, Symantec Encryption Management Server is not affected by this as it requires local user access, which is not granted by Symantec Encryption Management Server.
Etrack: 2941502
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1743
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-1743


CVE-2007-6203
Description:
Apache HTTP Server 2.0.x and 2.2.x does not sanitize the HTTP Method specifier header from an HTTP request when it is reflected back in a "413 Request Entity Too Large" error message
Conclusion: Symantec Encryption Management Server is not affected by this as this attack relies on victims to supply an arbitrary malformed HTTP method to the target site.  This is not possible on Symantec Encryption Management Server.  Previous packages have been improved and do not allow this to be exploited.
Etrack: 2941502
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6203
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6203
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6203


CVE-2007-6388
Description:
Cross-site scripting (XSS) vulnerability in mod_status in the Apache HTTP Server 2.2.0 through 2.2.6, 2.0.35 through 2.0.61, and 1.3.2 through 1.3.39
Conclusion: Symantec Encryption Management Server is not susceptible to this vulnerability and has been patched since version 3.0.  This has been resolved in httpd-2.2.3-11.el5_1.3.i386.rpm and mod_ssl-2.2.3-11.el5_1.3.i386.rpm.
Symantec Encryption Management Server 3.3.0 runs httpd-2.2.17-3.5pgp and contains the fix for this.
Etrack: 2472471
Additional References:
https://rhn.redhat.com/errata/RHSA-2008-0008.html#Red
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6388
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6388


CVE-2007-6420
Description:
Cross-site request forgery (CSRF) vulnerability in the balancer-manager in mod_proxy_balancer for Apache HTTP Server 2.2.x
Conclusion: Red Hat does not plan on correcting this issue as it poses a very low security risk.  The balancer manager is not enabled by default and the user targeted by the CSRF would need to be authenticated.  The consequences of an exploit would be limited to a web server denial of service.
Etrack: 2941502
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6420
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6420
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6420


CVE-2007-6750
Description:
The Apache HTTP Server 1.x and 2.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests.
Conclusion: This has been resolved in 3.3.1 MP1 (Build 13266) and above.   If updating to this version is not possible, contact support for a workaround that can be applied via SSH.  Reference this article when contacting support.
Etrack: 3310403
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6750
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6750
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-6750


CVE-2008-0005
Description:
mod_proxy_ftp in Apache 2.2.x before 2.2.7-dev, 2.0.x before 2.0.62-dev, and 1.3.x before 1.3.40-dev does not define a charset
Conclusion: Symantec Encryption Management Server is not susceptible to this vulnerability and has been patched since version 3.0.
This has been resolved in httpd-2.2.3-11.el5_1.3.i386.rpm and mod_ssl-2.2.3-11.el5_1.3.i386.rpm (Red Hat Enterprise Linux v. 5 server)
Symantec Encryption Management Server 3.3.0 runs httpd-2.2.17-3.5pgp and contains the fix for this.
Etrack: 2472471
Additional References:
https://rhn.redhat.com/errata/RHSA-2008-0008.html#Red
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-0005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0005
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0005


CVE-2008-2168
Description:
Cross-site scripting (XSS) vulnerability in Apache 2.2.6 and earlier allows remote attackers to inject arbitrary web script or HTML via UTF-7 encoded URLs that are not properly handled when displaying the 403 Forbidden error page.
Conclusion: It appears Apache 2.2.6 is vulnerable; however, Symantec Encryption Management Server 3.3.2 uses httpd version 2.2.17 and Apache Tomcat 7.0.27.  These don't appear to be affected according to the description.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2168
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2168
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2168


CVE-2008-2364
Description:
The ap_proxy_http_process_response function in mod_proxy_http.c in the mod_proxy module in the Apache HTTP Server 2.0.63 and 2.2.8 does not limit the number of forwarded interim responses
Conclusion: Symantec Encryption Management Server is not susceptible to this vulnerability and has been patched since version 3.0.  This issue has been resolved in httpd-2.2.3-11.el5_2.4.i386.rpm and mod_ssl-2.2.3-11.el5_2.4.i386.rpm.
Symantec Encryption Management Server 3.3.0 runs httpd-2.2.17-3.5pgp and contains the fix for this.
Etrack: 2472473
Additional References:
https://rhn.redhat.com/errata/RHSA-2008-0967.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2008-2364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2364
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2364


CVE-2009-1191
Description:
mod_proxy_ajp in Apache httpd 2.2.11 allows remote attackers to obtain sensitive information via an arbitrary request from a HTTP client, in opportunistic circumstances involving a request from a different client that included a Content-Length header but no POST data.
Conclusion: Symantec Encryption Management Server uses httpd version 2.2.17 and Apache Tomcat 7.0.27, so it is not affected by this CVE.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1191
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1191
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1191


CVE-2009-3720
Description:
The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.
Conclusion:  This has been addressed since Symantec Encryption Management Server 3.3.0.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-3720
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3720
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3720


CVE-2009-5138

Description: GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled
Conclusion: Symantec Encryption Management Server does not use GnuTLS for any of its secure transactions.  OpenSSL is used instead and is not vulnerable to this report.  Furthermore, starting with Symantec Encryption Management Server 3.3.2 MP3, GnuTLS is no longer included as a package.
Etrack: 3453811
Additional References:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-5138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-5138
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-5138


CVE-2010-0425
Description:
modules/arch/win32/mod_isapi.c in mod_isapi in the Apache HTTP Server 2.0.37 through 2.0.63, 2.2.0 through 2.2.14, and 2.3.x before 2.3.7, when running on Windows
Conclusion: Only applies to Windows.  Symantec Encryption Management Server runs on Linux using CentOS.
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0425
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0425


CVE-2010-5298
Description:
Race condition in the ssl3_read_bytes function in s3_pkt.c in OpenSSL through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, allows remote attackers to inject data across sessions or cause a denial of service (use-after-free and parsing error) via an SSL connection in a multithreaded environment.
Conclusion: This does not apply to the version of OpenSSL included with Symantec Encryption Management Server, which is therefore not vulnerable.  Symantec Encryption Management Server 3.3.2 MP1 and previous use version 0.9.8e-26-el5_9.1.  Symantec Encryption Management Server 3.3.2 MP2 and above use OpenSSL 0.9.8e-27.el_10.3.
Etrack: 3544560
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-5298
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298
https://access.redhat.com/security/cve/CVE-2010-5298


CVE-2011-1958
Description:
Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows user-assisted remote attackers to cause a denial of service
Wireshark (64bit): NULL pointer dereference by processing of a corrupted Diameter dictionary file
Affects Wireshark packages shipped with RHEL 5.  CVE site states Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 is affected.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4 so none of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1958
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1958
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1958


CVE-2011-0411
Description: postfix: SMTP commands injection during plaintext to TLS session switch
Conclusion: This was fixed in SEMS 3.3.1 and documented in the changelog.
Etrack: 2476393
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-0411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0411
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-0411
 
 
CVE-2011-1430
Description: The STARTTLS implementation in the server in Ipswitch IMail 11.03 and earlier does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Conclusion: SEMS does not use Ipswitch for any STARTTLS session and as a result, this report does not apply to SEMS.
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1430
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1430
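
The I/O buffering flaw described for CVE-2011-0411 and CVE-2011-1430 above, as an added example (not Symantec, Postfix, or Ipswitch code): a simulated SMTP command reader with no network I/O, in which a command that arrived in cleartext is executed as if it had come over TLS, next to the same reader discarding buffered input when STARTTLS is accepted. The class, function names, and wire bytes are constructed for illustration.

```python
"""Simulated SMTP command reader; constructed for illustration, no network I/O."""


class SmtpReader:
    """Line-buffered SMTP command reader with an optional STARTTLS flush."""

    def __init__(self, flush_on_starttls):
        self.flush_on_starttls = flush_on_starttls
        self.buf = b""          # bytes received but not yet parsed into commands
        self.clear_pending = 0  # bytes at the front of buf that arrived in cleartext
        self.tls_active = False
        self.executed = []      # (command, treated_as, arrived_as)
        self.discarded = b""    # bytes dropped by the hardened path

    def feed_cleartext(self, data):
        """Bytes read from the socket before the TLS handshake."""
        self.buf += data
        self.clear_pending += len(data)
        self._drain()

    def feed_tls(self, data):
        """Application data decrypted from the TLS channel."""
        if not self.tls_active:
            raise RuntimeError("TLS data before STARTTLS")
        self.buf += data
        self._drain()

    def _drain(self):
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            arrived_as = "cleartext" if self.clear_pending > 0 else "tls"
            self.clear_pending = max(0, self.clear_pending - len(line) - 2)
            command = line.decode("ascii", "replace")
            treated_as = "tls" if self.tls_active else "cleartext"
            self.executed.append((command, treated_as, arrived_as))
            if command.upper() == "STARTTLS" and not self.tls_active:
                if self.flush_on_starttls:
                    # Hardened: nothing buffered before the handshake survives it.
                    self.discarded, self.buf = self.buf, b""
                    self.clear_pending = 0
                # The TLS handshake would run here. The vulnerable reader keeps
                # whatever is still in buf and parses it as protected input.
                self.tls_active = True


# Constructed wire data: the second segment carries STARTTLS plus one extra
# command that was appended in cleartext before the handshake.
CLEARTEXT_SEGMENTS = [b"EHLO client.example\r\n", b"STARTTLS\r\nRSET\r\n"]
TLS_SEGMENTS = [b"EHLO client.example\r\n", b"NOOP\r\n"]


def replay(flush_on_starttls):
    """Run the constructed session through a reader and return the reader."""
    reader = SmtpReader(flush_on_starttls)
    for segment in CLEARTEXT_SEGMENTS:
        reader.feed_cleartext(segment)
    for segment in TLS_SEGMENTS:
        reader.feed_tls(segment)
    return reader


def injected_commands(reader):
    """Commands executed with TLS-level trust that never travelled over TLS."""
    return [command for command, treated_as, arrived_as in reader.executed
            if treated_as == "tls" and arrived_as == "cleartext"]


if __name__ == "__main__":
    for flush in (False, True):
        result = replay(flush)
        print("flush_on_starttls=%s injected=%r discarded=%r"
              % (flush, injected_commands(result), result.discarded))
```
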
 

CVE-2011-1431

Description: The STARTTLS implementation in qmail-smtpd.c in qmail-smtpd in the netqmail-1.06-tls patch for netqmail 1.06 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Conclusion: SEMS does not use qmail-smtpd for any STARTTLS session and as a result, this report does not apply to SEMS.
Etrack: n/a
Additional References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1431
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1431
 

CVE-2011-1432

Description: The STARTTLS implementation in SCO SCOoffice Server does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Conclusion: SEMS does not use SCOoffice for any STARTTLS session and as a result, this report does not apply to SEMS.
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1432
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1432
 

CVE-2011-1506

Description: The STARTTLS implementation in Kerio Connect 7.1.4 build 2985 and MailServer 6.x does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411. NOTE: some of these details are obtained from third party information.
Conclusion: SEMS does not use Kerio for any STARTTLS session and as a result, this report does not apply to SEMS.
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1506
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1506


CVE-2011-1959
Description:
Wireshark: Stack-based buffer over-read from tvbuff buffer when reading snoop capture files
The snoop_read function in wiretap/snoop.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 does not properly handle certain virtualizable buffers. Affects Wireshark packages shipped with RHEL 5.  CVE states Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 is affected.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1959
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1959


CVE-2011-2165

Description: The STARTTLS implementation in WatchGuard XCS 9.0 and 9.1 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.
Conclusion: SEMS does not use WatchGuard for any STARTTLS session and as a result, this report does not apply to SEMS.
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2165
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2165


CVE-2011-2175
Description:
Wireshark: Heap-based buffer over-read in Visual Networks dissector
Integer underflow in the visual_read function in wiretap/visual.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a malformed Visual Networks file that triggers a heap-based buffer over-read.  Affects Wireshark packages shipped with RHEL 5.  CVE site states Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 is affected.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2175
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2175
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2175


CVE-2011-2698
Description:
Wireshark: Infinite loop in the ANSI A Interface (IS-634/IOS) dissector.  Affects Wireshark packages shipped with RHEL 5.  CVE site states Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 is affected.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2698
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2698
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2698


CVE-2011-3389
Description:
HTTPS: block-wise chosen-plaintext attack against SSL/TLS (BEAST)
Conclusion: Symantec Encryption Management Server 3.4 uses TLS 1.2 and is not affected by this report.  Furthermore, if updating to Symantec Encryption Management Server 3.4 is not immediately possible, Symantec Encryption Management Server does not use any external content by default, so these attacks are not feasible against users connecting to the Symantec Encryption Management Server.  These attacks require an attacker to know the exact bytes and location of those bytes *before* the client sends them to the server.  Due to the Symantec Encryption Management Server architecture, there is no possibility of putting a client in a compromising position unless introduced by custom content.  Customers should take extra precautions when customizing UI or templates to ensure external JavaScript is not used.  Although audits detect these false positives for BEAST, CRIME, and POODLE, exploiting these vulnerabilities on the server is not possible by default.
Etrack: 3049666
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3389
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3389
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3389


CVE-2011-4102
Description:
Wireshark: buffer overflow in the ERF file reader.  A buffer overflow flaw was found in the way that Wireshark 1.4.0 through 1.4.9 and 1.6.0 through 1.6.2 handled reading ERF files.  Affects Wireshark packages shipped with RHEL 5.  CVE site states Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 is affected. 
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4102
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4102
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4102


CVE-2011-4317
Description:
The mod_proxy module in the Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64, and 2.2.x through 2.2.21, when the Revision 1179239 patch is in place, does not properly interact with use of (1) RewriteRule and (2) ProxyPassMatch pattern matches
Conclusion: Not affected as per analysis by Red Hat.  See reference https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4317
Etrack: 2941502
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4317
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4317


CVE-2011-4415
Description:
The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service.
Conclusion: Exploiting this requires local (command line) access to Symantec Encryption Management Server, which the server does not allow by default and is locked down.  There are no reported methods of exploiting this without local access to the server.  To exploit this, "the attacker needs to be able to place a crafted .htaccess file on the server", something Symantec Encryption Management Server does not allow anyone to do unless local access to the server is obtained, which is configured only via the Symantec Encryption Management Server Superuser Admin account.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4415
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4415


CVE-2011-4577
Description:
openssl: malformed RFC 3779 data can cause assertion failures
Conclusion: The file used for packaging openssl does not use the 'enable-rfc3779' parameter for configuration, so the package is not vulnerable to this exploit.
Etrack: 3229635
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-4577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4577
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4577


CVE-2012-0027
Description:
OpenSSL: invalid GOST parameters DoS attack
Conclusion: Symantec Encryption Management Server does not use GOST parameters, and is therefore not vulnerable to this.
To confirm on Symantec Encryption Management Server, run the following via SSH access:
openssl engine gost -t -c -vvvv
The output should report that the GOST engine is not available.
Etrack: 3229635
Additional References:
http://www.openssl.org/news/secadv_20120104.txt
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0027
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0027
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0027


CVE-2012-0041
Description:

Wireshark: multiple file parser vulnerabilities (wnpa-sec-2012-01)
The dissect_packet function in epan/packet.c in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) via a long packet in a capture file, as demonstrated by an airopeek file.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0041
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0041
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0041


CVE-2012-0042
Description:
Wireshark: NULL pointer vulnerabilities (wnpa-sec-2012-02)
Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 does not properly perform certain string conversions.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0042
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0042


CVE-2012-0066
Description:
Wireshark: DoS via large buffer allocation request. Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service (application crash) via a long packet.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0066
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0066


CVE-2012-0067
Description:
Wireshark: DoS due to integer overflow in IPTrace capture format parser
wiretap/iptrace.c in Wireshark 1.4.x before 1.4.11 and 1.6.x before 1.6.5 allows remote attackers to cause a denial of service.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0067
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0067


CVE-2012-0883
Description:
Red Hat Enterprise Linux and Fedora httpd packages are unaffected due to the httpd-*-apctl.patch being applied which removes support for reading in the envvars file, where this flaw originates.
Conclusion: Symantec Encryption Management Server is not affected by this as it requires local user access, which is not granted by Symantec Encryption Management Server.
Etrack: 2941502
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0883
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0883
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0883


CVE-2012-2141
Description:
Net-snmp: Array index error, leading to out-of heap-based buffer read (snmpd crash).
Array index error in the handle_nsExtendOutput2Table function in agent/mibgroup/agent/extend.c in Net-SNMP 5.7.1 allows remote authenticated users to cause a denial of service (out-of-bounds read and snmpd crash) via an SNMP GET request for an entry not in the extension table.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses net-snmp-5.3.2.2-17.1pgp, so it is not vulnerable to this report.
Etrack: 3200333
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2141
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2141
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2141


CVE-2012-2131
Description:
openssl: incomplete fix of CVE-2012-2110 for 0.9.x
As per Red Hat:
"As there were no Red Hat Enterprise Linux or Fedora updates released with an incomplete fix, they are not affected by this CVE.
Statement: Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, 5 and 6, as there were no updates released with an incomplete CVE-2012-2110 fix."
Conclusion: Symantec Encryption Management Server runs CentOS 5, and is therefore unaffected by this.
Etrack: 3229635
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2131
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2131
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2131


CVE-2012-2687
Description:
Multiple cross-site scripting (XSS) vulnerabilities in the make_variant_list function in mod_negotiation.c in the mod_negotiation module in the Apache HTTP Server 2.4.x before 2.4.3, when the MultiViews option is enabled, allow remote attackers to inject arbitrary web script or HTML via a crafted filename that is not properly handled during construction of a variant list.
Conclusion: The actual Apache httpd version in Symantec Encryption Management Server 3.3.0.9060 (MP1) is 2.2.3-65.  Only Apache httpd 2.2.17 through 2.2.21 are vulnerable.  Although Symantec Encryption Management Server is not vulnerable due to it not using the affected version of Apache httpd, Symantec Encryption Management Server does not load mod_negotiation either, so it is not vulnerable to this CVE for these two reasons.
Etrack: 3212905
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-2687
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2687
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2687


CVE-2012-3417
Description:
Quota: incorrect use of tcp_wrappers
The good_client function in rquotad (rquota_svc.c) in Linux DiskQuota (aka quota) before 3.17 invokes the hosts_ctl function the first time without a host name, which might allow remote attackers to bypass TCP Wrappers rules in hosts.deny.
Conclusion: Symantec Encryption Management Server is not vulnerable to this as there are no rules in the hosts file.  Symantec Encryption Management Server does not run inetd or Quota services.  Symantec Encryption Management Server also blocks all inbound traffic and filters access to services in such a way that they could not be accessed even if they were applicable.
Etrack: 3190743
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3417
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3417
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3417


CVE-2012-3499
Description: 
Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.
Conclusion: The Vulnerability Scanners report this particular CVE properly.  The actual version Symantec Encryption Management Server 3.3.0 uses is 2.2.3-65.  The affected modules are as follows:

mod_imagemap
mod_info
mod_ldap
mod_proxy_ftp
mod_status

Of the modules specified in this CVE, the only module Symantec Encryption Management Server uses is the mod_status module.  Although mod_status is loaded, Symantec Encryption Management Server does not allow any information to be returned, or the malicious injection the CVE describes.  The following steps confirm that this does not affect Symantec Encryption Management Server:

1) Try to access http://<url>/server-status from another machine.
2) Try to use 'wget http://localhost/server-status' directly on the server itself.

When running 'wget http://localhost/server-status' directly on the server itself, the result is a failed connection.

Any issues reported with mod_status have also been patched in 3.3.0 MP3 (Build 9307) and above.
Etrack: 3142514
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3499
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3499
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3499


CVE-2012-4285
Description:
Wireshark: crash due to zero division in DCP ETSI dissector (wnpa-sec-2012-13).
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4285
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4285


CVE-2012-4290
Description:
Wireshark DoS via excessive CPU consumption in CTDB dissector (wnpa-sec-2012-23).  The CTDB dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service.
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4290
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4290
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4290


CVE-2012-4291
Description:
Wireshark: DoS via excessive system resource consumption in CIP dissector (wnpa-sec-2012-20)
The CIP dissector in Wireshark 1.4.x before 1.4.15, 1.6.x before 1.6.10, and 1.8.x before 1.8.2 allows remote attackers to cause a denial of service
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses Wireshark 1.0.15-1.el5_6.4. None of the versions listed as having vulnerabilities are in use by Symantec Encryption Management Server.  Starting with Symantec Encryption Management Server 3.3.1.13100, Wireshark is no longer included as an installed application.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4291
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4291


CVE-2012-4558
Description:
Httpd: XSS flaw in mod_proxy_balancer manager interface
Conclusion: The actual Apache httpd version in Symantec Encryption Management Server 3.3.0.9060 (MP1) is 2.2.3-65.  Only Apache httpd 2.2.17 through 2.2.21 are vulnerable.  Although Symantec Encryption Management Server is not vulnerable due to it not using the affected version of Apache httpd, Symantec Encryption Management Server does not load mod_balancer either, so it is not vulnerable to this CVE for these two reasons.
Etrack: 3212905
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4558
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4558
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4558


CVE-2012-4929
Description:
SSL/TLS CRIME attack against HTTPS
The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data.
Conclusion: This issue is resolved in Symantec Encryption Management Server 3.3.1.13100 and above.
Etrack: 3190713
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-4929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929


CVE-2012-5568
Description:
tomcat: Slowloris denial of service.
Conclusion: This has been resolved in 3.3.1 MP1 (Build 13266) and above.  If updating to this version is not possible, contact support for a workaround that can be applied via SSH.  Reference this article when contacting support.
Etrack: 3299196, 3310403
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5568
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5568


CVE-2012-5669
Description:
Freetype: heap buffer over-read in BDF parsing _bdf_parse_glyphs() (#37906).
The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash)
Conclusion: Symantec Encryption Management Server 3.3.0.9060 uses freetype-2.2.1-28.el5_7.2; however, Symantec Encryption Management Server does not allow users to upload font files, so it is not affected by this vulnerability.
Etrack: 3190748
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-5669
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5669
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5669


CVE-2013-1619
Description:
Gnutls: TLS CBC padding timing attack (lucky-13)
Conclusion: This issue has been resolved in 3.3.1 GA (Build 13100) and above.  Starting with Symantec Encryption Management Server 3.3.2 MP3, GnuTLS is no longer included as a package.
Etrack: 3190753
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1619
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1619


CVE-2013-1896
Description:
mod_dav.c in the Apache HTTP Server before 2.2.25 does not properly determine whether DAV is enabled for a URI.
Conclusion: This issue does not apply to Symantec Encryption Management Server as the server does not use the mod_dav modules, which are required to be affected by this issue.
Etrack: 3275148
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1896
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1896


CVE-2013-2071

Description: tomcat: Information disclosure in asynchronous context when using AsyncListeners that threw RuntimeExceptions
Conclusion: SEMS 3.3.2 MP13 and above use updated versions and are not affected by this report.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2071
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2071


CVE-2013-2187
Description: Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.
Conclusion: This report is for Apache Archiva.  It is unclear how it was flagged, as it does not appear to apply to Symantec Encryption Management Server.  The Red Hat source does not exist, which further validates that this should not apply.
Etrack: n/a
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2187
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2187


CVE-2013-2566
Description: The RC4 algorithm, as used in the TLS protocol and SSL protocol, has many single-byte biases, which makes it easier for remote attackers to conduct plaintext-recovery attacks.
Conclusion: This is a known concern that is currently under review by Symantec Development for final resolution. 
RC4 as it exists on Symantec Encryption Management Server is not easily exploited.  An attacker must record and analyze 1 billion connections to find one weak key (one chance per billion connections) and then it starts over.

BEAST, CRIME, and POODLE require the browser to run the attacker's JavaScript so that the attacker knows what the content is before it gets encrypted by the browser.  Symantec Encryption Management Server does not use any external content by default, so these attacks are not feasible against users connecting to the Symantec Encryption Management Server.  These attacks require an attacker to know the exact bytes and location of those bytes *before* the client sends them to the server.  Due to the Symantec Encryption Management Server architecture, there is no possibility of putting a client in a compromising position unless introduced by custom content.  Customers should take extra precautions when customizing UI or templates to ensure external JavaScript is not used.  Although audits detect these false positives for BEAST, CRIME, and POODLE, exploiting these vulnerabilities on the server is not possible by default.
Starting with Symantec Encryption Management Server 3.3.2 MP11, the RC4 cipher has been removed.
Etrack: 3362451
Additional References:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566


CVE-2013-2929

Description: GnuTLS before 2.7.6, when the GNUTLS_VERIFY_ALLOW_X509_V1_CA_CRT flag is not enabled, treats version 1 X.509 certificates as intermediate CAs
Conclusion: Symantec Encryption Management Server does not use GnuTLS for any of its secure transactions.  OpenSSL is used instead and is not vulnerable to this report.  Furthermore, starting with Symantec Encryption Management Server 3.3.2 MP3, GnuTLS is no longer included as a package.
Etrack: 3453811
Additional References:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2929
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2929


CVE-2013-4286

Description: tomcat: multiple content-length header poisoning flaws
Conclusion: SEMS 3.4.0 and above contain a fix for this.
Etrack: 3506632
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4286


CVE-2013-4322, CVE-2014-0050, CVE-2013-4590
Description: apache-commons-fileupload: denial of service due to too-small buffer size used by MultipartStream
Conclusion: This report is fixed in SEMS 3.4.0 and above.
Etrack: 3618432
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0050
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4322


CVE-2013-4365

Description: mod_fcgid: heap overflow
Conclusion: SEMS does not use mod_fcgid and is not vulnerable to this report.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4365
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4365
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4365


CVE-2013-4483
Description:
The ipc_rcu_putref function in ipc/util.c in the Linux kernel before 3.10 does not properly manage a reference count, which allows local users to cause a denial of service
Etrack: n/a
Conclusion: Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is set up for the administrator via SSH; therefore, this is not applicable.  External users do not have access to this part of the OS.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4483
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4483


CVE-2013-5704

Description: httpd: bypass of mod_headers rules via chunked requests
Conclusion: SEMS 3.4 and above include a fix for this.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-5704
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5704
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5704


CVE-2013-4554
Description:
Xen 3.0.3 through 4.1.x (possibly 4.1.6.1), 4.2.x (possibly 4.2.3), and 4.3.x (possibly 4.3.1) does not properly prevent access to hypercalls, which allows local guest users to gain privileges
Conclusion: This applies only to the Xen kernel.  Symantec Encryption Management Server does not run the Xen kernel and does not run guest operating systems.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4554
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4554
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4554


CVE-2013-6381
Description:
Buffer overflow in the qeth_snmp_command function in drivers/s390/net/qeth_core_main.c in the Linux kernel through 3.12.1 allows local users to cause a denial of service
Conclusion: Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is set up for the administrator via SSH; therefore, this is not applicable.  External users do not have access to this part of the OS.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6381
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6381
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6381


CVE-2013-6383
Description:
The aac_compat_ioctl function in drivers/scsi/aacraid/linit.c in the Linux kernel before 3.11.8 does not require the CAP_SYS_RAWIO capability, which allows local users to bypass intended access restrictions via a crafted ioctl call.
Conclusion: Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is set up for the administrator via SSH; therefore, this is not applicable.  External users do not have access to this part of the OS.  Furthermore, Symantec maintains a hardware compatibility list, given in the Release Notes of each major version, and QA tests each listed hardware configuration specifically.  Many customers choose to install in VMware, which would make this non-applicable.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6383
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6383


CVE-2013-6450, CVE-2013-6449, CVE-2013-4353

Description: openssl: crash in DTLS renegotiation after packet loss
Conclusion: Symantec Encryption Management Server does not use the affected version of openssl in this report and is not affected.
Etrack: 3482319
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6450
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6449
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-4353

CVE-2013-6885
Description:
The microcode on AMD 16h 00h through 0Fh processors does not properly handle the interaction between locked instructions and write-combined memory types, which allows local users to cause a denial of service
Conclusion: Since Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is set up for the administrator via SSH, this is not applicable.  External users do not have access to this part of the OS.  Furthermore, Symantec maintains a hardware compatibility list, given in the Release Notes of each major version, and QA tests each listed hardware configuration specifically.  Many customers choose to install in VMware, which would make this non-applicable.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6885
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6885
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6885


CVE-2013-7263
Description:
The Linux kernel before 3.12.4 updates certain length values before ensuring that associated data structures have been initialized, which allows local users to obtain sensitive information from kernel stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c, net/ipv6/raw.c, and net/ipv6/udp.c
Conclusion: Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is set up for the administrator via SSH; therefore, this is not applicable.  External users do not have access to this part of the OS.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7263
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7263
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7263


CVE-2013-7265
Description:
The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel before 3.12.4 updates a certain length value before ensuring that an associated data structure has been initialized, which allows local users to obtain sensitive information from kernel stack memory
Conclusion: Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is set up for the administrator via SSH; therefore, this is not applicable.  External users do not have access to this part of the OS.  No third-party applications are allowed on the Symantec Encryption Management Server without the written consent of Symantec.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-7265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7265
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7265


CVE-2014-0076
Description:
The Montgomery ladder implementation in OpenSSL through 1.0.0l does not ensure that certain swap operations have a constant-time behavior, which makes it easier for local users to obtain ECDSA nonces via a FLUSH+RELOAD cache side-channel attack.
Conclusion: Symantec Encryption Management Server does not use the Elliptic Curve ciphers.  Furthermore, exploiting this vulnerability requires local access, which is not provided by default.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0076
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0076


CVE-2014-0092

Description: Lib/x509/verify.c in GnuTLS before 3.1.22 and 3.2.x before 3.2.12 does not properly handle unspecified errors when verifying X.509 certificates from SSL servers
Conclusion: Symantec Encryption Management Server does not use GnuTLS for any of its secure transactions.  OpenSSL is used instead and is not vulnerable to this report.  Furthermore, starting with Symantec Encryption Management Server 3.3.2 MP3, GnuTLS is no longer included as a package.
Etrack: 3453811
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0092
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0092
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0092


CVE-2014-0095

Description: Apache Tomcat 8: Denial of service via AJP requests with content length zero
Conclusion: SEMS 3.4 and above now use newer packages of tomcat than offered by RHEL.  SEMS 3.4 and above are not vulnerable to this report.
Etrack: 4059949
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0095
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0095
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0095


CVE-2014-1643
Description:
Symantec Encryption Management Server Web Email Protection View User’s Email
Conclusion: For more information on this vulnerability, please review the Additional References below.
Etrack: 3234187, 3234179, 3234172
Additional References:
See this (http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2014&suid=20140205_00) article for information on this security advisory.
For the Symantec Alert of this advisory, see AL1532.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1643
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1643


CVE-2014-0160
Description:
openssl: information disclosure in handling of TLS heartbeat extension packets
The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug
Conclusion: Symantec Encryption Management Server, as well as other Symantec Encryption products, is not vulnerable to this report.  Symantec Encryption Management Server uses OpenSSL 0.9.8, which is unaffected.
Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1.
Etrack: 3483355
Additional References:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0160
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160


CVE-2014-0195
Description:
The dtls1_reassemble_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly validate fragment lengths in DTLS
Conclusion: Datagram Transport Layer Security (DTLS) provides SSL over UDP.  Symantec Encryption Management Server does not use any DTLS services and is not vulnerable.  Symantec Encryption Management Server only offers SSL over TCP.
Etrack: 3529313
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0195
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0195
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0195


CVE-2014-0198
Description:
The do_ssl3_write function in s3_pkt.c in OpenSSL 1.x through 1.0.1g, when SSL_MODE_RELEASE_BUFFERS is enabled, does not properly manage a buffer pointer during certain recursive calls, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via vectors that trigger an alert condition.
Conclusion: This does not apply to the version of OpenSSL included with Symantec Encryption Management Server, which is therefore not vulnerable.  Symantec Encryption Management Server 3.3.2 MP1 and previous use version 0.9.8e-26-el5_9.1.  Symantec Encryption Management Server 3.3.2 MP2 and above use OpenSSL 0.9.8e-27.el_10.3.
Etrack: 3544560
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0198
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198
https://access.redhat.com/security/cve/CVE-2014-0198


CVE-2014-0221
Description:
The dtls1_get_message_fragment function in d1_both.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (recursion and client crash) via a DTLS hello message in an invalid DTLS handshake.
Conclusion: Datagram Transport Layer Security (DTLS) provides SSL over UDP.  Symantec Encryption Management Server does not use any DTLS services and is not vulnerable.  Symantec Encryption Management Server only offers SSL over TCP.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3529313, 3529315, 3740101, and 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0221
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0221
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0221


CVE-2014-0224
Description:
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications
Conclusion: Symantec Encryption Management Server 3.3.2 MP2 included a fix for this with an updated version of OpenSSL.  Symantec has provided further updates to the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3529315, 3740101, and 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0224
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224


CVE-2013-0485

Description:  IBM JDK: unspecified flaw (Libraries)
Conclusion: This is resolved in SEMS 3.4.0 and above.
Etrack: 3482349
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0485
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0485


CVE-2013-1897

Description: LDAP Anonymous Directory Access Permitted to Symantec Encryption Management Server
Conclusion: This sometimes comes up in certain vulnerability scans, which state that too much access is provided anonymously.  This is the intended behavior: it allows the server to provide keys for secure data exchange.  Encryption Management Server is used as a keyserver and, as such, makes keys available for searches based on anonymous bind.
No other information, and no other part of the server containing user information, is made available except those keys, which are intended to be found, and this is secure.  This applies to all versions of Symantec Encryption Management Server.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1897
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1897
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1897


CVE-2013-6438
Description: httpd: mod_dav denial of service via crafted DAV WRITE request
Conclusion: This is resolved in SEMS 3.4.0 and above.
Etrack: 3482497
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6438
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6438
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6438


CVE-2014-0119

Description: Tomcat/JBossWeb: XML parser hijack by malicious web application
Conclusion: This was resolved in SEMS 3.3.2 MP7 and above
Etrack: 3618432, 3613320
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0119
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0119
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0119


CVE-2014-0878

Description: IBM JDK: Vulnerability in the IBMSecureRandom implementation of the IBMJCE and IBMSecureRandom cryptographic providers
Conclusion: This is specific to the IBM JDK only.  SEMS uses Oracle Java.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-0878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0878
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0878


CVE-2014-1959

Description: Gnutls: incorrect handling of V1 intermediate certificates
Conclusion: Symantec Encryption Management Server does not use GnuTLS for any of its secure transactions.  OpenSSL is used instead and is not vulnerable to this report.  Furthermore, starting with Symantec Encryption Management Server 3.3.2 MP3, GnuTLS is no longer included as a package.
Etrack: 3453811
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-1959
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1959
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-1959


CVE-2014-3470
Description:
The ssl3_send_client_key_exchange function in s3_clnt.c in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h, when an anonymous ECDH cipher suite is used
Conclusion: Symantec Encryption Management Server does not use the Elliptic Curve Diffie–Hellman (ECDH) cipher.
To find out which ciphers are used, run:
openssl ciphers -v
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3470
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3470
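
An added example (not Symantec's code) that post-processes the `openssl ciphers -v` output mentioned above and flags the cipher families this article discusses: ECDH key exchange (CVE-2014-3470), RC4 (CVE-2013-2566) and export suites (CVE-2015-0204). The sample lines are constructed and the function names `classify_ciphers` and `has_family` are assumptions; `openssl ciphers -v` lists what the local OpenSSL build supports under its default cipher string, which can be broader than what a service is configured to offer.

```shell
#!/bin/sh
# Added example: flag cipher families named in this article in `openssl ciphers -v` output.

# Constructed sample in the `openssl ciphers -v` column layout
# (suite name, protocol, Kx=, Au=, Enc=, Mac=, optional "export").
# It is NOT output captured from an Encryption Management Server.
SAMPLE_CIPHERS='DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1'

# classify_ciphers: read `openssl ciphers -v` lines on stdin and print
# "<suite>: <flags>" for every suite that belongs to a flagged family.
# Suites with no flag are omitted, so empty output means nothing was found.
classify_ciphers() {
    awk '
    NF >= 6 {
        flags = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Kx=ECDH/)    flags = flags " ecdh"       # ECDH key exchange (CVE-2014-3470)
            if ($i == "Au=None")    flags = flags " anonymous"  # unauthenticated suite
            if ($i ~ /^Enc=RC4\(/)  flags = flags " rc4"        # RC4 biases (CVE-2013-2566)
            if ($i == "export")     flags = flags " export"     # export grade (CVE-2015-0204)
        }
        if (flags != "") print $1 ":" flags
    }'
}

# has_family FAMILY: exit 0 if any suite on stdin carries FAMILY
# (ecdh, anonymous, rc4 or export), otherwise exit 1.
has_family() {
    classify_ciphers | awk -v want="$1" -F': ' '
    {
        n = split($2, parts, " ")
        for (i = 1; i <= n; i++) if (parts[i] == want) found = 1
    }
    END { exit !found }'
}

# Stand-alone run: classify the constructed sample.
# On a live host use:  openssl ciphers -v | classify_ciphers
printf '%s\n' "$SAMPLE_CIPHERS" | classify_ciphers
```
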


CVE-2014-3566
Description:
openssl: The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data
Conclusion: Symantec Encryption Management Server is not vulnerable to POODLE; however, version 3.3.2 MP9 completely disables the use of SSL v3.0.  For more information, see KB TECH225779.
Etrack: 3642153, 3740101
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-3566
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566
https://access.redhat.com/articles/1232123
https://symiq.corp.symantec.com/support/tSites/SRMSS/srl/Lists/Posts/Post.aspx?ID=952
https://www.openssl.org/~bodo/ssl-poodle.pdf


CVE-2014-4877
Description:
wget: FTP symlink arbitrary filesystem access
Conclusion: Symantec Encryption Management Server does not use wget to perform any of its operations, and exploiting this would require root access to the server, which is not configured by default.
Etrack: 3650952
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-4877
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4877
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-4877


CVE-2014-6271
Description:
Shellshock - bash: specially-crafted environment variables can be used to inject shell commands
Conclusion: Symantec Encryption Management Server is not vulnerable to this report as no unauthenticated remote access is provided to the server via the UI or the command line.
Etrack: 3630417
Additional References:

http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6271
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271


CVE-2014-6277
Description:
bash: untrusted pointer use issue leading to code execution
Conclusion: Symantec Encryption Management Server is not vulnerable to this report as no unauthenticated remote access is provided to the server via the UI or the command line.
Etrack: 3630417
Additional References:


http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6277
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277


CVE-2014-6278
Description:
bash: code execution via specially crafted environment variables
Conclusion: Symantec Encryption Management Server is not vulnerable to this report as no unauthenticated remote access is provided to the server via the UI or the command line.
Etrack: 3630417
Additional References:

https://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-6278
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278


CVE-2014-7169
Description:
bash: code execution via specially-crafted environment (Incomplete fix for CVE-2014-6271)
Conclusion: Symantec Encryption Management Server is not vulnerable to this report as no unauthenticated remote access is provided to the server via the UI or the command line.
Etrack: 3630417
Additional References:

http://www.symantec.com/connect/blogs/shellshock-all-you-need-know-about-bash-bug-vulnerability
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-7169
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169


CVE-2014-7287
Description:
The key-management component in Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allows remote attackers to trigger unintended content in outbound e-mail messages via a crafted key UID value in an inbound e-mail message, as demonstrated by the outbound Subject header.
Conclusion: This is resolved in Symantec Encryption Management Server MP7 and above.
Etrack: 3616161, 3840267
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7287
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7287


CVE-2014-7288
Description: Symantec PGP Universal Server and Encryption Management Server before 3.3.2 MP7 allow remote authenticated administrators to execute arbitrary shell commands via a crafted command line in a database-backup restore action.
Conclusion: This is resolved in Symantec Encryption Management Server MP7 and above.
Etrack: 3673746, 3840267
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7288
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7288
 

CVE-2014-7810
Description: Tomcat/JbossWeb: security manager bypass via EL expressions
Conclusion: This is resolved in Symantec Encryption Management Server MP8 and above.
Etrack: 3723517, 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-7810
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7810
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7810
 

CVE-2014-8176
Description: Invalid free in DTLS
Conclusion: Symantec Encryption Management Server has no services that use DTLS and cannot be impacted by flaws with DTLS.  Furthermore, the version of OpenSSL used by Symantec Encryption Management Server does not have the flawed implementation (RHEL 5 does not use the affected version).
Etrack: 3824996
Additional References:
https://access.redhat.com/security/cve/CVE-2014-8176
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8176
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8176
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8176


CVE-2014-8730
Description: TLS: incorrect check of padding bytes when using CBC cipher suites
Conclusion: As noted in the CVE description: "NOTE: the scope of this identifier is limited to the F5 implementation only".
As Symantec Encryption Management Server is not related to F5, it is not affected, and no version of OpenSSL, TLS, etc., specifically applies to Symantec Encryption Management Server.
Furthermore, the packages listed in the report also do not apply to RHEL 5, 6, or 7 (Symantec Encryption Management Server uses a variant of RHEL 5), as stated at access.redhat.com.
Etrack: 3683901
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-8730
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8730
https://access.redhat.com/security/cve/CVE-2014-8730


CVE-2014-2421
CVE-2014-4216
CVE-2015-0395
CVE-2014-6601
CVE-2015-0412
CVE-2015-0408
CVE-2015-0407
CVE-2015-0406
CVE-2015-0403
CVE-2015-0400
CVE-2015-0484
CVE-2015-0458
CVE-2015-0460
CVE-2015-0492
CVE-2015-0491
CVE-2015-0459
CVE-2015-0469
CVE-2015-0480
CVE-2015-4732
CVE-2015-4733
CVE-2015-2638
CVE-2015-4760
CVE-2015-2628
CVE-2015-4731
CVE-2015-2621
CVE-2015-2619
CVE-2015-2637
CVE-2015-2632
CVE-2015-2596
CVE-2015-4729
Description:
Oracle Java Vulnerability Reports
Conclusion: Applies to client deployment of Java only.  When Oracle mentions client deployment, it means an application that downloads third-party byte-code to execute in the Java virtual machine.  SEMS does not run Java in client deployment mode and faces no risk or impact from client deployment vulnerabilities.  SEMS runs Java services with a web interface that requires authentication.  That means attackers would have to successfully log in before using the service, which rules out remote unauthenticated attackers.  No local, or shell, access is granted via Java services.
Etrack: 3840267
 

CVE-2015-0235
Description:
Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18...aka "GHOST."
Conclusion: None of the Symantec Encryption client products are vulnerable, and neither is the Symantec Endpoint Encryption Server.
Etrack: 3714569
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235


CVE-2015-0204

Description: openssl: only allow ephemeral RSA keys in export ciphersuites (FREAK)
Conclusion: Symantec Encryption Management Server is not affected by this issue as it denies export ciphers through explicit configuration.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3760856, 3740101, 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0204
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0204


CVE-2015-0207

Description: Openssl: DTLS segmentation fault in DTLSv1_listen
Conclusion: Symantec Encryption Management Server is not vulnerable to this report as no services use DTLS.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0207
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0207
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0207


CVE-2015-0208

Description: Openssl: segmentation fault for invalid PSS parameters
Conclusion: Symantec Encryption Management Server is not affected by this report as the PGPSDK handles these operations on the backend.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0208
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0208
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0208


CVE-2015-0209

Description: Openssl: use-after-free on invalid EC private key import
Conclusion: SEMS is not impacted by this report because the implementation of OpenSSL currently being used has no support for elliptic curve keys.  Furthermore, Symantec Encryption Management Server is not affected by this report as the PGPSDK handles these operations on the backend.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0209
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0209
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0209


CVE-2015-0285

Description: Openssl: handshake with unseeded PRNG
Conclusion: Symantec Encryption Management Server is not affected by this report as the issue only manifests in OpenSSL 1.0.2, a version which is not in use by Symantec Encryption Management Server.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0285
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0285


CVE-2015-0286

Description: openssl: invalid pointer use in ASN1_TYPE_cmp()
Conclusion: Symantec Encryption Management Server is not affected by this report as the affected function does not exist in the version of OpenSSL used by SEMS.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0286
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0286
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0286


CVE-2015-0287

Description: Openssl: ASN.1 structure reuse memory corruption
Conclusion: Symantec Encryption Management Server is not affected by this report as the PGPSDK handles these operations on the backend.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3760856, 3740101, 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0287
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0287
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0287


CVE-2015-0288

Description: Openssl: X509_to_X509_REQ NULL pointer dereference
Conclusion: Symantec Encryption Management Server is not affected by this report as the PGPSDK handles these operations on the backend.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3760856, 3740101, 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0288
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0288
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0288


CVE-2015-0289

Description: Openssl: PKCS7 NULL pointer dereference
Conclusion: Symantec Encryption Management Server is not affected by this report as the PGPSDK handles these operations on the backend.  OpenSSL clients and servers are not affected by this report.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3760856, 3740101, 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0289
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0289
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0289


CVE-2015-0290

Description: Openssl: multiblock corrupted pointer
Conclusion: Symantec Encryption Management Server is not affected by this report as the affected logic does not exist in the version of OpenSSL used by Symantec Encryption Management Server.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0290
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0290
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0290


CVE-2015-0291

Description: Openssl: ClientHello sigalgs NULL pointer dereference DoS
Conclusion: Symantec Encryption Management Server is not affected by this report as the affected logic does not exist in the version of OpenSSL used by Symantec Encryption Management Server.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0291
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0291
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0291


CVE-2015-0292

Description: Openssl: integer underflow leading to buffer overflow in base64 decoding
Conclusion: Symantec Encryption Management Server is not affected by this report as the PGPSDK handles these operations on the backend.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3760856, 3740101, 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0292
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0292
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0292


CVE-2015-0293

Description: Openssl: assertion failure in SSLv2 servers
Conclusion: Symantec Encryption Management Server is not impacted by this report as the only service available to remote users that uses OpenSSL is explicitly configured to disallow SSLv2.
Although the Symantec Encryption Management Server is not vulnerable for the reasons mentioned, in response to the security vulnerability, Symantec has updated the version of OpenSSL to openssl-0.9.8e-33.el5_11 in version 3.3.2 MP9.  This also pertains to CVE-2014-3505, CVE-2014-3506, CVE-2014-3508, CVE-2014-3510, and CVE-2014-8275.
Etrack: 3760856, 3740101, 3642153.
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0293
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0293
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0293


CVE-2015-0383
Description: OpenJDK: insecure hsperfdata temporary file handling
Conclusion: This report applies to client and server deployments of Java.  SEMS is not impacted, as unauthenticated remote attackers do not have access to the file system.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0383
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0383
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0383


CVE-2015-0410
Description: OpenJDK: DER decoder infinite loop
Conclusion: Applies to client and server deployments of Java.  SEMS uses the PGP SDK to handle DER-encoded input and is therefore not impacted.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0410
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0410


CVE-2015-1787
Description: Openssl: segmentation fault in client authentication with empty CKE and DHE
Conclusion: Symantec Encryption Management Server is not affected by this report as the affected logic does not exist in the version of OpenSSL used by Symantec Encryption Management Server.
Etrack: 3760856
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1787
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1787


CVE-2015-1793
Description: openssl: alternative chains certificate forgery
Conclusion: This issue affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.  Symantec Encryption Management Server uses OpenSSL 0.9.8e-27.el5_10.3 and is not affected by this report.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1793
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1793
https://www.openssl.org/news/secadv_20150709.txt


CVE-2015-1788
Description: OpenSSL: Malformed ECParameters causes infinite loop
Conclusion: This issue does not affect the versions of openssl package as shipped with Red Hat Enterprise Linux 5, 6 and 7.
Etrack: 3824978
Additional References:
https://access.redhat.com/security/cve/CVE-2015-1788
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1788
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1788

CVE-2015-1789
Description: Exploitable out-of-bounds read in X509_cmp_time
Conclusion: Symantec Encryption Management Server MP11 has resolved this issue.   
Etrack: 3824986
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1789
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1789
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1789


CVE-2015-1790
This issue affects all current OpenSSL versions: 1.0.2, 1.0.1, 1.0.0 and 0.9.8.
Description: PKCS7 crash with missing EnvelopedContent.  An attacker able to make an application using OpenSSL verify, decrypt, or parse a specially crafted PKCS#7 input could cause that application to crash.
Conclusion: Symantec Encryption Management Server MP11 has resolved this issue. 
Etrack: 3824990, 3824986
Additional References:
https://access.redhat.com/security/cve/CVE-2015-1790
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1790
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1790
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1790


CVE-2015-1791
Description: Race condition handling NewSessionTicket
Conclusion: This issue does NOT affect the version of OpenSSL package as shipped with Red Hat Enterprise Linux 5.  Symantec Encryption Management Server is therefore not affected by this report.
Etrack: 3824992
Additional References:
https://access.redhat.com/security/cve/CVE-2015-1791
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1791
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1791
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1791


CVE-2015-1792
Description: CMS verify infinite loop with unknown hash function
Conclusion: This issue does NOT affect the version of OpenSSL package as shipped with Red Hat Enterprise Linux 5.  Symantec Encryption Management Server is therefore not affected by this report.
Etrack: 3824991 
Additional References:
https://access.redhat.com/security/cve/CVE-2015-1792
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-1792
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1792
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1792
 

CVE-2015-2601
Description: OpenJDK: non-constant time comparisons in crypto code
Conclusion: This applies to client and server deployments of Java.  SEMS uses the PGP SDK for cryptography, not the Java JCE, and is not impacted.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2601
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2601
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2601


CVE-2015-2625
Description: OpenJDK: name for reverse DNS lookup used in certificate identity check
Conclusion: This applies to the installation process on client deployments of Java.  SEMS is not impacted as there is no client deployment.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2625
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2625


CVE-2015-2627
Description: Oracle JDK: unspecified vulnerability fixed in 6u101, 7u85 and 8u51
Conclusion: This applies to client and server deployment of JSSE.  Unspecified vulnerability in Oracle Java SE 6u95, 7u80, and 8u45 allows remote attackers to affect confidentiality via unknown vectors related to installation. SEMS is not impacted as there is no installation after SEMS deployment.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2627
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2627
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2627


CVE-2015-2808
Description: The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase.  Also known as "Bar Mitzvah".
Conclusion: This is an extension of CVE-2013-2566, and is currently being reviewed by Symantec Dev.  RC4 as it exists on Symantec Encryption Management Server is not easily exploited.  An attacker must record and analyze 1 billion connections to find one weak key (one chance per billion connections) and then it starts over.
BEAST, CRIME, and POODLE, and in this case, "Bar Mitzvah", require the browser to run the attacker's JavaScript so that the attacker knows what the content is before it gets encrypted by the browser.  Symantec Encryption Management Server does not use any external content by default, so these attacks are not feasible against users connecting to the Symantec Encryption Management Server.  These attacks require an attacker to know the exact bytes and location of those bytes *before* the client sends them to the server.  Due to the Symantec Encryption Management Server architecture, there is no possibility of putting a client in a compromising position unless introduced by custom content.  Customers should take extra precaution when customizing UI or templates to ensure external JavaScript is not used.  Although audits detect these false positives for BEAST, CRIME, and POODLE, exploiting these vulnerabilities on the server is not possible by default.
Starting with Symantec Encryption Management Server 3.3.2 MP11, the RC4 cipher has been removed.
Etrack: 3362451
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-2808
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2808


CVE-2015-4000
Description: LOGJAM: TLS connections which support export grade DHE key-exchange are vulnerable to MITM attacks
Conclusion: The TLS server services on Symantec Encryption Management Server are not vulnerable to logjam attacks on Diffie-Hellman because export ciphers are explicitly disabled.
Although exceptionally unlikely, client services using OpenSSL or NSS may be forced into downgrading to an export cipher via a large-scale, supercomputing MITM effort when connecting to servers that allow the DH export ciphers.
Symantec Encryption Management Server 3.3.2 MP11 addresses Logjam threats through TLS. There are no services running on the server that are vulnerable to Logjam. There are other facilities installed on the server that do not run and that the system does not use, which scanners may detect as being vulnerable to Logjam. 
Symantec Encryption Management Server version 3.3.2 MP13 completely addresses the Logjam report.
Etrack: 3790840, 3824986
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000


CVE-2015-4749
Description: OpenJDK: DnsClient fails to release request information after error
Conclusion: This applies to client and server deployments of Java.  Unauthenticated remote attackers cannot force Java services to make a flurry of DNS requests, and cannot exhaust DNS transaction IDs through the same.  SEMS is not vulnerable to this report.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-4749
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4749
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4749


CVE-2015-5174
Description: tomcat: URL Normalization issue
Conclusion: Symantec Encryption Management Server is flagged as vulnerable to this report due to version matching with Tomcat; however, Symantec Encryption Management Server is not vulnerable to this report.
Only requests made from specific services controlled by the Symantec Encryption Management Server have access.  Symantec Encryption Management Server will automatically prevent this vulnerability.
Etrack: 3917042
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5174


CVE-2015-5345
Description: tomcat: directory disclosure
Conclusion: Symantec Encryption Management Server is flagged as vulnerable to this report due to version matching with Tomcat; however, Symantec Encryption Management Server is not vulnerable to this report.
Only requests made from specific services controlled by the Symantec Encryption Management Server have access.  Symantec Encryption Management Server will automatically prevent this vulnerability.
Etrack: 3917042
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5345
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5345


CVE-2015-5346
Description: tomcat: Session fixation
Conclusion: Although the Symantec Encryption Management Server has a vulnerable package, it does not use the SSL session ID and is configured to prevent this attack; it is therefore not vulnerable to this report.
Etrack: 3917042
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5346
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5346
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5346


CVE-2015-5351
Description: tomcat: CSRF token leak
Conclusion: Symantec Encryption Management Server is flagged as vulnerable to this report due to version matching with Tomcat; however, Symantec Encryption Management Server is not vulnerable to this report.
Only requests made from specific services controlled by the Symantec Encryption Management Server have access.  Symantec Encryption Management Server will automatically prevent this vulnerability.
Etrack: 3918913
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-5351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5351
 

CVE-2015-7547
Description: A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries.
Conclusion: This issue does not affect the versions of glibc as shipped with Red Hat Enterprise Linux 3, 4 and 5.  Symantec Encryption Management Server 3.3.2 is not vulnerable to this report as the version of Linux is CentOS 5.
Etrack: 3912954
Additional References:
https://access.redhat.com/security/cve/cve-2015-7547
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7547
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7547
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7547 
 

CVE-2015-7575
Description: TLS 1.2 Transcript Collision attacks against MD5 in key exchange protocol
Conclusion: SEMS does not use Java for TLS client authentication and is not impacted by this report.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7575
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7575
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7575


CVE-2015-8150

Description: Symantec Encryption Management Server (SEMS) 3.3.2 before MP12 allows local users to obtain root access by modifying a batch file.
Conclusion: This is documented on the Symantec Security Response Page.
Etrack: n/a
Additional References:
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20160218_00
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8150
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8150
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8150


CVE-2015-8149
Description: The LDAP service in Symantec Encryption Management Server (SEMS) 3.3.2 before MP12 allows remote attackers to cause a denial of service (heap memory corruption and service outage) via crafted requests.
Conclusion: This is documented on the Symantec Security Response Page.
Etrack: n/a
Additional References:
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20160218_00
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8149
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8149
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8149


CVE-2015-8151
Description: Symantec Encryption Management Server (SEMS) 3.3.2 before MP12 allows remote authenticated users to execute arbitrary OS commands by leveraging console administrator access.
Conclusion: This is documented on the Symantec Security Response Page.
Etrack: n/a
Additional References:
https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20160218_00
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-8151
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8151
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8151


CVE-2016-0402
Description: OpenJDK: URL deserialization inconsistencies
Conclusion: Applies to client deployment of Java only and therefore SEMS is not impacted by this report.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0402
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0402
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0402


CVE-2016-0466
Description: OpenJDK: insufficient enforcement of totalEntitySizeLimit
Conclusion: SEMS 3.3.2 MP13 has an affected version of Java; however, it does not process XML and is therefore not impacted by this report.  Remote attackers cannot send XML to Java, so these attacks are not possible on SEMS.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0466
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0466
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0466


CVE-2016-0483
Description: OpenJDK: insufficient enforcement of totalEntitySizeLimit
Conclusion: Unauthenticated remote attackers cannot send JPG to Java so these attacks are not possible on SEMS.  SEMS Administrators with the proper permissions who can submit JPGs for Web Email Protection customization still cannot exploit the vulnerability because those images are never processed by AWT.
Etrack: 3840267
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0483
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0483
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0483
 

CVE-2016-0703
Description: Openssl: Divide-and-conquer session key recovery in SSLv2
Conclusion: This report relies on SSLv2.  Symantec Encryption Management Server does not use SSLv2, and will not accept SSLv2 connections, and is therefore not vulnerable.
Etrack: 3918913
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0703
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0703
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0703


CVE-2016-0706
Description: Apache Tomcat Security Manager
Conclusion: Symantec Encryption Management Server is flagged as vulnerable to this report due to version matching with Tomcat; however, Symantec Encryption Management Server is not vulnerable to this report.
Only requests made from specific services controlled by the Symantec Encryption Management Server have access.  Symantec Encryption Management Server will automatically prevent this vulnerability.
Etrack: 3917042
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0706
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0706


CVE-2016-0714 
Description: tomcat: Security Manager bypass via persistence mechanisms
Conclusion: Although Symantec Encryption Management Server has a package that is vulnerable, Symantec Encryption Management Server is not vulnerable to this report without installing a malicious web app on the server, which is not possible externally.   It is not possible to exploit this report in its default configuration.
Etrack: 3917042
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0714
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0714
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0714


CVE-2016-0762

Description: tomcat: timing attack in Realm implementation
Conclusion: This does not impact SEMS as SEMS does not use Realms.
Etrack: 4054765
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0762
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0762


CVE-2016-0763

Description: tomcat: security manager bypass via setGlobalContext()
Conclusion: Although Symantec Encryption Management Server has a package that is vulnerable, Symantec Encryption Management Server is not vulnerable to this report without installing a malicious web app on the server, which is not possible externally.   It is not possible to exploit this report in its default configuration.
Etrack: 3917042
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0763


CVE-2016-0777
Description: OpenSSH: Client Information leak due to use of roaming connection feature
Conclusion: Symantec Encryption Management Server uses OpenSSL V4 and does not use the Roaming feature mentioned.  As noted in the CVE report:
*The "roaming" feature of OpenSSH clients was introduced in OpenSSH-5.4. Therefore Red Hat Enterprise Linux 4, 5, and 6 are not affected by this flaw.
*Red Hat Enterprise Linux 4, 5, and 6 are not affected by this flaw because they include OpenSSH versions older than 5.4, and hence do not implement the roaming feature.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0777
https://access.redhat.com/articles/2123781


CVE-2016-0778
Description: OpenSSH: Client buffer-overflow when using roaming connections
Conclusion: Symantec Encryption Management Server uses OpenSSL V4 and does not use the Roaming feature mentioned.  As noted in the CVE report:
*The "roaming" feature of OpenSSH clients was introduced in OpenSSH-5.4. Therefore Red Hat Enterprise Linux 4, 5, and 6 are not affected by this flaw.
*Red Hat Enterprise Linux 4, 5, and 6 are not affected by this flaw because they include OpenSSH versions older than 5.4, and hence do not implement the roaming feature.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0778
https://access.redhat.com/articles/2123781


CVE-2016-0800
Description: SSL/TLS: Cross-protocol attack on TLS using SSLv2 (DROWN)
Conclusion: This report relies on SSLv2.  Symantec Encryption Management Server does not use SSLv2, and will not accept SSLv2 connections, and is therefore not vulnerable.
Etrack: 3918913
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-0800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0800


CVE-2016-1583

Description: kernel: Stack overflow via ecryptfs and /proc/$pid/environ
Conclusion: Exploiting this report requires a local user.  Symantec Encryption Management Server does not make any local users available and is therefore not affected by this report.
Etrack: 4038271
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1583
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1583


CVE-2016-2181

Description: openssl: DTLS replay protection bypass allows DoS against DTLS connection
Conclusion: Datagram Transport Layer Security (DTLS) provides SSL over UDP.  Symantec Encryption Management Server does not use any DTLS services.  Symantec Encryption Management Server only offers SSL over TCP.
Etrack: 3989781
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2181
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2181
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2181


CVE-2016-2183
Description: SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
Conclusion: Symantec Encryption Management Server 10.5 MP2 resolves this fully.
Update Jun 15, 2021: SEMS 10.5 MP2 was released and resolves this issue fully.
Update Jan 30, 2019:
Although SEMS 3.4.1 already mitigates this issue, SEMS 3.4.2 MP2 and above will no longer use TLS 1.0 by default for its server-client communications.  If Encryption Clients version 10.3.x are being used, TLS 1.0 can be re-enabled for backward compatibility with the assistance of support.
Etrack: 3989781
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2183
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2183
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183


CVE-2016-2776
Description: bind: assertion failure in buffer.c while building responses to a specifically constructed request
Conclusion: This was fixed in Symantec Encryption Management Server 3.4.1.  For more information, see the release notes.
Etrack: 4005768
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2776
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2776
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2776


CVE-2016-2834

Description: nss: Multiple security flaws (MFSA 2016-61)
Conclusion: SEMS has an affected nss package but is not impacted.  OpenSSL and PGP SDK handle the tasks where nss would be affected.
Etrack: 4054768
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2834
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2834
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2834


CVE-2016-2848

Description: bind: assertion failure triggered by a packet with malformed options
Conclusion: Symantec Encryption Management Server does not have a name server, which is necessary for this report to apply, and is therefore unaffected.
Etrack: 4038285
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-2848
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2848
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2848


CVE-2016-3503

Description: Oracle JDK: unspecified vulnerability fixed in 6u121, 7u111, and 8u101 (Install)
Conclusion: This report applies only to the client installation process in client deployments.  SEMS is a server deployment and is not impacted.
Etrack: 3976238
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3503
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3503
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3503


CVE-2016-3500
Description: OpenJDK: maximum XML name limit not applied to namespace URIs (JAXP, 8148872)
Conclusion: Maximum XML name limit not applied to namespace URIs
Etrack: 3976238
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3500
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3500
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3500


CVE-2016-3508

Description: OpenJDK: missing entity replacement limits (JAXP, 8149962)
Conclusion: SEMS is not impacted because it is not possible for an attacker to submit an XML bomb to the Java application on SEMS.
Etrack: 3976238
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3508
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3508
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3508


CVE-2016-3511

Description: Oracle JDK: unspecified vulnerability fixed in 7u111 and 8u101 (Deployment)
Conclusion: This report applies only to client deployments.  SEMS uses a server deployment and is not affected.
Etrack: 3976238
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3511
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3511
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3511


CVE-2016-3606

Description: OpenJDK: insufficient bytecode verification (Hotspot, 8155981)
Conclusion: This report applies only to client deployments.  SEMS uses a server deployment and is not affected.
Etrack: 3976238
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-3606
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3606
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3606


CVE-2015-3642

Description: TLS and DTLS Padding Validation Vulnerability in Citrix NetScaler Application Delivery Controller and NetScaler Gateway
Conclusion: This is specific to Citrix and is not related to SEMS; SEMS is not affected.
Etrack: 3931491
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-3642
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3642
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3642


CVE-2016-5195
Description: Dirty COW privilege escalation report - race condition in copy-on-write breakage of private read-only memory mappings
Conclusion: Symantec Encryption Management Server 3.4.1 is not affected by this.  On all versions prior to this, the copy-on-write flaw requires local access.  Symantec Encryption Management Server (any version) does not provide non-administrative local access, which prevents the opportunity for attacks that target the copy-on-write defect.
Etrack: 4010837
Additional References:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5195


CVE-2016-5181, CVE-2016-5182, CVE-2016-5183, CVE-2016-5184, CVE-2016-5185, CVE-2016-5186, CVE-2016-5187, CVE-2016-5188, CVE-2016-5189, CVE-2016-5190, CVE-2016-5191, CVE-2016-5192, CVE-2016-5193, CVE-2016-5194
Description:  Multiple Chromium reports against Symantec Encryption Management Server.
Conclusion: Symantec Encryption Management Server does not use Chromium and is therefore not affected.
Etrack: 4038268
Additional References: n/a
 

CVE-2016-5285
Description: nss: Missing NULL check in PK11_SignWithSymKey / ssl3_ComputeRecordMACConstantTime causes server crash
Conclusion: SEMS has an affected nss package but is not impacted.  OpenSSL and PGP SDK handle the tasks where nss would be affected
Etrack: 4054768
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5285
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5285
 

CVE-2016-5290, CVE-2016-5291, CVE-2016-5296, CVE-2016-5297, CVE-2016-9064, CVE-2016-9066, CVE-2016-1240
Description: Mozilla browser
Conclusion: SEMS 3.4.1 does not use Mozilla, so this does not apply.  Furthermore, the report states Windows is the only OS affected.  SEMS uses Linux.
Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5290
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5291
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5296
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5297
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9064
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9066
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-1240


CVE-2016-5425

Description: tomcat: Local privilege escalation via systemd-tmpfiles service
Conclusion: Symantec Encryption Management Server does not use the affected Tomcat version from Red Hat.
Etrack: 4054765
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5425
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5425
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5425


CVE-2016-5556, CVE-2016-5568, CVE-2016-5582, CVE-2016-5573, CVE-2016-5597, CVE-2016-5554, CVE-2016-5542

Description: Oracle JDK Security Reports
Conclusion: As per the review done by Oracle, this report does not apply to Java deployments in servers that load and run only trusted code.  Symantec Encryption Management Server does not download or run untrusted code.  As a result, Symantec Encryption Server is not affected by this report.
Etrack: 4009968
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-5556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5556
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5556
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html#AppendixJAVA


CVE-2016-6304
Description: openssl: OCSP Status Request extension unbounded memory growth
Conclusion: This is resolved in SEMS 3.4.1
Etrack: 3989781
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6304
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6304
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6304
 

CVE-2016-6325
Description: tomcat: tomcat writable config files allow privilege escalation
Conclusion: Symantec Encryption Management Server does not use the affected Tomcat version from Red Hat.
Etrack: 4054765
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6325
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6325
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6325


CVE-2016-6797, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796
Description: Local-Only vulnerabilities in Tomcat
Conclusion: As per the review done by Oracle, this report does not apply to Java deployments in servers that load and run only trusted code.  Symantec Encryption Management Server does not download or run untrusted code.  As a result, Symantec Encryption Server is not affected by this report.
Etrack: 4038276
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6797
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6797
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6797
 

CVE-2016-6816
Description: tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests
Conclusion: Symantec Development and Security teams reviewed this issue and did not find any method to exploit it.  SEMS is therefore not vulnerable to this report.
Etrack: 4054765
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-6816
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6816
 

CVE-2016-7053
Description: openssl: CMS Null dereference vulnerability
Conclusion: This report does not affect OpenSSL versions prior to 1.1.0.  SEMS uses 1.0.1e and is not affected.
Etrack: 4054766
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7053


CVE-2016-7054
Description: openssl: Corrupting larger payloads when using ChaCha20/Poly1305 ciphersuites leads to DoS
Conclusion: This report does not affect OpenSSL versions prior to 1.1.0.  SEMS uses 1.0.1e and is not affected.
Etrack: 4054766
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7054
 

CVE-2016-8635
Description: nss: small-subgroups attack flaw
Conclusion: SEMS has an affected nss package but is not impacted.  OpenSSL and PGP SDK handle the tasks where nss would be affected
Etrack: 4054768
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8635
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8635
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8635

CVE-2016-8735
Description: tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener
Conclusion: SEMS does not provide access to the JMX ports from the outside; they are all blocked by the firewall.
Etrack: 4054765
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8735
 

CVE-2016-8864
Description: bind: assertion failure while handling responses containing a DNAME answer
Conclusion: Symantec Encryption Management Server does not have a name server, which is necessary for this issue to occur, and is therefore unaffected.
Etrack: 4054767
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8864
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8864
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-8864


CVE-2016-7855
Description: flash-plugin: use-after-free issue fixed in APSB16-36
Conclusion: Symantec Encryption Management Server does not use the vulnerable software, and is not affected by this report.
Etrack: 4038281
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7855
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7855
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7855
 

CVE-2017-3253, CVE-2016-5546, CVE-2016-5547, CVE-2016-5548, CVE-2016-5549, CVE-2016-5552, CVE-2016-8328, CVE-2017-3231, CVE-2017-3241, CVE-2017-3252, CVE-2017-3253, CVE-2017-3259, CVE-2017-3260, CVE-2017-3261, CVE-2017-3262, CVE-2017-3272, CVE-2017-3289
Description: Multiple Oracle JDK reports
Conclusion: SEMS has an affected java package but does not use the affected library and is not impacted.
Etrack: 4059623, 4058855
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-3253
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3253
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-3253


CVE-2017-8046

Description: spring-boot: Malicious PATCH requests submitted to servers can use specially crafted JSON data to run arbitrary Java code
Conclusion: Symantec Encryption Management Server is not affected by this report because it does not contain the affected software mentioned
Etrack: 4182002
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-8046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8046


CVE-2017-15361
Description: The Infineon RSA library 1.02.013 in Infineon Trusted Platform Module (TPM) firmware, such as versions before 0000000000000422 - 4.34, before 000000000000062b - 6.43, and before 0000000000008521 - 133.33, mishandles RSA key generation.  Also known as ROCA.
Conclusion: This report refers to Infineon’s hardware product and its broken implementation of the OpenPGP standard.  The advisory is related to a faulty implementation that allows recovery of private keys using the public key.  This report is completely separate from the OpenPGP technology used by Symantec’s PGP implementation.  Symantec’s Encryption product’s keys are generated properly and safely and do not suffer from the issues revealed by the researchers.
If a key was generated by Infineon’s system and was subsequently imported into a Symantec Encryption product, the key should be revoked and a new key should be generated by a Symantec Encryption product.
Etrack: 4136330
Additional References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15361
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-15361


CVE-2019-9702
Description: Symantec Endpoint Encryption Privilege Escalation
Conclusion: Symantec Endpoint Encryption 11.3 includes a fix for this issue.  For Symantec Encryption Desktop, see the below Symantec articles for mitigation and recommendations on this report.
Etrack: n/a
Additional References:
https://knowledge.broadcom.com/external/article/153530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9702
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9702


CVE-2019-11091, CVE-2018-12126, CVE-2018-12127, CVE-2018-12130
Description: ZombieLoad: hardware: Microarchitectural Fill Buffer Data Sampling (MFBDS).  This report is related to the hardware flaw found in some CPUs.
Conclusion: Local user access is required to exploit this flaw.  SEMS does not offer local user access and as a result is not vulnerable to local user attacks.  As these flaws are in the hardware, the solution is a combination of operating system and CPU firmware updates.  Virtual machines may potentially be impacted as local users in a separate virtual machine can attempt attacks against other virtual machines sharing the same physical CPU affected by these hardware flaws.  Firmware updates cannot be applied to the CPU from virtual machines so Symantec recommends working with your virtual solutions vendor to ensure proper mitigation steps have been taken to secure and update the firmware on machines hosting virtual servers.  SEMS running on hardware is not impacted by these flaws.
Etrack: 4240240
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-12130  
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130


CVE-2020-0543, CVE-2020-0548, CVE-2020-0549

Description: CVE-2020-0543 hw: Special Register Buffer Data Sampling (SRBDS), CVE-2020-0548 hw: Vector Register Data Sampling, CVE-2020-0549 hw: L1D Cache Eviction Sampling
Conclusion: Local user access is required to exploit this flaw.  SEMS does not allow local access login by default.  SEMS installed on physical hardware is not at risk as there is no local access configured.  Virtual machines may potentially be impacted as local users in a separate virtual machine can attempt attacks against other virtual machines sharing the same physical CPU affected by these hardware flaws.  Firmware updates cannot be applied to the CPU from virtual machines so Symantec recommends working with your virtual solutions vendor to ensure proper mitigation steps have been taken to secure and update the firmware on machines hosting virtual servers.  SEMS running on hardware is not impacted by these flaws.
Etrack: 4240240, 4269072
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-12130   
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12130


CVE-2020-9484
Description: Apache Tomcat: Important: Remote Code Execution via session persistence
Conclusion:  Remote execution can only be achieved if a series of 4 requirements are met.  Failing to meet even a single requirement is enough to prevent remote code execution.  
SEMS avoids all four requirements and is not impacted by this report.  
Etrack: 4269072
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-9484
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-9484
https://access.redhat.com/security/cve/cve-2020-9484


CVE-2020-11996
Description: Apache Tomcat: Important: HTTP/2 DoS CVE-2020-11996
Conclusion: SEMS does not support HTTP/2 requests and is therefore not affected by this report.
Etrack: 4269072
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-11996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11996
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11996
https://access.redhat.com/security/cve/cve-2020-11996


CVE-2020-14556

Description: OpenJDK: Incorrect handling of access control context in ForkJoinPool (Libraries, 8237117)
Conclusion: SEMS does not use ForkJoinPool and is therefore not impacted by this report.
The current version of SEMS 10.5 does use OpenJDK, and this report does not apply to it.
Symantec Etrack: 4269119
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14556
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14556
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14556


CVE-2020-14577
Description: OpenJDK: HostnameChecker does not ensure X.509 certificate names are in normalized form (JSSE, 8237592)
Conclusion: SEMS does not run the HostnameChecker code and therefore is not vulnerable to this flaw.  
SEMS uses its own proprietary PGP SDK code when proper verification is needed.
The current version of SEMS 10.5 does use OpenJDK, and this report does not apply to it.
Symantec Etrack: 4269119
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14577
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14577
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14577


CVE-2020-14578
CVE-2020-14579
Description: OpenJDK: Unexpected exception raised by DerInputStream (Libraries, 8237731)
Conclusion: SEMS uses its own internal PGP SDK code to handle these operations and is therefore not impacted by these reports.
The current version of SEMS 10.5 does use OpenJDK, and these reports do not apply to it.
Symantec Etrack: 4269119
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14578
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14578


CVE-2020-14581
Description: OpenJDK: Information disclosure in color management (2D, 8238002)
Conclusion: SEMS uses the code to read an image's dimensions but does not use this same code to access image color management information where this flaw is reported and is therefore not impacted by this flaw.
The current version of SEMS 10.5 does use OpenJDK, and this report does not apply to it.
Symantec Etrack: 4269119
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14581
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14581
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14581


CVE-2020-14583
CVE-2020-14593
Description: OpenJDK: Bypass of boundary checks in nio.Buffer via concurrent access (Libraries, 8238920)
Conclusion: These reports are specific to clients only and are not applicable to SEMS.   
The current version of SEMS 10.5 does use OpenJDK, and this report does not apply to it.
Symantec Etrack: 4269119
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14583
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14583
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14583


CVE-2020-14621
Description: OpenJDK: XML validation manipulation due to incomplete application of the use-grammar-pool-only feature (JAXP, 8242136)
Conclusion: SEMS contains the affected package; however, Symantec Security teams have tested it and SEMS is not impacted by this report.
The current version of SEMS 10.5 does use OpenJDK, and this report does not apply to it.
Symantec Etrack: 4269119
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14621
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14621
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14621


CVE-2020-0427

Description: A flaw was found in the Linux pinctrl system.  It is possible to trigger an out-of-bounds read due to a use after free.  This could lead to local information disclosure with no additional execution privileges needed.
Conclusion: This requires an attack from a local authenticated user.  Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is set up for the administrator via SSH; therefore, this is not applicable.  External users do not have access to this part of the OS.
Broadcom JIRA: EPG-22979
Additional References:
https://nvd.nist.gov/vuln/detail/CVE-2020-0427
https://access.redhat.com/security/cve/CVE-2020-0427
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-0427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0427


CVE-2020-10029

Description: glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions
Conclusion: The Symantec Encryption Management Server OS does not make use of the affected glibc functions mentioned, therefore, this is not applicable.
Broadcom JIRA: EPG-22979
Additional References:
https://access.redhat.com/security/cve/CVE-2020-10029
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10029
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10029


CVE-2020-25705

Description: A flaw was found in the way the Linux kernel limits reply ICMP packets; it allows open UDP ports to be scanned quickly.
Conclusion: This is fixed in SEMS 10.5 MP2.  If upgrading is not immediately possible, Red Hat recommends mitigating this risk by running the following command via SSH access:

firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p icmp --icmp-type destination-unreachable -j DROP

When run successfully, the result of "success" will be displayed.

If you need help running this command, please contact support.

Broadcom JIRA: EPG-22979
Additional References:
https://access.redhat.com/security/cve/CVE-2020-25705
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25705
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25705
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25705


CVE-2020-15436

Description: A use-after-free flaw was observed in blkdev_get(), in fs/block_dev.c after a call to __blkdev_get() fails, and its refcount gets freed/released. 
Conclusion: This requires an attack from a local authenticated user.  Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is set up for the administrator via SSH; therefore, this is not applicable.  External users do not have access to this part of the OS.
Broadcom JIRA: EPG-22979
Additional References:
https://access.redhat.com/security/cve/CVE-2020-15436
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-15436
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15436


CVE-2020-8625

Description: A buffer overflow flaw was found in the SPNEGO implementation used by BIND. 
Conclusion: Symantec Encryption Management Server does not run a BIND server (named); therefore, this is not applicable.
Broadcom JIRA: EPG-22979
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8625
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8625


CVE-2021-3156

Description: Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
Conclusion: SEMS is not vulnerable to this report as the backend filesystem is protected and is a locked box.  Not even the root account is configured, and as such there is no access to the Linux filesystem to be able to run sudo.  Although SEMS was not vulnerable to this report, the backend packages were updated, with the fixes included in SEMS 10.5 MP2.
As a result, SEMS is not affected by this report.
Broadcom JIRA: EPG-22602, EPG-22656
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-3156 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3156


CVE-2021-26937

Description: screen: crash when processing combining chars
Conclusion: This requires an attack from a local authenticated user.  Symantec Encryption Management Server does not enable local users by default, and any user configured on the server is set up for the administrator via SSH; therefore, this is not applicable.  External users do not have access to this part of the OS.
Broadcom JIRA: EPG-22979
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-26937
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26937
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-26937
https://access.redhat.com/security/cve/cve-2021-26937


CVE-2021-27219

Description: An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.
Conclusion: SEMS has an affected glib2 package, however SEMS has no code that would be affected by this report and is therefore not affected.
Symantec Etrack: EPG-23879
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27219
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27219
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27219


CVE-2021-3156
Description: Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured. Although SEMS is not vulnerable to this report, a fix is included in 10.5 MP2.
Symantec Etrack: EPG-22602
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-3156
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3156


CVE-2020-15862

Description: net-snmp: Improper Privilege Management in EXTEND MIB may lead to privileged commands execution
Conclusion: This is fixed in SEMS 10.5 MP1 and above.
Symantec Etrack: EPG-23879, EPG-22447
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-15862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15862
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15862


CVE-2020-10029

Description: glibc: stack corruption from crafted input in cosl, sinl, sincosl, and tanl functions
Conclusion: This is fixed in SEMS 10.5 MP2
Symantec Etrack: EPG-22979
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10029
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10029
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10029


CVE-2021-3156
Description: sudo: Heap buffer overflow in argument parsing
Conclusion: This is fixed in SEMS 10.5 MP2
Symantec Etrack: EPG-22656
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-3156
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3156
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3156


CVE-2021-27803
Description: wpa_supplicant: Use-after-free in P2P provision discovery processing
Conclusion: This applies to Wi-Fi only.  SEMS does not use Wi-Fi, so this report does not apply.
A fix is included in SEMS 10.5 MP2 to address this false positive.
Symantec Etrack: n/a
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-27803
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27803
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27803


CVE-2020-25211
Description: kernel: Local buffer overflow in ctnetlink_parse_tuple_filter in net/netfilter/nf_conntrack_netlink.c
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured.  Although SEMS is not vulnerable to this report, a fix is included in 10.5 MP2.
Symantec Etrack: EPG-22990
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25211
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25211
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25211


CVE-2020-28374

Description:  kernel: SCSI target (LIO) write to any block on ILO backstore
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured.  Although SEMS is not vulnerable to this report, a fix is included in 10.5 MP2.
Symantec Etrack: EPG-22990
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-28374
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28374
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-28374


CVE-2020-29661
Description: kernel: locking issue in drivers/tty/tty_jobctrl.c can lead to an use-after-free
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured.  Although SEMS is not vulnerable to this report, a fix is included in 10.5 MP2.
Symantec Etrack: EPG-22979
Additional References:
https://access.redhat.com/security/cve/cve-2020-29661
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-29661
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29661
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-29661


CVE-2019-19532
Description: kernel: malicious USB devices can lead to multiple out-of-bounds write
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured.  Although SEMS is not vulnerable to this report, a fix is included in 10.5 MP2.
Symantec Etrack: EPG-22990
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19532
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19532
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-19532


CVE-2020-0427

Description: kernel: out-of-bounds reads in pinctrl subsystem.
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured.  Although SEMS is not vulnerable to this report, a fix is included in 10.5 MP2.
Symantec Etrack: EPG-22990
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-0427
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0427
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-0427


CVE-2020-7053

Description: kernel: use-after-free in i915_ppgtt_close in drivers/gpu/drm/i915/i915_gem_gtt.c
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured.  Although SEMS is not vulnerable to this report, a fix is included in 10.5 MP2.
Symantec Etrack: EPG-22990, EPG-22974
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-7053
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7053
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7053


CVE-2020-14351
Description: kernel: performance counters race condition use-after-free
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured.  Although SEMS is not vulnerable to this report, a fix is included in 10.5 MP2.
Symantec Etrack: EPG-22990
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14351
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14351
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-14351


CVE-2020-25645
Description: kernel: Geneve/IPsec traffic may be unencrypted between two Geneve endpoints
Conclusion: A fix is included in SEMS 10.5 MP2.
Symantec Etrack: EPG-22990
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25645
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25645
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25645


CVE-2020-25656
Description: kernel: use-after-free in read in vt_do_kdgkb_ioctl
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured.  Although SEMS is not vulnerable to this report, a fix is included in 10.5 MP2.
Symantec Etrack: EPG-22990
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25656
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25656
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-25656


CVE-2021-20265
Description: kernel: increase slab leak leads to DoS
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured.  Although SEMS is not vulnerable to this report, a fix is included in 10.5 MP2.
Symantec Etrack: EPG-22990
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-20265
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20265
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-20265


CVE-2021-3347

Description: kernel: Use after free via PI futex state
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured. 
Symantec Etrack: EPG-23879
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-3347
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3347
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3347


CVE-2020-8648

Description: kernel: use-after-free in n_tty_receive_buf_common function in drivers/tty/n_tty.c
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured.  
Symantec Etrack: EPG-23879
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-8648
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8648
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8648


CVE-2020-10543
Description: perl: heap-based buffer overflow in regular expression compiler leads to DoS
Conclusion: These issues are addressed in SEMS 10.5 MP2, and SEMS is not vulnerable to this report.
Symantec Etrack: EPG-23879
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10543
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10543
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10543


CVE-2020-10878

Description: perl: corruption of intermediate language state of compiled regular expression due to integer overflow leads to DoS
Conclusion: These issues were addressed in SEMS 10.5 MP2.  SEMS is not affected by this report.
Symantec Etrack: EPG-23879, EPG-22979
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10878
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10878
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-10878


CVE-2020-12362

Description: kernel: Integer overflow in Intel(R) Graphics Drivers
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured. Additionally, Red Hat states that "Only users that specify i915.enable_guc=-1 or i915.enable_guc=1 or 2 are open to be exploited by this issue.", and SEMS does not use the required settings for this report.
Symantec Etrack: EPG-23879
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-12362
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12362
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12362


CVE-2020-12363

Description: kernel: Improper input validation in some Intel(R) Graphics Drivers
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured.  
Symantec Etrack: EPG-23879
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-12363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12363
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12363


CVE-2020-12364

Description: kernel: Null pointer dereference in some Intel(R) Graphics Drivers
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured.
Symantec Etrack: EPG-23879
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-12364
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12364
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12364

CVE-2020-12723
Description: perl: corruption of intermediate language state of compiled regular expression due to recursive S_study_chunk() calls leads to DoS
Conclusion: These issues were addressed in SEMS 10.5 MP2.  SEMS is not affected by this report.
Symantec Etrack: EPG-23879
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-12723
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12723
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-12723


CVE-2020-15778
Description: openssh: scp allows command injection when using backtick characters in the destination argument
Conclusion: Developers for OpenSSH and Red Hat will not fix this issue to avoid breaking compatibility with all previously deployed installations.
SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured.
Symantec Etrack: EPG-23879
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-15778
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15778
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15778


CVE-2020-27170

Description: kernel: Speculation on pointer arithmetic against bpf_context pointer
Conclusion: SEMS does not have local, nonadministrative users configured--even local root access is disabled.  This removes the traditional method for local attacks because there are no local, non-administrative users configured. 
Symantec Etrack: EPG-23879
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-27170
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27170
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-27170

CVE-2021-25217
Description: dhcp: stack-based buffer overflow when parsing statements with colon-separated hex digits in config or lease files in dhcpd and dhclient
Conclusion: SEMS should not be impacted as it does not use the affected packages for any networking services.
Symantec Etrack: EPG-23879
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-25217
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25217
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-25217

CVE-2019-25013
Description: glibc: buffer over-read in iconv when processing invalid multi-byte input sequences in the EUC-KR encoding
Conclusion: This is fixed in SEMS 10.5 MP2.
Symantec Etrack: EPG-22979
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-25013
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-25013
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-25013

CVE-2021-41773
Description: A path traversal flaw was found in Apache 2.4.49. A remote attacker could use this flaw to map URLs to files outside the expected document root. Additionally, this flaw could leak the source of interpreted files like CGI scripts.
Conclusion: As per Red Hat, SEMS version 10.5 is not affected by this report.
Symantec Etrack: EPG-24987
Additional References:
https://access.redhat.com/security/cve/CVE-2021-41773


CVE-2021-42013

Description: A path traversal and remote code execution flaw was found in Apache HTTP Server 2.4.49 and 2.4.50. A remote attacker could use this flaw to map URLs to files outside the expected document root.
Conclusion: SEMS 10.5 does not use the affected packages mentioned and is therefore not affected by this report.
Symantec Etrack: EPG-24987
Additional References:
https://access.redhat.com/security/cve/CVE-2021-42013
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42013
https://nvd.nist.gov/vuln/detail/CVE-2021-42013

CVE-2021-4104
Description: log4j: Remote code execution in Log4j 1.x when application is configured to use JMSAppender
Conclusion: Neither Symantec Endpoint Encryption (SEE) nor Symantec Encryption Management Server (PGP) is impacted by this report as they do not use the package mentioned in the report.
Symantec Etrack: EPG-25614
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-4104
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4104
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4104


CVE-2021-44228
Description: log4j-core: Remote code execution in Log4j
Conclusion: Neither Symantec Endpoint Encryption (SEE) nor Symantec Encryption Management Server (PGP) is impacted by this report as they do not use the package mentioned in the report.
More details on this report can be viewed on our Security Advisory page.
Symantec Etrack: EPG-25612
Additional References:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793
https://www.broadcom.com/log4j
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-44228
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44228

CVE-2021-45046
Description: log4j-core: DoS in log4j 2.x with thread context message pattern and context lookup pattern 
Conclusion: Neither Symantec Endpoint Encryption (SEE) nor Symantec Encryption Management Server (PGP) is impacted by this report as they do not use the package mentioned in the report.
More details on this report can be viewed on our Security Advisory page.
Symantec Etrack: EPG-25623
Additional References:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793
https://www.broadcom.com/log4j
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-45046
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45046
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45046

CVE-2021-45105
Description: Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3) did not protect from uncontrolled recursion from self-referential lookups.
Conclusion: Neither Symantec Endpoint Encryption (SEE) nor Symantec Encryption Management Server (PGP) is impacted by this report as they do not use the package mentioned in the report.
More details on this report can be viewed on our Security Advisory page.
Symantec Etrack: EPG-25669
Additional References:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/security-advisories/Symantec-Security-Advisory-for-Log4j-2-CVE-2021-44228-Vulnerability/SYMSA19793
https://www.broadcom.com/log4j
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-45105
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45105
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-45105


CVE-2021-42340

Description: tomcat: OutOfMemoryError caused by HTTP upgrade connection leak
Conclusion: Symantec Encryption Management Server was not affected by this report; however, an update has been included in SEMS 10.5 MP3.
Symantec Etrack: EPG-25397
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-42340
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42340
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-42340


CVE-2021-43527
CESA-2021:4904

Description: nss: Memory corruption in decodeECorDsaSignature with DSA signatures (and RSA-PSS). Affects NSS (Network Security Services) versions prior to 3.73 or 3.68.1 ESR.
Conclusion: Although SEMS has an affected NSS package, it is not used and is therefore not affected by this report.  Although unaffected, starting with SEMS 10.5 MP3HF1 and above, an updated NSS package is included.
Symantec Etrack: EPG-25949
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-43527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43527
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43527

CVE-2021-44142
Description: An out-of-bounds heap read/write vulnerability was found in Samba. Due to a boundary error when processing EA metadata while opening files in smbd within the VFS Samba module (vfs_fruit), a remote attacker with the ability to write to a file's extended attributes can trigger an out-of-bounds write and execute arbitrary code with root privileges.
Conclusion: SEMS does not have the affected packages and is not impacted by this report.
Symantec Etrack: EPG-26264
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2021-44142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44142
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-44142

CVE-2022-0847
Description: kernel: improper initialization of the "flags" member of the new pipe_buffer
Conclusion: Symantec Encryption Management Server does not use the kernel mentioned in this report and is therefore not affected.
Symantec Etrack: EPG-26399
Additional References: 
https://access.redhat.com/security/cve/CVE-2022-0847
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-0847
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0847


CVE-2022-23812

Description: This affects the package node-ipc from 10.1.1 and before 10.1.3. This package contains malicious code that targets users with IP addresses located in Russia or Belarus and overwrites their files with a heart emoji.
Conclusion: Symantec Encryption Products do not use the "node" package mentioned in this report and are therefore not affected.
Symantec Etrack: n/a
Additional References:
https://anvilogic.com/threat-report-tags/cve-2022-23812/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23812
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23812

CVE-2022-22963
Description: spring-cloud-function: Remote code execution by malicious Spring Expression
Conclusion: Symantec Endpoint Encryption (SEE) does not use Spring and is not affected by this report.
Symantec Etrack: EPG-26629
Additional References:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/20427


CVE-2022-22965
Description: A flaw was found in Spring Framework, specifically within two modules called Spring MVC and Spring WebFlux, (transitively affected from Spring Beans), using parameter data binding.
Conclusion: Symantec Encryption Management Server (PGP Server) does use the affected libraries, but is not affected by this report.
Symantec Etrack: EPG-26622
Additional References:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/20427  
https://access.redhat.com/security/cve/CVE-2022-22965 


CVE-2022-3786
Description: OpenSSL: X.509 Email Address Variable Length Buffer Overflow
Conclusion: Symantec Encryption Management Server (PGP Server) does not use the vulnerable OpenSSL version mentioned in this report and is not affected.
Symantec Etrack: EPG-28520
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-3786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3786
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3786


CVE-2022-3602
Description: OpenSSL: X.509 Email Address Buffer Overflow
Conclusion: Symantec Encryption Management Server (PGP Server) does not use the vulnerable OpenSSL version mentioned in this report and is not affected.
Symantec Etrack: EPG-28520
Additional References:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-3602
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3602
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-3602

CVE-2022-42889
Description: apache-commons-text: variable interpolation RCE
Conclusion: Symantec Encryption products are not affected by this report as they do not use the affected package.
Symantec Etrack
Additional References:
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/20986
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2022-42889
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-42889


CVE-2023-25136
Description: A flaw was found in the OpenSSH server (sshd), which introduced a double-free vulnerability during options.kex_algorithms handling.
Conclusion: Symantec Encryption Management Server (PGP Server) does not use the version of openssh mentioned in the report and is therefore not affected by this report.
Symantec Etrack: EPG-29680
Additional References:


CVE-2024-3596

Description: Forgery attacks against the RADIUS protocol can affect PGP Encryption Server if External Authentication is used with RADIUS for Web Email Protection (WEP).
Conclusion: If the PGP Encryption Server uses RADIUS with External Authentication for WEP, a network compromise must *also* have taken place for the server to be affected by this report.  External Authentication is disabled by default and is not necessary for secure email delivery. If you have External Authentication enabled with RADIUS, reach out to Symantec Encryption Support for further guidance.  Disabling RADIUS for WEP is recommended; instead, use either WEP in a default configuration, WEP with Two-Factor Authentication (uses Email, Twilio, or Clickatell), or WEP with Open ID (OID), such as Siteminder for SSO functionality.
Symantec Etrack: n/a
Additional References:
https://www.cve.org/CVERecord?id=CVE-2024-3596
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/24606


CVE-2024-6385, CVE-2024-36138

Description: An issue was discovered in GitLab CE/EE affecting all versions starting from 15.8 prior to 16.11.6
Conclusion: Symantec Endpoint Encryption (SEE) does not use any of the affected packages (GitLab or NodeJS) and is not affected by this report.
Symantec Etrack: EPG-35942
Additional References:
https://nvd.nist.gov/vuln/detail/CVE-2024-6385

CVE-2024-6387
Description: A security regression (CVE-2006-5051) was discovered in OpenSSH's server (sshd). There is a race condition which can lead sshd to handle some signals in an unsafe manner. An unauthenticated, remote attacker may be able to trigger it by failing to authenticate within a set time period.
Conclusion: Although PGP uses sshd, it does not use the version outlined in the report and is not vulnerable.  SEE does not use sshd and is not vulnerable.
Symantec Etrack: EPG-35998, EPG-35926
Additional References:
https://nvd.nist.gov/vuln/detail/CVE-2024-6387
https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/Symantec-Security-Advisory-for-CVE-2024-6387/24608

 

NOTE: In cases where a vulnerability may have been exploited, and is not included in this list, contact Symantec Enterprise Division support for review.

 

Applies To

 

This article takes into account Symantec Encryption Management Server 3.3.0 MP1 and above.  When considering CVEs, it is recommended to be at the latest version of the Encryption Management Server to be covered by any recent security fixes.