Details of VAR-201505-0110

ID

VAR-201505-0110

CVE

CVE-2015-2854

TITLE

Blue Coat SSL Visibility Appliance contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#498348

DESCRIPTION

The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not send a restrictive X-Frame-Options HTTP header, which allows remote attackers to conduct clickjacking attacks via vectors involving an IFRAME element. Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800, versions 3.6.x to 3.8.3, contain multiple vulnerabilities. The appliance provides features such as a dedicated encrypted traffic management platform, easy-to-use policy enforcement points, and an adaptive security solution. The program failed to execute the same-origin policy in the X-Frame-Options HTTP header. Successfully exploiting these vulnerabilities will allow attackers to perform certain unauthorized actions, hijack an arbitrary session, gain access to the sensitive information or compromise the affected application. Other attacks are also possible

Trust: 3.24

sources: NVD: CVE-2015-2854 // CERT/CC: VU#498348 // JVNDB: JVNDB-2015-002882 // CNVD: CNVD-2015-03625 // BID: 74921 // VULHUB: VHN-80815

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-03625

AFFECTED PRODUCTS

vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	lte	version:	3.8.3	Trust: 1.0
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	lte	version:	3.8.3	Trust: 1.0
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	lte	version:	3.8.3	Trust: 1.0
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	lte	version:	3.8.3	Trust: 1.0
vendor:	blue coat	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	eq	version:	3.6.x from 3.8.4	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	lt	version:	3.8.x	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	lt	version:	3.8.x	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	eq	version:	3.6.x from 3.8.4	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	eq	version:	3.6.x from 3.8.4	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	lt	version:	3.8.x	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	eq	version:	3.6.x from 3.8.4	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	lt	version:	3.8.x	Trust: 0.8
vendor:	blue	model:	coat ssl visibility appliance sv800	scope:	-	version:	-	Trust: 0.6
vendor:	blue	model:	coat ssl visibility appliance sv3800	scope:	eq	version:	(3.6.x-3.8.x)<3.8.4	Trust: 0.6
vendor:	blue	model:	coat ssl visibility appliance sv2800	scope:	-	version:	-	Trust: 0.6
vendor:	blue	model:	coat ssl visibility appliance sv1800	scope:	-	version:	-	Trust: 0.6
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	eq	version:	3.8.3	Trust: 0.6
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	eq	version:	3.8.3	Trust: 0.6
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	eq	version:	3.8.3	Trust: 0.6
vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	eq	version:	3.8.3	Trust: 0.6
vendor:	bluecoat	model:	sv800	scope:	eq	version:	3.8.3	Trust: 0.3
vendor:	bluecoat	model:	sv800	scope:	eq	version:	3.6	Trust: 0.3
vendor:	bluecoat	model:	sv3800	scope:	eq	version:	3.8.3	Trust: 0.3
vendor:	bluecoat	model:	sv3800	scope:	eq	version:	3.6	Trust: 0.3
vendor:	bluecoat	model:	sv2800	scope:	eq	version:	3.8.3	Trust: 0.3
vendor:	bluecoat	model:	sv2800	scope:	eq	version:	3.6	Trust: 0.3
vendor:	bluecoat	model:	sv1800	scope:	eq	version:	3.8.3	Trust: 0.3
vendor:	bluecoat	model:	sv1800	scope:	eq	version:	3.6	Trust: 0.3
vendor:	bluecoat	model:	sv800	scope:	ne	version:	3.8.4	Trust: 0.3
vendor:	bluecoat	model:	sv3800	scope:	ne	version:	3.8.4	Trust: 0.3
vendor:	bluecoat	model:	sv2800	scope:	ne	version:	3.8.4	Trust: 0.3
vendor:	bluecoat	model:	sv1800	scope:	ne	version:	3.8.4	Trust: 0.3

sources: CERT/CC: VU#498348 // CNVD: CNVD-2015-03625 // BID: 74921 // JVNDB: JVNDB-2015-002882 // CNNVD: CNNVD-201505-605 // NVD: CVE-2015-2854

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-2854
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-2854
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-03625
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201505-605
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-80815
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-2854
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-03625
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-80815
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2015-03625 // VULHUB: VHN-80815 // JVNDB: JVNDB-2015-002882 // CNNVD: CNNVD-201505-605 // NVD: CVE-2015-2854

