| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: December 17, 2009
| CVE-2009-2631 | Affected |
Regarding US-CERT Vulnerability Note VU# 261869, AEP Netilla currently mitigates exposure because of its secure design. By default, AEP Netilla is “locked down” meaning all access to and from Netilla is denied. All types of access must be explicitly granted. Thus, when a Web reverse proxy application is configured on Netilla, users cannot access the application and Netilla will not allow the connection to the application until policies that grant access are created. Details such as whether or not to allow cookies are part of the connection access policy. Because all access to and from Netilla is denied by default, any attempt to direct a user to an attacker created web page will be denied. Netilla is also protected from the other method described in the Vulnerability Note where user key strokes are trapped in a hidden frame. When that frame attempts to send out the captured data, the data is re-written to go to Netilla where Netilla's policy checking engine will drop the data. AEP recommends that Netilla customers only add access rules for known trusted sites. If customers require access to servers outside of their control AEP recommends that they only configure policy rules that grant the absolute minimal access needed and can further mitigate the risk with these application policy settings: Cookie Support = No; JavaScript Handling = Delete; Vbscript Handling = Delete; and Host Name Hiding, a system-wide configuration setting, should be left at the default option = Do Not Hide.
CERT/CC has listed AEP Networks as vulnerable because certain configurations are subject to the issues described in the note. Administrators are encouraged to review their deployment for applicability.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
Checkpoint has posted the following information: https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk43265
Statement Date: December 04, 2009
| CVE-2009-2631 | Affected |
The limitations described in VU#261869 affect all vendors offering a truly Clientless SSL VPN solution, including Cisco. Cisco has published a Security Activity Bulletin that provides additional information at the following link: http://tools.cisco.com/security/center/viewAlert.x?alertId=19500 This bulletin includes links to documentation that guide customers on how to properly configure Clientless SSL VPN deployments for the purpose of accessing trusted resources to avoid getting in to a situation which may cause concern. Cisco Secure Desktop (CSD) is a multifunctional component of the Cisco SSL VPN solution that can also be used with Clientless connections to protect against these security risks. Additionally, customers can use the Cisco AnyConnect client. Cisco Anyconnect provides remote end users with support of applications and functions unavailable to a clientless, browser-based SSL VPN connection. Information about CSD and AnyConnect can be found at: http://www.cisco.com/go/sslvpn.
Cisco has published information about this issue at: http://tools.cisco.com/security/center/viewAlert.x?alertId=19500 http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp999589 http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/webvpn.html#wp999589 http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp999589 http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html#wp1101982 http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/svc.html#wp1079707 http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1081849
| CVE-2009-2631 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
Citrix has published the following article: http://support.citrix.com/article/CTX123610
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: October 23, 2009
| CVE-2009-2631 | Not Affected |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: October 26, 2009
| CVE-2009-2631 | Not Affected |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: October 19, 2009
| CVE-2009-2631 | Not Affected |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: December 03, 2009
| CVE-2009-2631 | Not Affected |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: December 15, 2009
| CVE-2009-2631 | Not Affected |
ISS is NOT affected by this issue.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: November 30, 2009
| CVE-2009-2631 | Affected |
Please see Juniper Networks Product Security Notification PSN-2009-11-580: https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2009-11-580&viewMode=view
Juniper has also published the following information: Juniper Networks recommendations for mitigating VU#261869: http://kb.juniper.net/KB15799 Users are encouraged to review this knowledge base article and apply the workarounds they describe.
Statement Date: September 29, 2009
| CVE-2009-2631 | Not Affected |
The Kerio Clientless SSL-VPN is intended to access files on the network where it is deployed. It by design does not work as a reverse HTTP proxy and it does not create nor modify HTTP cookies of other web services. As such it is not affected by the described vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: October 22, 2009
| CVE-2009-2631 | Not Affected |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: December 05, 2009
| CVE-2009-2631 | Affected |
If customer chooses co-host resources of a different trust (different web applications and ssl-vpn internal application/portal) this situation can arise. Although there is another choice that customer can make - use a separate domain for each application. The trade-off is cost vs security - using dedicated domain names, requires wild-card certificates, and multiple dns registrations. We encourage our customers to go with this solution, but as always customers have the right to choose cost of deployment over security. While we agree with the less secure option this may pose an issue in certain deployments. With the more secure option available we feel that this is not a vulnerability in our products.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
Nortel has published the following advisory: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=984744
| CVE-2009-2631 | Not Affected |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
The web-based OpenVPN ALS (formerly Adito) could be affected by these issues when using a replacement proxy forward or multiple reverse proxy forwards. The scope of VPN session cookie stealing can be limited by enabling the Verify Client Address option. Tunneled web forwards are not affected. Please note that OpenVPN ALS is separate from the traditional TUN/TAP client-based OpenVPN, which is not affected by this issue.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: March 17, 2025
| CVE-2009-2631 | Affected |
Please See Palo Alto Advisory PAN-SA-2025-0005
Statement Date: October 20, 2009
| CVE-2009-2631 | Not Affected |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: December 04, 2009
| CVE-2009-2631 | Not Affected |
Q1 is not affected by VU#261869
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: October 28, 2009
| CVE-2009-2631 | Not Affected |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: November 13, 2009
| CVE-2009-2631 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
SafeNet has issued Security Bulletin 111009-1, "SafeWord 2008 -- SecureWire Access Gateway SSL VPN Vulnerability." This document can be viewed from the SafeNet technical support website.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: December 01, 2009
| CVE-2009-2631 | Affected |
No statement is currently available from the vendor regarding this vulnerability.
SonicWall has published the following information in response to this issue: Main Support Page: http://www.sonicwall.com/us/Support.html SonicWALL E-Class SSL VPN: http://www.sonicwall.com/us/2123_14882.html SonicWALL SSL VPN: http://www.sonicwall.com/us/2123_14883.html Users are encouraged to review these bulletins and apply the workarounds they describe.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
Statement Date: December 03, 2009
| CVE-2009-2631 | Affected |
Stonesoft has published a Security Advisory on this issue. The advisory is available at Stonesoft's web site: http://www.stonesoft.com/en/support/security_advisories/2009_03_12.html
There are no additional comments at this time.
Statement Date: December 05, 2009
| CVE-2009-2631 | Affected |
Sun Java System Portal Server Secure Remote Access can be configured to be not vulnerable to CVE-2009-2631. Secure Remote Access Gateway offers client-less SSL VPN functionality. It rewrites the URLs only for explicitly configured domains and subdomains. Hence it is not vulnerable to attacks launched from the Internet. Access to domains or hosts within the intranet can be further controlled by Allow/Deny access list to restrict access to only trusted internal sites.
CERT/CC has listed Sun Microsystems as vulnerable because certain configurations are subject to the issues described in the note. Sun has published the following information: http://blogs.sun.com/security/entry/portal_server_is_not_vulnerable
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Not Affected |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.
| CVE-2009-2631 | Unknown |
No statement is currently available from the vendor regarding this vulnerability.
There are no additional comments at this time.