Skip to main content
Support

KB Article #179727

Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2015

List of possible security vulnerabilities reported against SecureTransport and corresponding analysis based on Axway's research.


NOTE: This KB lists only the vulnerabilities, tagged with the year 2015. For CVEs from other years, refer to the following articles:
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2018
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2017
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2016
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2014
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2013
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2012
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2011
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2010
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2009 and earlier


Additional lists of security vulnerabilities reported against SecureTransport application without formal CVE/CWE identifiers or against ST appliance platforms can be found at :



CVE Reference CVSS v2 Base Score Attack Vector Version Reported Version Fixed KB Article
CVE-2015-5517 N/A N/A 5.3.1 N/A -
Added: N/A Last modified: N/A

ST is not vulnerable.


Upon further review, this is a definite edge case and impacts network element vendors that build and implement the TLS protocol. Examples include Cisco ASA (CVE-2015-4558), F5 Big-IP (CVE-2015-5517), Juniper (CVE-2015-5309) and Fortinet and Citrix. Axway does not build and implement the protocol. We are users of a standard protocol supplied by the OpenSSL community.


The "POODLE's Friend" vulnerability is not a cipher specification issue, rather an implementation of the TLS protocol issue (parsing MAC and FINISHED messages within TLS key exchange). The author suggest it is 0.076% chance this could occur (0.00076). The author even suggested that this may not be attackable because -- in the wild, it would be nearly impossible to predict the MAC, which his tool calculated for testing purposes.

CVE-2015-7547 6.1 Network N/A N/A KB177741
Added: N/A Last modified: N/A

The Secure Transport (ST) product does not include the glibc library in the product distribution and therefore ST has no remediation required.


Axway released an update for Axway Appliance OS that upgrades the glibc packages to a non-vulnerable version.

CVE-2015-5345 5.3 Network 5.0
5.3.1.x
5.0 Patch 95
5.3.1 Patch 2
and above
-
Added: N/A Last modified: N/A

The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character

CVE-2015-8215 5.0 Network AP 6.7.1 - -
Added: N/A Last modified: N/A

Novell kernel in SLES11-SP3 with version 3.0.101-0.47.71.1 has the patch for the CVE 2015-8215. Updated kernel versions are available at Axway repository.

CVE-2015-5174 4.3 Network 5.0
5.3.1.x
5.0.0 Patch 95
5.3.1 Patch 2
and above
-
Added: N/A Last modified: N/A

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

CVE-2015-7547 6.1 Network 5.0 - 5.3.0 N/A KB177741
Added: N/A Last modified: N/A

None of currently supported branches of ST is affected.


Axway released a patch for Axway appliance OS as current Appliance Platform versions (as of 02/22/2016) require it.

CVE-2015-1793 6.4 Network 5.0 - 5.3.0 N/A KB177255
Added: N/A Last modified: N/A

None of currently supported branches of ST is affected.

CVE-2015-1789 4.3 Network 5.1 - 5.3.0 N/A -
Added: N/A Last modified: N/A

ST 5.2.x and later versions are not affected.


ST 5.1.x doesn't use a custom verification callback, hence it is not affected.

CVE-2015-1788 4.3 Network 5.1 - 5.3.x N/A -
Added: N/A Last modified: N/A

ST 5.2.x and later versions are not vulnerable.


ST 5.1.x may be vulnerable only if it uses ECC keys. Given the fact that ECC keys can't be imported into ST, although the vulnerability exists, there is no exploit vector.

CVE-2015-4000 4.3 Network 5.1.x - 5.3.x ST 5.1 SP3 Patch 30
ST 5.2.1 SP6
ST 5.3.1
-
Added: N/A Last modified: N/A

Also known as "Logjam".


Addressed in:


  • ST 5.1 SP3 Patch 30
  • ST 5.2.1 SP6 (for the ST 5.2.1 branch)
  • ST 5.3.1 (for the ST 5.3.x branch)


Versions equal to or above the listed ones are no longer found vulnerable.

CVE-2015-0235 10.0 Network 4.9.2 SP2 - 5.2.1.x N/A KB176788
Added: N/A Last modified: N/A

Critical vulnerability in the glibc library aka "GHOST".


SecureTransport itself is not vulnerable as it does not statically link to any of the glibc libraries on any platform.


However, the Axway Appliance Platform, which comes with SecureTransport virtual appliance and SecureTransport hardware appliance, is vulnerable and updated glibc libraries are available at the referenced KB article.