Initial Publication Date: 3 Feb 2006
Advisory Status: Closed
Advisory Severity: Medium
Legacy ID:
An error has been identified in SGOS version 4.1 that can cause policy which blocks CONNECT requests (implicitly or explicitly) to be ignored under certain circumstances. Instead of blocking the traffic, the proxy allows it.
This can turn the ProxySG into an open TCP proxy: a client that can reach the proxy can use CONNECT to tunnel arbitrary TCP traffic through it to any host and port, not just HTTPS on port 443.
Resolution: Upgrade to SGOS 4.1.4 or higher.
Workaround for ProxySG:
Place the following policy rule at the beginning of every VPM Web Access layer or CPL Proxy layer that contains an ALLOW, DENY or EXCEPTION action:
http.method=CONNECT url.port=!443 DENY
Adding this rule in a layer of its own does not work around the issue; it must be the first rule of every Web Access or Proxy layer. Note that the rule denies every CONNECT request whose destination port is not 443, so any legitimate CONNECT tunnels to other ports will also be blocked while the workaround is in place.
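The following CPL fragment is an added illustration of how the workaround is applied, not policy taken from the advisory or from Blue Coat. It shows two Proxy layers, each of which carries its own ALLOW, DENY or exception decision and therefore each begins with the workaround rule. The host names, client subnet and the use of the built-in policy_denied exception are assumptions chosen for the example.

```cpl
; Added example: the workaround rule must be the first rule of every
; Proxy layer that makes an ALLOW, DENY or EXCEPTION decision.
; Host names, the client subnet and the exception id are illustrative.

<Proxy>
    ; Workaround rule first: deny any CONNECT whose destination port is not 443
    http.method=CONNECT url.port=!443 DENY
    ; The layer's own rules follow unchanged
    client.address=10.0.0.0/8 url.domain=intranet.example.com ALLOW
    url.domain=example.net DENY

<Proxy>
    ; The same rule again at the top of the next layer: a layer without it
    ; still reaches its own ALLOW or exception decision for CONNECT traffic
    http.method=CONNECT url.port=!443 DENY
    url.domain=blocked.example.org exception(policy_denied)
    ALLOW
```

In CPL, the decision of the last matching layer overrides those of earlier layers, which is why a single standalone DENY layer is not enough: every later layer that can reach an ALLOW or exception verdict needs the rule at its head. After installing the policy, confirm the workaround by sending a raw CONNECT request through the proxy to a non-443 port (for example port 25 on any host); the proxy must answer with an error status rather than 200 Connection established.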