3com Inc Unknown

Notified:  October 19, 2009 Updated: December 05, 2011

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

aep NETWORKS Affected

Notified:  November 06, 2009 Updated: December 17, 2009

Statement Date:   December 17, 2009

Status

Affected

Vendor Statement

Regarding US-CERT Vulnerability Note VU#261869, AEP Netilla currently mitigates exposure because of its secure design. By default, AEP Netilla is “locked down”, meaning all access to and from Netilla is denied. All types of access must be explicitly granted. Thus, when a Web reverse proxy application is configured on Netilla, users cannot access the application and Netilla will not allow the connection to the application until policies that grant access are created. Details such as whether or not to allow cookies are part of the connection access policy. Because all access to and from Netilla is denied by default, any attempt to direct a user to an attacker-created web page will be denied.

Netilla is also protected from the other method described in the Vulnerability Note where user keystrokes are trapped in a hidden frame. When that frame attempts to send out the captured data, the data is re-written to go to Netilla where Netilla's policy checking engine will drop the data.

AEP recommends that Netilla customers only add access rules for known trusted sites. If customers require access to servers outside of their control, AEP recommends that they only configure policy rules that grant the absolute minimal access needed and can further mitigate the risk with these application policy settings: Cookie Support = No; JavaScript Handling = Delete; Vbscript Handling = Delete; and Host Name Hiding, a system-wide configuration setting, should be left at the default option = Do Not Hide.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

CERT/CC has listed AEP Networks as vulnerable because certain configurations are subject to the issues described in the note. Administrators are encouraged to review their deployment for applicability.

Alcatel-Lucent Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Avaya, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Barracuda Networks Unknown

Notified:  September 24, 2009 Updated: December 04, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Check Point Software Technologies Affected

Notified:  September 15, 2009 Updated: December 16, 2009

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Check Point has posted the following information: https://supportcenter.checkpoint.com/supportcenter/portal?solutionid=sk43265

Cisco Systems, Inc. Affected

Notified:  September 24, 2009 Updated: December 17, 2009

Statement Date:   December 04, 2009

Status

Affected

Vendor Statement

The limitations described in VU#261869 affect all vendors offering a truly Clientless SSL VPN solution, including Cisco. Cisco has published a Security Activity Bulletin that provides additional information at the following link: http://tools.cisco.com/security/center/viewAlert.x?alertId=19500

This bulletin includes links to documentation that guide customers on how to properly configure Clientless SSL VPN deployments for the purpose of accessing trusted resources to avoid getting into a situation which may cause concern.

Cisco Secure Desktop (CSD) is a multifunctional component of the Cisco SSL VPN solution that can also be used with Clientless connections to protect against these security risks. Additionally, customers can use the Cisco AnyConnect client. Cisco AnyConnect provides remote end users with support of applications and functions unavailable to a clientless, browser-based SSL VPN connection. Information about CSD and AnyConnect can be found at: http://www.cisco.com/go/sslvpn.

Vendor Information

Cisco has published information about this issue at:
http://tools.cisco.com/security/center/viewAlert.x?alertId=19500
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/webvpn.html#wp999589
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/webvpn.html#wp999589
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/webvpn.html#wp999589
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/svc.html#wp1101982
http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/svc.html#wp1079707
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/svc.html#wp1081849

Citrix Affected

Notified:  September 24, 2009 Updated: December 16, 2009

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Citrix has published the following article: http://support.citrix.com/article/CTX123610

Computer Associates Not Affected

Notified:  October 19, 2009 Updated: December 17, 2009

Statement Date:   October 23, 2009

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Debian GNU/Linux Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

D-Link Systems, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

DragonFly BSD Project Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

EMC Corporation Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Enterasys Networks Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ericsson Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

eSoft, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Extreme Networks Not Affected

Notified:  October 19, 2009 Updated: December 04, 2009

Statement Date:   October 26, 2009

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified:  September 16, 2009 Updated: September 16, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fedora Project Not Affected

Notified:  October 19, 2009 Updated: December 04, 2009

Statement Date:   October 19, 2009

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Force10 Networks, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fortinet, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Foundry Networks, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fujitsu Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Gentoo Linux Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Global Technology Associates Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Hitachi Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM Corporation Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IBM eServer Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Infoblox Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Intel Corporation Not Affected

Notified:  October 19, 2009 Updated: December 04, 2009

Statement Date:   December 03, 2009

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Internet Security Systems, Inc. Not Affected

Notified:  October 19, 2009 Updated: December 15, 2009

Statement Date:   December 15, 2009

Status

Not Affected

Vendor Statement

ISS is NOT affected by this issue.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Intoto Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IP Filter Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

IP Infusion, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Juniper Networks, Inc. Affected

Notified:  September 24, 2009 Updated: December 17, 2009

Statement Date:   November 30, 2009

Status

Affected

Vendor Statement

Please see Juniper Networks Product Security Notification PSN-2009-11-580: https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2009-11-580&viewMode=view

Vendor Information

Juniper has also published the following information:
Juniper Networks recommendations for mitigating VU#261869: http://kb.juniper.net/KB15799
Users are encouraged to review this knowledge base article and apply the workarounds it describes.

