Details of VAR-201505-0109

ID

VAR-201505-0109

CVE

CVE-2015-2853

TITLE

Blue Coat SSL Visibility Appliance contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#498348

DESCRIPTION

Session fixation vulnerability in the WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 allows remote attackers to hijack web sessions by providing a session ID. Supplementary information : CWE Vulnerability type by CWE-384: Session Fixation ( Session fixation ) Has been identified. http://cwe.mitre.org/data/definitions/384.htmlSession by a third party ID Provided Web Sessions may be hijacked. It is the core of encrypted traffic management, providing visibility into SSL traffic and supporting the addition of SSL checking to advanced threat protection solutions. The solution and the existing network security architecture. Successfully exploiting these vulnerabilities will allow attackers to perform certain unauthorized actions, hijack an arbitrary session, gain access to the sensitive information or compromise the affected application. Other attacks are also possible

Trust: 3.24

sources: NVD: CVE-2015-2853 // CERT/CC: VU#498348 // JVNDB: JVNDB-2015-002883 // CNVD: CNVD-2015-03624 // BID: 74921 // VULHUB: VHN-80814

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-03624

AFFECTED PRODUCTS

vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	lte	version:	3.8.3	Trust: 1.0
vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	lte	version:	3.8.3	Trust: 1.0
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	lte	version:	3.8.3	Trust: 1.0
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	lte	version:	3.8.3	Trust: 1.0
vendor:	blue coat	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	eq	version:	3.6.x from 3.8.4	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	lt	version:	3.8.x	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	lt	version:	3.8.x	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	eq	version:	3.6.x from 3.8.4	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	eq	version:	3.6.x from 3.8.4	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	lt	version:	3.8.x	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	eq	version:	3.6.x from 3.8.4	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	lt	version:	3.8.x	Trust: 0.8
vendor:	blue	model:	coat ssl visibility appliance sv800	scope:	-	version:	-	Trust: 0.6
vendor:	blue	model:	coat ssl visibility appliance sv3800	scope:	eq	version:	(3.6.x-3.8.x)<3.8.4	Trust: 0.6
vendor:	blue	model:	coat ssl visibility appliance sv2800	scope:	-	version:	-	Trust: 0.6
vendor:	blue	model:	coat ssl visibility appliance sv1800	scope:	-	version:	-	Trust: 0.6
vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	eq	version:	3.8.3	Trust: 0.6
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	eq	version:	3.8.3	Trust: 0.6
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	eq	version:	3.8.3	Trust: 0.6
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	eq	version:	3.8.3	Trust: 0.6
vendor:	bluecoat	model:	sv800	scope:	eq	version:	3.8.3	Trust: 0.3
vendor:	bluecoat	model:	sv800	scope:	eq	version:	3.6	Trust: 0.3
vendor:	bluecoat	model:	sv3800	scope:	eq	version:	3.8.3	Trust: 0.3
vendor:	bluecoat	model:	sv3800	scope:	eq	version:	3.6	Trust: 0.3
vendor:	bluecoat	model:	sv2800	scope:	eq	version:	3.8.3	Trust: 0.3
vendor:	bluecoat	model:	sv2800	scope:	eq	version:	3.6	Trust: 0.3
vendor:	bluecoat	model:	sv1800	scope:	eq	version:	3.8.3	Trust: 0.3
vendor:	bluecoat	model:	sv1800	scope:	eq	version:	3.6	Trust: 0.3
vendor:	bluecoat	model:	sv800	scope:	ne	version:	3.8.4	Trust: 0.3
vendor:	bluecoat	model:	sv3800	scope:	ne	version:	3.8.4	Trust: 0.3
vendor:	bluecoat	model:	sv2800	scope:	ne	version:	3.8.4	Trust: 0.3
vendor:	bluecoat	model:	sv1800	scope:	ne	version:	3.8.4	Trust: 0.3

sources: CERT/CC: VU#498348 // CNVD: CNVD-2015-03624 // BID: 74921 // JVNDB: JVNDB-2015-002883 // CNNVD: CNNVD-201505-604 // NVD: CVE-2015-2853

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-2853
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-2853
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-03624
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201505-604
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-80814
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-2853
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-03624
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-80814
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2015-03624 // VULHUB: VHN-80814 // JVNDB: JVNDB-2015-002883 // CNNVD: CNNVD-201505-604 // NVD: CVE-2015-2853

