Notified: October 19, 2009 Updated: December 05, 2011
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 06, 2009 Updated: December 17, 2009
Statement Date: December 17, 2009
Affected
Regarding US-CERT Vulnerability Note VU# 261869, AEP Netilla currently mitigates exposure because of its secure design. By default, AEP Netilla is “locked down” meaning all access to and from Netilla is denied. All types of access must be explicitly granted. Thus, when a Web reverse proxy application is configured on Netilla, users cannot access the application and Netilla will not allow the connection to the application until policies that grant access are created. Details such as whether or not to allow cookies are part of the connection access policy. Because all access to and from Netilla is denied by default, any attempt to direct a user to an attacker created web page will be denied. Netilla is also protected from the other method described in the Vulnerability Note where user key strokes are trapped in a hidden frame. When that frame attempts to send out the captured data, the data is re-written to go to Netilla where Netilla's policy checking engine will drop the data. AEP recommends that Netilla customers only add access rules for known trusted sites. If customers require access to servers outside of their control AEP recommends that they only configure policy rules that grant the absolute minimal access needed and can further mitigate the risk with these application policy settings: Cookie Support = No; JavaScript Handling = Delete; Vbscript Handling = Delete; and Host Name Hiding, a system-wide configuration setting, should be left at the default option = Do Not Hide.
The vendor has not provided us with any further information regarding this vulnerability.
CERT/CC has listed AEP Networks as vulnerable because certain configurations are subject to the issues described in the note. Administrators are encouraged to review their deployment for applicability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 24, 2009 Updated: December 04, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: September 15, 2009 Updated: December 16, 2009
Affected
No statement is currently available from the vendor regarding this vulnerability.
Checkpoint has posted the following information: https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk43265
Notified: September 24, 2009 Updated: December 17, 2009
Statement Date: December 04, 2009
Affected
The limitations described in VU#261869 affect all vendors offering a truly Clientless SSL VPN solution, including Cisco. Cisco has published a Security Activity Bulletin that provides additional information at the following link: http://tools.cisco.com/security/center/viewAlert.x?alertId=19500 This bulletin includes links to documentation that guide customers on how to properly configure Clientless SSL VPN deployments for the purpose of accessing trusted resources to avoid getting in to a situation which may cause concern. Cisco Secure Desktop (CSD) is a multifunctional component of the Cisco SSL VPN solution that can also be used with Clientless connections to protect against these security risks. Additionally, customers can use the Cisco AnyConnect client. Cisco Anyconnect provides remote end users with support of applications and functions unavailable to a clientless, browser-based SSL VPN connection. Information about CSD and AnyConnect can be found at: http://www.cisco.com/go/sslvpn.
Cisco has published information about this issue at: http://tools.cisco.com/security/center/viewAlert.x?alertId=19500 http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp999589 http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/webvpn.html#wp999589 http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp999589 http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html#wp1101982 http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/svc.html#wp1079707 http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1081849
Notified: September 24, 2009 Updated: December 16, 2009
Affected
No statement is currently available from the vendor regarding this vulnerability.
Citrix has published the following article: http://support.citrix.com/article/CTX123610
Notified: October 19, 2009 Updated: December 17, 2009
Statement Date: October 23, 2009
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: December 04, 2009
Statement Date: October 26, 2009
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: September 16, 2009 Updated: September 16, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: December 04, 2009
Statement Date: October 19, 2009
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: December 04, 2009
Statement Date: December 03, 2009
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: October 19, 2009 Updated: December 15, 2009
Statement Date: December 15, 2009
Not Affected
ISS is NOT affected by this issue.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 24, 2009 Updated: December 17, 2009
Statement Date: November 30, 2009
Affected
Please see Juniper Networks Product Security Notification PSN-2009-11-580: https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2009-11-580&viewMode=view
Juniper has also published the following information: Juniper Networks recommendations for mitigating VU#261869: http://kb.juniper.net/KB15799 Users are encouraged to review this knowledge base article and apply the workarounds they describe.
