Initial Publication Date: Advisory Status: Advisory Severity: CVSS Base Score:Legacy ID
1 Feb 2012 Closed Medium CVSS v2: 6.8 SA68
Reporter uses a version of OpenSSL that has several publicly documented vulnerabilities. The most severe vulnerability allows an attacker to gain complete control over a Reporter installation.
All versions of Reporter prior to 18.104.22.168 and 22.214.171.124 are vulnerable.
Reporter 9.3 - a fix is available in 126.96.36.199.
Reporter 9.2 - a fix is available in 188.8.131.52.
Reporter 9.1 - please upgrade to a later version.
Reporter 8.3 - please upgrade to a later version.
CVE-2011-0014 - CVSS base score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2010-3864- CVSS base score: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
Reporter 184.108.40.206 and 220.127.116.11 use OpenSSL version 0.9.8o. Reporter 18.104.22.168 uses OpenSSL version 0.9.8j. Reporter 22.214.171.124 uses OpenSSL version 0.9.8e. Each version of OpenSSL has several publicly documented vulnerabilities. OpenSSL version 0.9.8e is not vulnerable to CVE-2011-0014, therefore Reporter 126.96.36.199 is not vulnerable.
The most severe vulnerability allows an attacker to gain complete control over a Reporter installation. The attacker can view and modify configuration data as well as data sent to and from Reporter. An attacker can also render Reporter completely unresponsive for administrative control as well as data transmission.
When Reporter is deployed behind a firewall, as is recommended, an attacker must gain access from the internal network in order to mount an attack. The CVSS base scores included in this advisory are based on this deployment scenario.
If Reporter is deployed outside of the firewall. the CVSS base score for all CVEs listed would be higher. The CVSS base score for this security advisory would be a 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C).
Reporter 188.8.131.52 and 184.108.40.206 contain an upgrade to OpenSSL 0.9.8r fixing the CVEs documented in this security advisory.
Blue Coat recommends that Reporter be deployed behind a firewall. Additional constraints on what IP addresses can be used to connect to Reporter will greatly limit the ability to attack a Reporter installation.