PROBLEMTYPE DATA

problemtype:	NVD-CWE-Other	Trust: 1.0
problemtype:	CWE-Other	Trust: 0.8

sources: JVNDB: JVNDB-2015-002883 // NVD: CVE-2015-2853

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201505-604

TYPE

Unknown

Trust: 0.3

sources: BID: 74921

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002883

PATCH

title:	SA96	url:	https://bto.bluecoat.com/security-advisory/sa96	Trust: 0.8
title:	Patches for several Blue Coat Systems SSL Visibility Appliance product session fixation vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/59396	Trust: 0.6

sources: CNVD: CNVD-2015-03624 // JVNDB: JVNDB-2015-002883

EXTERNAL IDS

db:	CERT/CC	id:	VU#498348	Trust: 4.2
db:	NVD	id:	CVE-2015-2853	Trust: 3.4
db:	BID	id:	74921	Trust: 2.0
db:	JVN	id:	JVNVU97084421	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-002883	Trust: 0.8
db:	CNNVD	id:	CNNVD-201505-604	Trust: 0.7
db:	CNVD	id:	CNVD-2015-03624	Trust: 0.6
db:	VULHUB	id:	VHN-80814	Trust: 0.1

sources: CERT/CC: VU#498348 // CNVD: CNVD-2015-03624 // VULHUB: VHN-80814 // BID: 74921 // JVNDB: JVNDB-2015-002883 // CNNVD: CNNVD-201505-604 // NVD: CVE-2015-2853

REFERENCES

url:	http://www.kb.cert.org/vuls/id/498348	Trust: 3.4
url:	https://bto.bluecoat.com/security-advisory/sa96	Trust: 2.5
url:	http://www.securityfocus.com/bid/74921	Trust: 1.7
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2853	Trust: 1.4
url:	https://bto.bluecoat.com/news/ssl-visibility-v3.8.4-released	Trust: 0.8
url:	https://fishnetsecurity.com/6labs/blog/vulnerabilities-bluecoat-ssl-visibility-appliances	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/352.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/384.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/20.html	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2853	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu97084421/index.html	Trust: 0.8
url:	https://www.bluecoat.com/products/ssl-visibility-appliance	Trust: 0.3

sources: CERT/CC: VU#498348 // CNVD: CNVD-2015-03624 // VULHUB: VHN-80814 // BID: 74921 // JVNDB: JVNDB-2015-002883 // CNNVD: CNNVD-201505-604 // NVD: CVE-2015-2853

CREDITS

Tim MalcomVetter of FishNet Security

Trust: 0.3

sources: BID: 74921

SOURCES

db:	CERT/CC	id:	VU#498348
db:	CNVD	id:	CNVD-2015-03624
db:	VULHUB	id:	VHN-80814
db:	BID	id:	74921
db:	JVNDB	id:	JVNDB-2015-002883
db:	CNNVD	id:	CNNVD-201505-604
db:	NVD	id:	CVE-2015-2853

LAST UPDATE DATE

2025-04-13T23:23:45.139000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#498348	date:	2015-06-02T00:00:00
db:	CNVD	id:	CNVD-2015-03624	date:	2015-06-09T00:00:00
db:	VULHUB	id:	VHN-80814	date:	2016-12-03T00:00:00
db:	BID	id:	74921	date:	2015-06-01T00:00:00
db:	JVNDB	id:	JVNDB-2015-002883	date:	2015-06-03T00:00:00
db:	CNNVD	id:	CNNVD-201505-604	date:	2015-06-03T00:00:00
db:	NVD	id:	CVE-2015-2853	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#498348	date:	2015-05-29T00:00:00
db:	CNVD	id:	CNVD-2015-03624	date:	2015-06-08T00:00:00
db:	VULHUB	id:	VHN-80814	date:	2015-05-30T00:00:00
db:	BID	id:	74921	date:	2015-06-01T00:00:00
db:	JVNDB	id:	JVNDB-2015-002883	date:	2015-06-03T00:00:00
db:	CNNVD	id:	CNNVD-201505-604	date:	2015-05-30T00:00:00
db:	NVD	id:	CVE-2015-2853	date:	2015-05-30T19:59:06.083