KB Article #179729
Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2014
List of possible security vulnerabilities reported against SecureTransport and corresponding analysis based on Axway's research.
NOTE: This KB lists only the vulnerabilities tagged with the year 2014. For CVEs from other years, refer to the following articles:
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2018
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2017
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2016
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2015
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2013
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2012
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2011
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2010
⇒ Security Vulnerabilities (CVE) reported against SecureTransport tagged with the year 2009 and earlier
Additional lists of security vulnerabilities reported against the SecureTransport application without formal CVE/CWE identifiers, or against ST appliance platforms, can be found at:
- Security vulnerabilities reported against SecureTransport, without formal CVE or CWE identifier
- Security vulnerabilities reported against ST appliances
CVE Reference | CVSS v2 Base Score | Attack Vector | Version Reported | Version Fixed | KB Article |
CVE-2014-3566 | 4.3 | Network | 4.9.2 SP2 - 5.2.1.x | 5.2.1 SP6, 5.3.1, 5.3.3 | - |
Added: N/A | Last modified: N/A
A design flaw in the SSL 3.0 protocol (the CBC padding bytes are neither authenticated nor checked by the receiver), also known as "POODLE".
As a protocol design flaw, all SecureTransport Server and Edge versions, regardless of the cryptographic provider, are vulnerable provided that

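What the "protocol design flaw" above means in practice, as an added worked example (not SecureTransport code and not part of the original article): a toy re-creation of the POODLE padding oracle. It keeps the one SSL 3.0 property that matters, that the receiver validates only the last padding byte, and shows an attacker who controls the lengths of what surrounds a secret in the client's requests recovering that secret byte by byte from accept/reject answers alone. The 16-byte SHA-256 Feistel block cipher, the random per-record IV and HMAC-SHA1 are assumptions made so the code runs offline with the standard library; the cipher is not secure and any CBC block cipher would give the same result.

```python
import hashlib
import hmac
import secrets

BLOCK = 16      # block size of the toy cipher (same as AES)
MAC_LEN = 20    # HMAC-SHA1, as in SSLv3 record protection

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, half, rnd):
    # Round function of the toy Feistel cipher (8 bytes out). Not a secure
    # cipher; it only stands in for AES/3DES so the example is self-contained.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))
        prev = cur
    return b"".join(out)

def seal_record(key, mac_key, data):
    """Sender: data || MAC || padding. SSLv3 defines only the last pad byte
    (the pad length); the other pad bytes are left random here. A random
    per-record IV is a simplifying assumption."""
    body = data + hmac.new(mac_key, data, hashlib.sha1).digest()
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    iv = secrets.token_bytes(BLOCK)
    padding = secrets.token_bytes(pad_len) + bytes([pad_len])
    return iv + cbc_encrypt(key, iv, body + padding)

def open_record(key, mac_key, record):
    """Receiver: True if the record is accepted. As in SSLv3, the pad bytes
    before the length byte are never checked; that is the POODLE flaw."""
    iv, ct = record[:BLOCK], record[BLOCK:]
    pt = cbc_decrypt(key, iv, ct)
    pad_len = pt[-1]
    if pad_len >= BLOCK or len(pt) < pad_len + 1 + MAC_LEN:
        return False
    body = pt[:len(pt) - pad_len - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha1).digest())

def poodle_recover(secret_len, send_request, oracle):
    """Attacker: chooses how many bytes the client puts before and after the
    secret (think URL path and POST body) and learns whether the server
    accepts each record. Each byte costs about 256 records on average."""
    recovered = bytearray()
    for j in range(secret_len):
        # Put secret[j] at the last byte of a block, and make the record end
        # with a block that is entirely padding (pad_len == BLOCK - 1).
        prefix_len = (BLOCK - 1 - j) % BLOCK
        suffix_len = -(MAC_LEN + prefix_len + secret_len) % BLOCK
        target = (prefix_len + j) // BLOCK + 1          # blocks[0] is the IV
        while True:
            rec = send_request(prefix_len, suffix_len)  # fresh IV and ciphertext
            blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
            forged = blocks[:-1] + [blocks[target]]     # C_t copied over the pad block
            if oracle(b"".join(forged)):
                # Accepted => last byte of P_t xor C_{t-1} xor C_{n-1} == BLOCK - 1
                recovered.append((BLOCK - 1) ^ blocks[target - 1][-1] ^ blocks[-2][-1])
                break
    return bytes(recovered)

def demo(secret=b"session=deadbeef"):
    """Victim client and server sharing keys; returns what the attacker recovers."""
    key, mac_key = secrets.token_bytes(16), secrets.token_bytes(16)

    def client(prefix_len, suffix_len):
        return seal_record(key, mac_key, b"/" * prefix_len + secret + b"&" * suffix_len)

    def server(record):
        return open_record(key, mac_key, record)

    return poodle_recover(len(secret), client, server)
```

The only defence is not to negotiate SSL 3.0 at all: a TLS 1.0+ receiver rejects the forged record because it checks every padding byte, so the oracle disappears. Also note the attack needs no cipher weakness; it works against any CBC suite as long as the padding check is the SSLv3 one.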
CVE-2014-0160 | 5.0 | Network | N/A | N/A | KB175930 (Announcement) |
Added: N/A | Last modified: N/A
Also known as "Heartbleed" (memory disclosure through the OpenSSL TLS heartbeat extension).
ST versions up to and including ST 5.1.x use
ST 5.2.x and above do not use OpenSSL.

CVE-2014-6271, CVE-2014-6277, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187 | 10.0 | Network | Windows: 4.9.2 - 5.2.1 SP4; Unix/Linux: 4.9.2 - 5.1.x | N/A | KB176462 |
Added: N/A | Last modified: N/A
Also known as "Shellshock": Bash executes code appended to function definitions that it imports from specially crafted environment variables (CVE-2014-6271); the remaining CVEs cover the incomplete fixes of the Bash parser that followed.
The ST product itself is not vulnerable; the exposure is the Bash shipped with the operating system. A fix has been provided for ST running on Axway appliances (SLES) and on MS Windows. For the other supported operating systems, Bash patches should be obtained from the respective OS vendors. Full details on the provided fix are available in KB176462.

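How to confirm the OS-level Bash fix on an ST host, as an added example (not Axway's patch tooling and not from the original article): it runs the two widely published Shellshock probes against whatever `bash` is on PATH, the first for CVE-2014-6271 and the second for the parser bug that survived the first fix (CVE-2014-7169). Both are harmless on a patched shell.

```python
import os
import shutil
import subprocess
import tempfile

def bash_runs_env_function_tail():
    """CVE-2014-6271: a vulnerable bash imports the function definition held
    in $x and keeps parsing, executing the trailing `echo vulnerable`.
    A patched bash prints only `test`."""
    env = dict(os.environ, x="() { :;}; echo vulnerable")
    out = subprocess.run(["bash", "-c", "echo test"], env=env,
                         capture_output=True, text=True).stdout
    return "vulnerable" in out

def bash_parser_redirect_bug():
    """CVE-2014-7169: the crafted value makes an unpatched bash treat the
    word `echo` as a redirection target, so the command creates a file named
    `echo` in the working directory. Run in a scratch directory so a
    vulnerable shell leaves nothing behind."""
    env = dict(os.environ, X="() { (a)=>\\")
    with tempfile.TemporaryDirectory() as work:
        subprocess.run(["bash", "-c", "echo date"], env=env, cwd=work,
                       capture_output=True, text=True)
        return os.path.exists(os.path.join(work, "echo"))

def check_shellshock():
    """Returns 'no-bash', 'vulnerable' or 'patched' for the bash on PATH."""
    if shutil.which("bash") is None:
        return "no-bash"
    if bash_runs_env_function_tail() or bash_parser_redirect_bug():
        return "vulnerable"
    return "patched"

if __name__ == "__main__":
    print(check_shellshock())
```

Run it as the user the ST services run as, after the vendor Bash update and a service restart, since a long-running process keeps its old environment handling until restarted.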
CVE-2014-0050, CVE-2014-0075 | 5.0 | Network | 5.2.1 SP4 | 5.2.1 SP5 | - |
Added: N/A | Last modified: N/A
Fixed by updating the bundled third-party Tomcat module to version 7.0.57 in ST 5.2.1 SP5.

CVE-2014-0114 | 7.5 | Network | 5.1, 5.2.1 | 5.1.0 SP3 P22, 5.2.1 SP3 P11 | N/A |
Added: 20 May 2019 | Last modified: 20 May 2019
Apache Commons BeanUtils / Struts 1 ClassLoader manipulation. SecureTransport was vulnerable; the issue is resolved by installing the respective patch listed above.

CVE-2014-0096, CVE-2014-0099, CVE-2014-0119 | 4.3 | Network | 5.2.1 SP4 | 5.2.1 SP5 | - |
Added: N/A | Last modified: N/A
Fixed by updating the bundled third-party Tomcat module to version 7.0.57 in ST 5.2.1 SP5.

CVE-2014-0076 | 4.3 | Network | 5.1.x | N/A | - |
Added: N/A | Last modified: N/A
ECDSA nonce recovery through a FLUSH+RELOAD cache side channel, so it only matters where ECDSA signing is in use. ST may use ECC, provided that the cipher string allows it and the server key is an ECC or hybrid key. Such a key has to be generated by a third-party tool (xca, OpenSSL, etc.), as ST itself only generates RSA/DSA keys.
A fix is to be provided in a future service pack of the ST 5.1.x branch.

CVE-2014-3466 | 6.8 | Network | 4.6 | N/A | - |
Added: N/A | Last modified: N/A
Not applicable: ST 4.6 does not use GnuTLS.

CVE-2014-5139 | 4.3 | Network | 5.2.x, 5.1.x | N/A | - |
Added: N/A | Last modified: N/A
Not vulnerable. ST does not use SRP, and the OpenSSL build underlying the Certicom SBOSAPI layer does not implement SRP either.

CVE-2014-3513 | 7.1 | Network | 5.2.x, 5.1.x | N/A | - |
Added: N/A | Last modified: N/A
Not vulnerable. ST does not use DTLS.

CVE-2014-3512 | 7.5 | Network | 5.2.x, 5.1.x | N/A | - |
Added: N/A | Last modified: N/A
Not vulnerable. ST does not use SRP, and the OpenSSL build underlying the Certicom SBOSAPI layer does not implement SRP either.

CVE-2014-3511 | 4.3 | Network | 5.2.x, 5.1.x | N/A | - |
Added: N/A | Last modified: N/A
ST 5.2.x versions are not vulnerable.
ST 5.1.x versions are affected; a fix for 5.1.x is to be provided as part of a Service Pack.

CVE-2014-3510 | 4.3 | Network | 5.2.x, 5.1.x | N/A | - |
Added: N/A | Last modified: N/A
Not vulnerable if anonymous ECDH ciphers are disabled.
To disable the above ciphers (ST 5.1.x) add
ST 5.2.x and above branches are not affected.

CVE-2014-3509 | 6.8 | Network | 5.2.x, 5.1.x | N/A | - |
Added: N/A | Last modified: N/A
ST versions earlier than 5.2.x might be vulnerable, provided an ECC or hybrid key is used and the server advertises an ECC cipher suite.
To be addressed in a future SP for the ST 5.1.x branch.

CVE-2014-3508 | 4.3 | Network | 5.2.x, 5.1.x | N/A | - |
Added: N/A | Last modified: N/A
ST is not vulnerable.

CVE-2014-3505, CVE-2014-3506, CVE-2014-3507 | 5.0 | Network | 5.2.x, 5.1.x | N/A | - |
Added: N/A | Last modified: N/A
Not vulnerable. ST does not use DTLS.

CVE-2014-3470 | 4.3 | Network | 5.1.x | N/A | - |
Added: N/A | Last modified: N/A
Not vulnerable if anonymous ECDH ciphers are disabled.
To disable the above ciphers in ST 5.1.x add
ST 5.2.x and above branches are not affected.

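An outside-in check for the two conditions this article ties to exposure, SSL 3.0 still being negotiable (POODLE, CVE-2014-3566 above) and anonymous ECDH suites still being enabled (CVE-2014-3510 and CVE-2014-3470), as an added example that is not Axway's tooling and not part of the original article. It builds raw ClientHello records with the Python standard library only, so it still works where the local OpenSSL has SSLv3 or the aNULL suites compiled out, and it judges the server by what it actually negotiates rather than by what the cipher string was meant to say. The host name and port in the usage block are placeholders, not ST defaults.

```python
import os
import socket
import struct

SSLV3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303

# RFC 4492 anonymous ECDH suites (no server authentication at all).
ANON_ECDH_SUITES = [0xC016, 0xC017, 0xC018, 0xC019]
# An ordinary RSA offer, used as the control when asking "is SSLv3 accepted?".
RSA_SUITES = [0x002F, 0x0035, 0x000A]   # AES128-SHA, AES256-SHA, DES-CBC3-SHA
TLS_FALLBACK_SCSV = 0x5600              # RFC 7507 downgrade-protection signal

def build_client_hello(version, suites, with_ecc_extensions=True):
    """Encode a minimal ClientHello record for `version` offering `suites`."""
    body = struct.pack(">H", version) + os.urandom(32) + b"\x00"   # client_version, random, no session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                            # null compression only
    if with_ecc_extensions and version != SSLV3:
        groups = struct.pack(">HH", 0x0017, 0x0018)                # secp256r1, secp384r1
        ext = struct.pack(">HHH", 0x000A, len(groups) + 2, len(groups)) + groups
        ext += struct.pack(">HHBB", 0x000B, 2, 1, 0)               # ec_point_formats: uncompressed
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body              # HandshakeType client_hello
    return b"\x16" + struct.pack(">HH", version, len(hs)) + hs       # ContentType handshake

def classify_response(data):
    """Decode the first record the server sent back.
    Returns ('server_hello', version, suite), ('alert', level, description)
    or ('other', content_type, None)."""
    if len(data) < 5:
        return ("other", None, None)
    ctype, _rec_version, rec_len = struct.unpack(">BHH", data[:5])
    payload = data[5:5 + rec_len]
    if ctype == 21 and len(payload) >= 2:                          # Alert
        return ("alert", payload[0], payload[1])
    if ctype == 22 and len(payload) >= 41 and payload[0] == 2:     # Handshake: ServerHello
        version = struct.unpack(">H", payload[4:6])[0]
        sid_len = payload[38]
        suite = struct.unpack(">H", payload[39 + sid_len:41 + sid_len])[0]
        return ("server_hello", version, suite)
    return ("other", ctype, None)

def accepted(result, suites):
    """True when the server negotiated one of the suites we offered, i.e. it
    accepted the protocol version and cipher family under test."""
    kind, _version, suite = result
    return kind == "server_hello" and suite in suites

def probe(host, port, version, suites, timeout=5.0):
    """Send one ClientHello and classify the first record that comes back.
    This is the only function that touches the network."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version, suites))
        reply = b""
        while True:
            need = 5 + struct.unpack(">H", reply[3:5])[0] if len(reply) >= 5 else 5
            if len(reply) >= need:
                break
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return classify_response(reply)

if __name__ == "__main__":
    host, port = "st.example.invalid", 443            # placeholders, not ST defaults
    sslv3 = probe(host, port, SSLV3, RSA_SUITES)
    anon = probe(host, port, TLS10, ANON_ECDH_SUITES)
    print("SSLv3 accepted (POODLE exposure):", accepted(sslv3, RSA_SUITES))
    print("anonymous ECDH accepted:", accepted(anon, ANON_ECDH_SUITES))
```

A correctly configured endpoint answers the SSLv3 offer with a fatal alert (typically protocol_version or handshake_failure) and the anonymous-only offer with handshake_failure; any ServerHello to either offer means the respective setting is still in effect. Run the probe against every ST listener that terminates TLS (HTTPS, FTPS, AS2), since each can carry its own cipher configuration.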
CVE-2014-0224 | 6.8 | Network | 5.1.x | 5.1 SP3 P30 | - |
Added: N/A | Last modified: N/A
Also known as "CCS Injection" (OpenSSL accepts a ChangeCipherSpec message before the key exchange is complete).
ST 5.1.x branch: fixed in Patch 30 for ST 5.1 SP3.
ST 5.2.x and above branches are not affected.

CVE-2014-0221 | 4.3 | Network | 5.1.x | N/A | - |
Added: N/A | Last modified: N/A
Not vulnerable: ST does not use OpenSSL as a DTLS client or server.

CVE-2014-0198 | 4.3 | Network | 5.1.x | N/A | - |
Added: N/A | Last modified: N/A
Not vulnerable.

CVE-2014-0195 | 6.8 | Network | 5.1.x | N/A | - |
Added: N/A | Last modified: N/A
Not vulnerable: ST does not use OpenSSL as a DTLS client or server.