Details of VAR-201505-0268

ID

VAR-201505-0268

CVE

CVE-2015-4138

TITLE

Blue Coat SSL Visibility Appliance contains multiple vulnerabilities

Trust: 0.8

sources: CERT/CC: VU#498348

DESCRIPTION

The WebUI component in Blue Coat SSL Visibility Appliance SV800, SV1800, SV2800, and SV3800 3.6.x through 3.8.x before 3.8.4 does not include the HTTPOnly flag in a Set-Cookie header for the administrator's cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie, a different vulnerability than CVE-2015-2855. It is the core of encrypted traffic management, providing visibility into SSL traffic and supporting the addition of SSL checking to advanced threat protection solutions. The solution and the existing network security architecture. The HTTPOnly flag could not be set in the Set-Cookie header of the administrator cookie

Trust: 2.97

sources: NVD: CVE-2015-4138 // CERT/CC: VU#498348 // JVNDB: JVNDB-2015-002881 // CNVD: CNVD-2015-03623 // VULHUB: VHN-82099

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2015-03623

AFFECTED PRODUCTS

vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	lte	version:	3.8.3	Trust: 1.0
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	lte	version:	3.8.3	Trust: 1.0
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	lte	version:	3.8.3	Trust: 1.0
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	lte	version:	3.8.3	Trust: 1.0
vendor:	blue coat	model:	-	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	eq	version:	3.6.x from 3.8.4	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	lt	version:	3.8.x	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	lt	version:	3.8.x	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	eq	version:	3.6.x from 3.8.4	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	eq	version:	3.6.x from 3.8.4	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	lt	version:	3.8.x	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	eq	version:	3.6.x from 3.8.4	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	-	version:	-	Trust: 0.8
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	lt	version:	3.8.x	Trust: 0.8
vendor:	blue	model:	coat ssl visibility appliance sv800	scope:	-	version:	-	Trust: 0.6
vendor:	blue	model:	coat ssl visibility appliance sv3800	scope:	eq	version:	(3.6.x-3.8.x)<3.8.4	Trust: 0.6
vendor:	blue	model:	coat ssl visibility appliance sv2800	scope:	-	version:	-	Trust: 0.6
vendor:	blue	model:	coat ssl visibility appliance sv1800	scope:	-	version:	-	Trust: 0.6
vendor:	blue coat	model:	ssl visibility appliance sv800	scope:	eq	version:	3.8.3	Trust: 0.6
vendor:	blue coat	model:	ssl visibility appliance sv1800	scope:	eq	version:	3.8.3	Trust: 0.6
vendor:	blue coat	model:	ssl visibility appliance sv3800	scope:	eq	version:	3.8.3	Trust: 0.6
vendor:	blue coat	model:	ssl visibility appliance sv2800	scope:	eq	version:	3.8.3	Trust: 0.6

sources: CERT/CC: VU#498348 // CNVD: CNVD-2015-03623 // JVNDB: JVNDB-2015-002881 // CNNVD: CNNVD-201505-607 // NVD: CVE-2015-4138

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2015-4138
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2015-4138
value:	MEDIUM
Trust: 0.8
CNVD:	CNVD-2015-03623
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201505-607
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-82099
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2015-4138
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2015-03623
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-82099
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2015-03623 // VULHUB: VHN-82099 // JVNDB: JVNDB-2015-002881 // CNNVD: CNNVD-201505-607 // NVD: CVE-2015-4138

PROBLEMTYPE DATA

problemtype:

CWE-200

Trust: 1.9

sources: VULHUB: VHN-82099 // JVNDB: JVNDB-2015-002881 // NVD: CVE-2015-4138

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201505-607

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201505-607

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-002881

PATCH

title:	SA96	url:	https://bto.bluecoat.com/security-advisory/sa96	Trust: 0.8
title:	Patches for sensitive information vulnerabilities in various Blue Coat Systems SSL Visibility Appliance products	url:	https://www.cnvd.org.cn/patchInfo/show/59403	Trust: 0.6

sources: CNVD: CNVD-2015-03623 // JVNDB: JVNDB-2015-002881

EXTERNAL IDS

db:	CERT/CC	id:	VU#498348	Trust: 3.3
db:	NVD	id:	CVE-2015-4138	Trust: 3.1
db:	JVN	id:	JVNVU97084421	Trust: 0.8
db:	JVNDB	id:	JVNDB-2015-002881	Trust: 0.8
db:	CNNVD	id:	CNNVD-201505-607	Trust: 0.7
db:	CNVD	id:	CNVD-2015-03623	Trust: 0.6
db:	VULHUB	id:	VHN-82099	Trust: 0.1

sources: CERT/CC: VU#498348 // CNVD: CNVD-2015-03623 // VULHUB: VHN-82099 // JVNDB: JVNDB-2015-002881 // CNNVD: CNNVD-201505-607 // NVD: CVE-2015-4138

REFERENCES

url:	https://bto.bluecoat.com/security-advisory/sa96	Trust: 2.5
url:	http://www.kb.cert.org/vuls/id/498348	Trust: 2.5
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-4138	Trust: 1.4
url:	https://bto.bluecoat.com/news/ssl-visibility-v3.8.4-released	Trust: 0.8
url:	https://fishnetsecurity.com/6labs/blog/vulnerabilities-bluecoat-ssl-visibility-appliances	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/352.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/384.html	Trust: 0.8
url:	http://cwe.mitre.org/data/definitions/20.html	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/200.html	Trust: 0.8
url:	https://cwe.mitre.org/data/definitions/79.html	Trust: 0.8
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-4138	Trust: 0.8
url:	http://jvn.jp/vu/jvnvu97084421/index.html	Trust: 0.8

sources: CERT/CC: VU#498348 // CNVD: CNVD-2015-03623 // VULHUB: VHN-82099 // JVNDB: JVNDB-2015-002881 // CNNVD: CNNVD-201505-607 // NVD: CVE-2015-4138

SOURCES

db:	CERT/CC	id:	VU#498348
db:	CNVD	id:	CNVD-2015-03623
db:	VULHUB	id:	VHN-82099
db:	JVNDB	id:	JVNDB-2015-002881
db:	CNNVD	id:	CNNVD-201505-607
db:	NVD	id:	CVE-2015-4138

LAST UPDATE DATE

2025-04-13T23:23:45.215000+00:00

SOURCES UPDATE DATE

db:	CERT/CC	id:	VU#498348	date:	2015-06-02T00:00:00
db:	CNVD	id:	CNVD-2015-03623	date:	2015-06-09T00:00:00
db:	VULHUB	id:	VHN-82099	date:	2015-06-02T00:00:00
db:	JVNDB	id:	JVNDB-2015-002881	date:	2015-06-03T00:00:00
db:	CNNVD	id:	CNNVD-201505-607	date:	2015-06-05T00:00:00
db:	NVD	id:	CVE-2015-4138	date:	2025-04-12T10:46:40.837

SOURCES RELEASE DATE

db:	CERT/CC	id:	VU#498348	date:	2015-05-29T00:00:00
db:	CNVD	id:	CNVD-2015-03623	date:	2015-06-08T00:00:00
db:	VULHUB	id:	VHN-82099	date:	2015-05-30T00:00:00
db:	JVNDB	id:	JVNDB-2015-002881	date:	2015-06-03T00:00:00
db:	CNNVD	id:	CNNVD-201505-607	date:	2015-05-30T00:00:00
db:	NVD	id:	CVE-2015-4138	date:	2015-05-30T19:59:09.097