SYMSA1042

SA15 : Potential Compromise of Private Keys

Last Updated May 17, 2004
Initial Publication Date May 17, 2004
  • Status: Closed
  • Severity: High
  • CVSS Base Score:

Some Blue Coat Products have a problem that can result in revealing the private key associated with an imported certificate.

Importing a private key through the web-based administrative interface (the management console) results in the private key and its pass-phrase being logged in cleartext on the device. Certain device configurations or administrator actions can result in this information being revealed outside the appliance.

Note that importing a private key via the command-line interface does not expose the private key - this problem is specific to the browser-based interface.

Customers using these products that have imported a private key through the web-based administrative interface should be aware that the key may have been compromised and are advised to generate a new key pair and certificate, and to replace the existing key pair/certificate with the new one. The existing certificate should be revoked; customers should contact their certificate authority for revocation requirements and procedures.

The new key should be imported via the command line interface if using one of the affected releases.

SA15

Thanks for your feedback. Let us know if you have additional comments below. (requires login)