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.9

sources: VULHUB: VHN-80815 // JVNDB: JVNDB-2015-002882 // NVD: CVE-2015-2854

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201505-605

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201505-605

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002882

PATCH

title:	SA96	url:	https://bto.bluecoat.com/security-advisory/sa96	Trust: 0.8
title:	Multiple Blue Coat Systems SSL Visibility Appliance products incorrectly enter patches for verification vulnerabilities	url:	https://www.cnvd.org.cn/patchInfo/show/59398	Trust: 0.6

sources: CNVD: CNVD-2015-03625 // JVNDB: JVNDB-2015-002882

EXTERNAL IDS

db:	CERT/CC	id:	VU#498348	Trust: 4.2
db:	NVD	id:	CVE-2015-2854	Trust: 3.4
db:	BID	id:	74921	Trust: 2.0
db:	JVN	id:	JVNVU97084421	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-002882	Trust: 0.8
db:	CNNVD	id:	CNNVD-201505-605	Trust: 0.7
db:	CNVD	id:	CNVD-2015-03625	Trust: 0.6
db:	VULHUB	id:	VHN-80815	Trust: 0.1

sources: CERT/CC: VU#498348 // CNVD: CNVD-2015-03625 // VULHUB: VHN-80815 // BID: 74921 // JVNDB: JVNDB-2015-002882 // CNNVD: CNNVD-201505-605 // NVD: CVE-2015-2854

REFERENCES

url:	http://www.kb.cert.org/vuls/id/498348	Trust: 3.4
url:	https://bto.bluecoat.com/security-advisory/sa96	Trust: 2.5
url:	http://www.securityfocus.com/bid/74921	Trust: 1.7
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-2854	Trust: 1.4
url:	https://bto.bluecoat.com/news/ssl-visibility-v3.8.4-released	Trust: 0.8
url:	https://fishnetsecurity.com/6labs/blog/vulnerabilities-bluecoat-ssl-visibility-appliances	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/352.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/384.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/20.html	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-2854	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu97084421/index.html	Trust: 0.8
url:	https://www.bluecoat.com/products/ssl-visibility-appliance	Trust: 0.3

sources: CERT/CC: VU#498348 // CNVD: CNVD-2015-03625 // VULHUB: VHN-80815 // BID: 74921 // JVNDB: JVNDB-2015-002882 // CNNVD: CNNVD-201505-605 // NVD: CVE-2015-2854

CREDITS

Tim MalcomVetter of FishNet Security

Trust: 0.3

sources: BID: 74921

SOURCES

db:	CERT/CC	id:	VU#498348
db:	CNVD	id:	CNVD-2015-03625
db:	VULHUB	id:	VHN-80815
db:	BID	id:	74921
db:	JVNDB	id:	JVNDB-2015-002882
db:	CNNVD	id:	CNNVD-201505-605
db:	NVD	id:	CVE-2015-2854

LAST UPDATE DATE

2025-04-13T23:23:45.100000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#498348	date:	2015-06-02T00:00:00
db:	CNVD	id:	CNVD-2015-03625	date:	2015-06-09T00:00:00
db:	VULHUB	id:	VHN-80815	date:	2016-12-03T00:00:00
db:	BID	id:	74921	date:	2015-06-01T00:00:00
db:	JVNDB	id:	JVNDB-2015-002882	date:	2015-06-03T00:00:00
db:	CNNVD	id:	CNNVD-201505-605	date:	2015-06-05T00:00:00
db:	NVD	id:	CVE-2015-2854	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#498348	date:	2015-05-29T00:00:00
db:	CNVD	id:	CNVD-2015-03625	date:	2015-06-08T00:00:00
db:	VULHUB	id:	VHN-80815	date:	2015-05-30T00:00:00
db:	BID	id:	74921	date:	2015-06-01T00:00:00
db:	JVNDB	id:	JVNDB-2015-002882	date:	2015-06-03T00:00:00
db:	CNNVD	id:	CNNVD-201505-605	date:	2015-05-30T00:00:00
db:	NVD	id:	CVE-2015-2854	date:	2015-05-30T19:59:07.083