Security Vulnerabilities Identified in Symantec VIP Enterprise Gateway 9.11.0 — Directory Listing, OpenSSL, and Libcurl Cookie Injection
Article ID: 418198

Products

VIP Service

Issue/Introduction

A customer’s penetration testing team identified three potential vulnerabilities in the Symantec VIP Enterprise Gateway (EG) console running version 9.11.0:

  1. Directory Listing Exposure

  2. Older Version of OpenSSL

  3. Cookie Injection via Libcurl

The customer requested guidance on mitigation steps and overall security posture improvement.

Environment

Product: Symantec VIP Enterprise Gateway

Version: 9.11.0

Cause

These issues were identified as known security vulnerabilities in the 9.11.0 version of VIP EG. Updates and fixes have been implemented in later releases.

Resolution

1. Directory Listing Vulnerability

  • Description: Directory listing was unintentionally exposed in the VIP EG 9.11.0 console.

  • Status: This issue has been fixed in the GA release 9.11.1.

  • Action: Upgrade your VIP Enterprise Gateway to version 9.11.1 or later to eliminate this vulnerability.

2. OpenSSL Version Upgrade

  • Description: VIP EG 9.11.0 included OpenSSL 3.0.8, which contained known vulnerabilities.

  • Status:

    • OpenSSL has been upgraded to 3.4.0 in EG 9.11.1.

    • For the upcoming EG 9.11.2 release, OpenSSL will be upgraded further to 3.6.0 (latest stable version).

  • Action: Upgrade to EG 9.11.1 or later to benefit from improved cryptographic library security.

3. Libcurl Cookie Injection Vulnerability

  • Description: A low-severity issue was identified in the Libcurl library used in EG 9.11.0.

  • Status:

    • The recommended Libcurl version is 8.4.0 or later; VIP EG 9.11.1 already ships Libcurl 8.10.1, which exceeds that minimum.

  • Action: Upgrade to EG 9.11.1 to include this updated component and mitigate cookie injection risks.

Recommendation:

To address all three identified vulnerabilities, upgrade your Symantec VIP Enterprise Gateway to version 9.11.1 or later.
This release includes updated libraries and security enhancements that mitigate the issues reported in version 9.11.0.

Additional Information

  • If you have received a penetration test report or need to validate the fixes in your environment, please share the report securely via email with Broadcom Support for verification.

  • Regularly upgrading to the latest GA release is recommended to ensure continued compliance with security best practices.
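To validate the upgrade on a host, the following added example (not Broadcom's or Symantec's code) compares observed component version strings against the floors this article states for EG 9.11.1. It assumes the inputs are the EG version string plus the output of `openssl version` and `curl --version`; the sample strings are constructed.

```python
import re

# Version floors taken from the article: EG 9.11.1 fixes the directory
# listing and ships OpenSSL 3.4.0 and libcurl 8.10.1; the article's stated
# minimum for libcurl is 8.4.0 or later.
FLOORS = {
    "vip_eg": (9, 11, 1),
    "openssl": (3, 4, 0),
    "libcurl": (8, 4, 0),
}

# Where each version appears in the text we are given (assumed formats:
# the EG version string, `openssl version`, and `curl --version`).
PATTERNS = {
    "vip_eg": r"(\d+)\.(\d+)\.(\d+)",
    "openssl": r"OpenSSL (\d+)\.(\d+)\.(\d+)",
    "libcurl": r"libcurl/(\d+)\.(\d+)\.(\d+)",
}


def parse_version(name, text):
    """Extract the x.y.z version for component `name` as a tuple of ints."""
    m = re.search(PATTERNS[name], text)
    if not m:
        raise ValueError("no %s version found in: %r" % (name, text))
    return tuple(int(g) for g in m.groups())


def check_component(name, text):
    """True when the observed version meets or exceeds the article's floor."""
    return parse_version(name, text) >= FLOORS[name]


def audit(vip_eg, openssl_out, curl_out):
    """Return {component: (observed, floor, ok)} for a remediation report."""
    observed = {"vip_eg": vip_eg, "openssl": openssl_out, "libcurl": curl_out}
    return {n: (parse_version(n, t), FLOORS[n], check_component(n, t))
            for n, t in observed.items()}


def dotted(version):
    return ".".join(map(str, version))


if __name__ == "__main__":
    # Constructed sample strings resembling an unpatched 9.11.0 host.
    report = audit("9.11.0",
                   "OpenSSL 3.0.8 (Library: OpenSSL 3.0.8)",
                   "curl 8.1.2 (x86_64-pc-linux-gnu) libcurl/8.1.2 OpenSSL/3.0.8")
    for name, (seen, floor, ok) in report.items():
        print("%-8s %-7s floor %-7s %s" % (name, dotted(seen), dotted(floor),
                                           "OK" if ok else "UPGRADE"))
```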