Kerio Technologies Not Affected

Notified:  September 24, 2009 Updated: October 01, 2009

Statement Date:   September 29, 2009

Status

Not Affected

Vendor Statement

The Kerio Clientless SSL-VPN is intended to access files on the network where it is deployed. It by design does not work as a reverse HTTP proxy and it does not create nor modify HTTP cookies of other web services. As such it is not affected by the described vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Luminous Networks Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

m0n0wall Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Mandriva S. A. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

McAfee Not Affected

Notified:  September 15, 2009 Updated: December 04, 2009

Statement Date:   October 22, 2009

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation Affected

Notified:  September 24, 2009 Updated: December 07, 2009

Statement Date:   December 05, 2009

Status

Affected

Vendor Statement

If a customer chooses to co-host resources of a different trust (different web applications and SSL-VPN internal application/portal), this situation can arise. Although there is another choice that the customer can make - use a separate domain for each application. The trade-off is cost vs. security - using dedicated domain names requires wild-card certificates and multiple DNS registrations. We encourage our customers to go with this solution, but as always customers have the right to choose cost of deployment over security. While we agree with the less secure option this may pose an issue in certain deployments. With the more secure option available we feel that this is not a vulnerability in our products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Multitech, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetApp Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NetBSD Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

netfilter Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Netgear, Inc. Unknown

Notified:  October 20, 2009 Updated: October 20, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nokia Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Nortel Networks, Inc. Affected

Notified:  October 19, 2009 Updated: December 16, 2009

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Nortel has published the following advisory: http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=984744

Novell, Inc. Not Affected

Notified:  September 24, 2009 Updated: December 04, 2009

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

OpenBSD Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenVPN Technologies Affected

Notified:  November 13, 2009 Updated: December 17, 2009

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The web-based OpenVPN ALS (formerly Adito) could be affected by these issues when using a replacement proxy forward or multiple reverse proxy forwards. The scope of VPN session cookie stealing can be limited by enabling the Verify Client Address option. Tunneled web forwards are not affected. Please note that OpenVPN ALS is separate from the traditional TUN/TAP client-based OpenVPN, which is not affected by this issue.

Openwall GNU/*/Linux Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

PePLink Not Affected

Notified:  October 19, 2009 Updated: December 04, 2009

Statement Date:   October 20, 2009

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Process Software Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Q1 Labs Not Affected

Notified:  October 19, 2009 Updated: December 04, 2009

Statement Date:   December 04, 2009

Status

Not Affected

Vendor Statement

Q1 is not affected by VU#261869.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX Software Systems Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Quagga Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

RadWare, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Redback Networks, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Not Affected

Notified:  October 19, 2009 Updated: December 04, 2009

Statement Date:   October 28, 2009

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SafeNet Affected

Notified:  October 19, 2009 Updated: December 03, 2009

Statement Date:   November 13, 2009

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

SafeNet has issued Security Bulletin 111009-1, "SafeWord 2008 -- SecureWire Access Gateway SSL VPN Vulnerability." This document can be viewed from the SafeNet technical support website.

Secureworx, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SmoothWall Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Snort Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Soapstone Networks Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

SonicWall Affected

Notified:  September 15, 2009 Updated: December 04, 2009

Statement Date:   December 01, 2009

Status

Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

SonicWall has published the following information in response to this issue:
Main Support Page: http://www.sonicwall.com/us/Support.html
SonicWALL E-Class SSL VPN: http://www.sonicwall.com/us/2123_14882.html
SonicWALL SSL VPN: http://www.sonicwall.com/us/2123_14883.html
Users are encouraged to review these bulletins and apply the workarounds they describe.

Sourcefire Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Stonesoft Affected

Notified:  October 19, 2009 Updated: December 17, 2009

Statement Date:   December 03, 2009

Status

Affected

Vendor Statement

Stonesoft has published a Security Advisory on this issue. The advisory is available at Stonesoft's web site: http://www.stonesoft.com/en/support/security_advisories/2009_03_12.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. Affected

Notified:  October 19, 2009 Updated: December 08, 2009

Statement Date:   December 05, 2009

Status

Affected

Vendor Statement

Sun Java System Portal Server Secure Remote Access can be configured to be not vulnerable to CVE-2009-2631. Secure Remote Access Gateway offers client-less SSL VPN functionality. It rewrites the URLs only for explicitly configured domains and subdomains. Hence it is not vulnerable to attacks launched from the Internet. Access to domains or hosts within the intranet can be further controlled by Allow/Deny access list to restrict access to only trusted internal sites.

Vendor Information

Sun has published the following information: http://blogs.sun.com/security/entry/portal_server_is_not_vulnerable

Addendum

CERT/CC has listed Sun Microsystems as vulnerable because certain configurations are subject to the issues described in the note.

SUSE Linux Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Symantec Unknown

Notified:  September 15, 2009 Updated: September 15, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

The SCO Group Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Turbolinux Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

U4EA Technologies, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Ubuntu Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Unisys Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

VMware Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vyatta Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Watchguard Technologies, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Webmin Not Affected

Notified:  September 25, 2009 Updated: October 02, 2009

Status

Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ZyXEL Unknown

Notified:  October 19, 2009 Updated: October 19, 2009

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.
