Consolidated list of vulnerabilities that do not pose a risk to the Web Gateway appliance
Technical Articles ID:   KB88086
Last Modified:  9/30/2019
Environment

McAfee Web Gateway (MWG)

Summary

The following table lists the vulnerabilities (CVEs) that Technical Support has investigated and concluded represent no risk to the MWG appliance when installed in a supported configuration.

IMPORTANT: New CVEs will be added to this list after they have been investigated and determined to pose no risk to the appliance. This article also consolidates vulnerabilities from existing articles that have been previously investigated.

CVE and Reference Description Comment
CVE-2014-0094
CVE-2016-3087
CVE-2017-5638
CVE-2017-9805
CVE-2014-0094 was reported against Apache Struts:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0094
The ParametersInterceptor in Apache Struts before 2.3.16.1 allows remote attackers to manipulate the ClassLoader via the class parameter, which is passed to the getClass method.

CVE-2016-3087 was reported against Apache Struts:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3087
Apache Struts 2.3.20.x before 2.3.20.3, 2.3.24.x before 2.3.24.3, and 2.3.28.x before 2.3.28.1, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via vectors related to an exclamation point (!) operator to the REST Plugin.

CVE-2017-5638 was reported against Apache Struts:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 mishandles file upload. This mishandling allows remote attackers to execute arbitrary commands via a #cmd= string in a crafted Content-Type HTTP header, as exploited in the wild in March 2017.

CVE-2017-9805 was reported against Apache Struts:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9805
The REST Plugin in Apache Struts 2.1.2 through 2.3.x before 2.3.34 and 2.5.x before 2.5.13 uses an XStreamHandler with an instance of XStream for deserialization without any type filtering. This use can lead to Remote Code Execution when deserializing XML payloads.
McAfee Email Gateway 7.x (MEG) uses the Apache 2 HTTP server, but the appliance does not use Apache Struts. So, MEG 7.x is not affected by these vulnerabilities.
CVE-2016-5018
CVE-2016-6794
CVE-2016-6796
CVE-2016-6797
CVE-2016-0762

1165759
CVE-2016-5018:
A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
For more information, see:
http://www.openwall.com/lists/oss-security/2016/10/27/9

CVE-2016-6794:
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

CVE-2016-6796:
A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

CVE-2016-6797:
The ResourceLinkFactory did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. So, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. 

CVE-2016-0762
The Realm implementations did not process the supplied password if the supplied user name did not exist. As a result, it made a timing attack possible to determine valid user names. The default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

For more information about these vulnerabilities, see:
https://tomcat.apache.org/security-7.html
CVE-2016-6797:
MWG does not allow or support deployment of third-party Web Applications.
Also, the MWG manager does not use JNDI resources (global or explicitly linked).

CVE-2016-5018, CVE-2016-6794 or CVE-2016-6796:
MWG does not allow or support deployment of third-party Web Applications, so malicious Web Applications cannot exploit these vulnerabilities.

CVE-2016-0762:
The MWG manager does use Apache Tomcat's Realm implementation.
CVE-2014-1568

1013040

CVE-2014-1568:
Vulnerability in the Mozilla Network Security Services (NSS) crypto library.
Mozilla Network Security Services (NSS) before 3.16.2.1, 3.16.x before 3.16.5, and 3.17.x before 3.17.1, as used in Mozilla Firefox before 32.0.3, Mozilla Firefox ESR 24.x before 24.8.1 and 31.x before 31.1.1, Mozilla Thunderbird before 24.8.1 and 31.x before 31.1.2, Mozilla SeaMonkey before 2.29.1, Google Chrome before 37.0.2062.124 on Windows and OS X, and Google Chrome OS before 37.0.2062.120, does not properly parse ASN.1 values in X.509 certificates. The result is that it is easier for remote attackers to spoof RSA signatures via a crafted certificate, aka a "signature malleability" issue.
 
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1568

  • Most supported versions of Web Gateway do not use NSS, so they are not affected by this vulnerability while handling web traffic.
  • Web Gateway 7.4.2.3 and later use NSS, but these NSS versions are not affected by this vulnerability.
  • Some of the system links point to NSS, but they do not use RSA signature processing.

NOTE: This information was formerly hosted in article KB83091.
CVE-2015-5477

1083675

CVE-2015-5477:
This issue is a BIND vulnerability caused by an error in handling TKEY queries that can cause named to exit with a REQUIRE assertion failure.

For more information, see:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5477  
 

MWG uses a BIND version affected by this issue. But, in the MWG implementation, there is no way to exploit the issue because named is running on the loopback interface only. The only clients pointing to named are the local glibc stub resolver and MWG uDNS. Foreign attackers have no way to create a TKEY query through the glibc stub resolver or MWG uDNS.

MWG will likely import a fixed BIND package in a future version, but there is no urgency because MWG is not vulnerable.

NOTE:  This information was formerly hosted in article KB85342.
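
The CVE-2015-5477 assessment above rests on named listening on the loopback interface only. The following added example (not McAfee code or MWG tooling) shows one way to confirm that on a generic Linux host by parsing `ss -H -lntu` output; the function names and the sample output are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -lntu` output (not captured from an appliance).
SAMPLE_SS = """\
udp   UNCONN 0      0          127.0.0.1:53        0.0.0.0:*
tcp   LISTEN 0      10         127.0.0.1:53        0.0.0.0:*
udp   UNCONN 0      0              [::1]:53           [::]:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
udp   UNCONN 0      0       192.0.2.10%eth0:53     0.0.0.0:*
tcp   LISTEN 0      10                 *:53              *:*
"""


def split_local(field):
    """Split 'addr:port' from ss, handling %scope suffixes and [v6] brackets."""
    addr, _, port = field.rpartition(":")
    addr = addr.split("%", 1)[0].strip("[]")
    return addr, port


def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcards and junk count as exposed."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # '*' or an unparsable address: treat as not loopback


def exposed_dns_listeners(ss_output, port="53"):
    """Return (proto, local_address) for every port-53 socket not on loopback."""
    exposed = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue  # not a socket line
        addr, lport = split_local(cols[4])
        if lport == port and not is_loopback(addr):
            exposed.append((cols[0], cols[4]))
    return exposed


if __name__ == "__main__":
    for proto, local in exposed_dns_listeners(SAMPLE_SS):
        print(f"DNS listener reachable off-host: {proto} {local}")
```

An empty result supports the loopback-only assumption; any entry means the resolver is reachable from another interface and the "not exploitable" reasoning no longer holds for that host.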

CVE-2015-1635
CVE-2015-1635:
A Microsoft vulnerability in the Http.sys kernel driver used in many of its operating systems. Affected operating systems include Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2. Http.sys is the kernel mode driver that handles HTTP requests. The vulnerability could allow remote code execution if an attacker sends a specially crafted HTTP request to an affected Windows system. The vulnerability exists when the Http.sys component improperly parses specially crafted HTTP requests that include an HTTP "Range" Header with a very large value. Microsoft IIS is one commonly used web server that is known to be vulnerable, but any software that uses the Http.sys kernel driver could be vulnerable.

For more information, see:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1635
MWG protects your environment out of the box when you implement MWG's default policy.

MWG's Gateway Antimalware rule set includes a rule named Remove Partial Content for HTTP(s) Requests, which removes the Range Header to prevent Partial Downloads.

In addition to protecting end-users from this vulnerability, removing the Range Header also allows MWG to scan the complete HTTP or HTTPS file. In this way, malicious content distributed over several parts of a file can be detected.
 
If you do not use the default Gateway Antimalware rules, you can add the rule Remove Partial Content for HTTP(s) Requests to your policy to secure all Windows installations. You can either import the default Gateway Antimalware rule set from the rule set library, or use the attached screenshot to create a rule yourself.

NOTE:  This information was formerly hosted in article KB84520.
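
The effect of a rule such as Remove Partial Content for HTTP(s) Requests can be pictured with the following added example, which is not McAfee's rule implementation. It drops every Range header from a request before forwarding and records what was removed for logging; the function names, the sample request and the 2**53 threshold for a "very large" value are assumptions of this example.

```python
import re

# Assumption for this example: any byte position beyond 2**53 is treated as
# "very large"; the article gives no numeric threshold.
MAX_SANE_OFFSET = 2 ** 53
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


def inspect_range(value):
    """Classify a Range header value as 'ok', 'oversized' or 'malformed'."""
    unit, sep, specs = value.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return "malformed"
    verdict = "ok"
    for spec in specs.split(","):
        m = RANGE_SPEC.match(spec)
        # A spec needs at least a first or a last byte position.
        if not m or not (m.group(1) or m.group(2)):
            return "malformed"
        if any(n and int(n) > MAX_SANE_OFFSET for n in m.groups()):
            verdict = "oversized"
    return verdict


def strip_range(headers):
    """Drop every Range header (names are case-insensitive) from a request.

    Returns (forwarded_headers, findings); findings lists each removed value
    with its classification so the proxy can log it.
    """
    forwarded, findings = [], []
    for name, value in headers:
        if name.strip().lower() == "range":
            findings.append((inspect_range(value), value))
        else:
            forwarded.append((name, value))
    return forwarded, findings


# Constructed request headers, not taken from real traffic.
SAMPLE = [
    ("Host", "files.example.test"),
    ("rAnGe", "bytes=0-99999999999999999999"),
    ("Accept", "*/*"),
]

if __name__ == "__main__":
    print(strip_range(SAMPLE))
```

Because the forwarded request carries no Range header, the origin returns the complete object, which is what lets the gateway scan the whole file as described above.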
CVE-2015-1793

1078983
CVE-2015-1793:
The X509_verify_cert function in crypto/x509/x509_vfy.c in OpenSSL 1.0.1n, 1.0.1o, 1.0.2b, and 1.0.2c does not properly process X.509 Basic Constraints cA values during identification of alternative certificate chains. The result is that it allows remote attackers to spoof a Certification Authority role and trigger unintended certificate verifications via a valid leaf certificate.

For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
Web Gateway is not vulnerable to this issue. No supported versions of Web Gateway use the affected OpenSSL version.

NOTE:  This information was formerly hosted in article KB85206.
CVE-2016-0800

1124041

CVE-2016-0800:
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data. The result is that it makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a DROWN attack.

For more information, see:
MWG is not affected by this vulnerability because it does not support SSLv2.

NOTE: This information was formerly hosted in article KB86748.
CVE-2015-4000

1067091

CVE-2015-4000:
The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice. The result is that it allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the Logjam issue.
 
For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-4000
 

MWG is not vulnerable to this issue.
All versions of MWG use DH keys with a strength of 1024-bit or greater.

NOTE: This information was formerly hosted in article KB84890.
CVE-2015-3197

CVE-2016-0701

1119566

CVE-2015-3197:
ssl/s2_srvr.c in OpenSSL 1.0.1 before 1.0.1r and 1.0.2 before 1.0.2f does not prevent use of disabled ciphers, which makes it easier for man-in-the-middle attackers to defeat cryptographic protection mechanisms by performing computations on SSLv2 traffic, related to the get_client_master_key and get_client_hello functions.

For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197

CVE-2016-0701:
The DH_check_pub_key function in crypto/dh/dh_check.c in OpenSSL 1.0.2 before 1.0.2f does not ensure that prime numbers are appropriate for Diffie-Hellman (DH) key exchange. The result is that it makes it easier for remote attackers to discover a private DH exponent by making multiple handshakes with a peer that chose an inappropriate number, as shown by a number in an X9.42 file.

For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0701
 

MWG is not vulnerable to these issues:

MWG has already set SSL_OP_NO_SSLv2 in all places, so MWG is not vulnerable to CVE-2015-3197.

MWG uses OpenSSL 1.0.1p-1, which is not vulnerable to CVE-2016-0701 because the version does not support X9.42-based parameters. MWG imported a fixed OpenSSL package in the following versions:
  • 7.5.2.6
  • 7.6.1.1
  • 7.6.2

NOTE:  This information was formerly hosted in article KB86552.

Solution

NOTE: Any future product functionality or releases mentioned in the Knowledge Base are intended to outline our general product direction and should not be relied on, either as a commitment, or when making a purchasing decision.

Attachment

RemovePartialDownloads.zip