Notified: September 24, 2009 Updated: October 01, 2009
Statement Date: September 29, 2009
Not Affected
The Kerio Clientless SSL-VPN is intended to access files on the network where it is deployed. It by design does not work as a reverse HTTP proxy and it does not create nor modify HTTP cookies of other web services. As such it is not affected by the described vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 15, 2009 Updated: December 04, 2009
Statement Date: October 22, 2009
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: September 24, 2009 Updated: December 07, 2009
Statement Date: December 05, 2009
Affected
If customer chooses co-host resources of a different trust (different web applications and ssl-vpn internal application/portal) this situation can arise. Although there is another choice that customer can make - use a separate domain for each application. The trade-off is cost vs security - using dedicated domain names, requires wild-card certificates, and multiple dns registrations. We encourage our customers to go with this solution, but as always customers have the right to choose cost of deployment over security. While we agree with the less secure option this may pose an issue in certain deployments. With the more secure option available we feel that this is not a vulnerability in our products.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 20, 2009 Updated: October 20, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: December 16, 2009
Affected
No statement is currently available from the vendor regarding this vulnerability.
Nortel has published the following advisory: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=984744
Notified: September 24, 2009 Updated: December 04, 2009
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: November 13, 2009 Updated: December 17, 2009
Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
The web-based OpenVPN ALS (formerly Adito) could be affected by these issues when using a replacement proxy forward or multiple reverse proxy forwards. The scope of VPN session cookie stealing can be limited by enabling the Verify Client Address option. Tunneled web forwards are not affected. Please note that OpenVPN ALS is separate from the traditional TUN/TAP client-based OpenVPN, which is not affected by this issue.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: December 04, 2009
Statement Date: October 20, 2009
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: December 04, 2009
Statement Date: December 04, 2009
Not Affected
Q1 is not affected by VU#261869
The vendor has not provided us with any further information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: December 04, 2009
Statement Date: October 28, 2009
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: October 19, 2009 Updated: December 03, 2009
Statement Date: November 13, 2009
Affected
No statement is currently available from the vendor regarding this vulnerability.
SafeNet has issued Security Bulletin 111009-1, "SafeWord 2008 -- SecureWire Access Gateway SSL VPN Vulnerability." This document can be viewed from the SafeNet technical support website.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 15, 2009 Updated: December 04, 2009
Statement Date: December 01, 2009
Affected
No statement is currently available from the vendor regarding this vulnerability.
SonicWall has published the following information in response to this issue: Main Support Page: http://www.sonicwall.com/us/Support.html SonicWALL E-Class SSL VPN: http://www.sonicwall.com/us/2123_14882.html SonicWALL SSL VPN: http://www.sonicwall.com/us/2123_14883.html Users are encouraged to review these bulletins and apply the workarounds they describe.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: December 17, 2009
Statement Date: December 03, 2009
Affected
Stonesoft has published a Security Advisory on this issue. The advisory is available at Stonesoft's web site: http://www.stonesoft.com/en/support/security_advisories/2009_03_12.html
The vendor has not provided us with any further information regarding this vulnerability.
Notified: October 19, 2009 Updated: December 08, 2009
Statement Date: December 05, 2009
Affected
Sun Java System Portal Server Secure Remote Access can be configured to be not vulnerable to CVE-2009-2631. Secure Remote Access Gateway offers client-less SSL VPN functionality. It rewrites the URLs only for explicitly configured domains and subdomains. Hence it is not vulnerable to attacks launched from the Internet. Access to domains or hosts within the intranet can be further controlled by Allow/Deny access list to restrict access to only trusted internal sites.
Sun has published the following information: http://blogs.sun.com/security/entry/portal_server_is_not_vulnerable
CERT/CC has listed Sun Microsystems as vulnerable because certain configurations are subject to the issues described in the note.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 15, 2009 Updated: September 15, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: September 25, 2009 Updated: October 02, 2009
Not Affected
No statement is currently available from the vendor regarding this vulnerability.
The vendor has not provided us with any further information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.
Notified: October 19, 2009 Updated: October 19, 2009
Unknown
No statement is currently available from the vendor regarding this vulnerability.
We are not aware of further vendor information regarding this vulnerability.