ST is not vulnerable.

Upon further review, this is a definite edge case and impacts network element vendors that build and implement the TLS protocol. Examples include Cisco ASA (CVE-2015-4558), F5 Big-IP (CVE-2015-5517), Juniper (CVE-2015-5309) and Fortinet and Citrix. Axway does not build and implement the protocol. We are users of a standard protocol supplied by the OpenSSL community.

The "POODLE's Friend" vulnerability is not a cipher specification issue, rather an implementation of the TLS protocol issue (parsing MAC and FINISHED messages within TLS key exchange). The author suggest it is 0.076% chance this could occur (0.00076). The author even suggested that this may not be attackable because -- in the wild, it would be nearly impossible to predict the MAC, which his tool calculated for testing purposes.

The Secure Transport (ST) product does not include the glibc library in the product distribution and therefore ST has no remediation required.

Axway released an update for Axway Appliance OS that upgrades the glibc packages to a non-vulnerable version.

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character

Novell kernel in SLES11-SP3 with version 3.0.101-0.47.71.1 has the patch for the CVE 2015-8215. Updated kernel versions are available at Axway repository.

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

None of currently supported branches of ST is affected.

Axway released a patch for Axway appliance OS as current Appliance Platform versions (as of 02/22/2016) require it.

None of currently supported branches of ST is affected.

ST 5.2.x and later versions are not affected.

ST 5.1.x doesn't use a custom verification callback, hence it is not affected.

ST 5.2.x and later versions are not vulnerable.

ST 5.1.x may be vulnerable only if it uses ECC keys. Given the fact that ECC keys can't be imported into ST, although the vulnerability exists, there is no exploit vector.

Also known as "Logjam".

Addressed in:

• ST 5.1 SP3 Patch 30
• ST 5.2.1 SP6 (for the ST 5.2.1 branch)
• ST 5.3.1 (for the ST 5.3.x branch)

Versions equal to or above the listed ones are no longer found vulnerable.

Critical vulnerability in the glibc library aka "GHOST".

SecureTransport itself is not vulnerable as it does not statically link to any of the glibc libraries on any platform.

However, the Axway Appliance Platform, which comes with SecureTransport virtual appliance and SecureTransport hardware appliance, is vulnerable and updated glibc libraries are available at the referenced KB article.