Security updates
Security updates are implemented based on input from Forcepoint Security Labs, third-party library maintainers, internal research, and customer vulnerability reports, in order to address potential security risks.
| Updates | Description | CVE | CWE |
|---|---|---|---|
| SSL/TLS renegotiation Denial of Service (DoS) vulnerability. | SSL/TLS renegotiation requests were not restricted, allowing an attacker to abuse the handshake process and exhaust server resources. This issue is fixed through configuration changes that limit renegotiation and enable secure cryptographic negotiation. | CVE-2009-3555 | CWE-295 |
| Stored XSS vulnerability on blockpage/blockOptions.cgi. | A stored cross-site scripting (XSS) vulnerability was identified in the /cgi-bin/blockOptions.cgi and /cgi-bin/blockpage.cgi endpoints, allowing an attacker to inject malicious scripts. This issue is fixed with user input sanitization to prevent script execution. | CVE-2025-2274 | CWE-79 |
| Multiple vulnerabilities in Apache Tomcat versions 9.0.76 through 9.0.102. | Apache Tomcat versions 9.0.76 through 9.0.102 contain multiple vulnerabilities, including time-of-check to time-of-use (TOCTOU) race conditions, resource exhaustion, and authentication issues. These issues are fixed with an upgrade to Apache Tomcat 9.0.104. | | |
| Multiple vulnerabilities in Apache 2.4.x versions prior to 2.4.60. | Multiple vulnerabilities were identified in Apache HTTP Server versions earlier than 2.4.60, including a null pointer dereference, SSRF, and improper handling of URLs and encoding. These issues are fixed with an upgrade to version 2.4.60. | | |
| Multiple vulnerabilities in OpenJDK 8 up to version 8u422. | Multiple vulnerabilities in OpenJDK 8 up to version 8u422 allow attackers to gain unauthorized access to modify or delete critical data. These issues are fixed with an upgrade to the latest available version. | | |
| Heap buffer overflow in libcurl versions 7.69 to earlier than 8.4.0. | The libcurl version in use has a heap buffer overflow in the SOCKS5 proxy handshake, which an attacker could exploit to crash the system or execute code. This issue is fixed with an upgrade to libcurl 8.4.0 or later. | CVE-2023-38545 | CWE-787 |
| Apache ZooKeeper upgrade to 3.8.4. | Apache ZooKeeper 3.4.14 has vulnerabilities that allow attackers to monitor znode paths without permission and, due to an authentication flaw, allow unauthorized users to join the cluster. These issues are fixed with an upgrade to version 3.8.4. | | |
| Eclipse Jetty DoS vulnerability. | Vulnerabilities in Eclipse Jetty versions 9.4.6.v20170531 to 9.4.36.v20210114, 10.0.0, and 11.0.0 cause high CPU usage and DoS when processing requests with multiple Accept headers containing many quality (q) parameters. This issue is fixed with an upgrade to the latest version. | | |
| Outdated SSL/TLS protocols and ciphers on port 15873. | The Web Management API on port 15873 in SWG 8.5.5 and earlier allowed insecure SSL/TLS protocols and cipher suites. This issue is fixed by disabling deprecated protocols and aligning with secure configuration guidelines. | | |
| Multiple vulnerabilities in Apache HTTP Server versions prior to 2.4.59. | Apache HTTP Server versions through 2.4.58 contain input validation flaws and response handling vulnerabilities that could lead to HTTP response splitting and memory exhaustion. These issues are fixed with an upgrade to the latest available version. | | |
| Cookie injection vulnerability in libcurl versions 7.9.1 to earlier than 8.4.0. | A cookie injection vulnerability in libcurl allows a malicious server to set arbitrary cookies for arbitrary domains. This issue is fixed with an upgrade to the latest available version. | CVE-2023-38546 | None |
| Multiple vulnerabilities in Apache HTTP Server versions prior to 2.4.62. | Apache HTTP Server versions earlier than 2.4.62 are affected by multiple vulnerabilities, including improper content handling and Server-Side Request Forgery (SSRF) risks. These issues are fixed with an upgrade to Apache version 2.4.62. | | |
| Boolean-based SQL injection in Forcepoint web portal. | The Forcepoint web portal's report generator is vulnerable to a Boolean-based blind SQL injection through the `sortColumnName` and `direction` parameters. This issue is fixed with an update that addresses the SQL injection vulnerability. | CVE-2023-6453 | None |
| Transition to TLS cipher suites recommended by product security team. | TLS 1.3 support has been added starting with version 8.5.7 to align with platform support. This update also adopts the strong cipher suites recommended in the Cryptographic best practices. | None | None |
| Missing HTTP security headers in RAPWEB interface. | The RAPWEB interface (web-based admin portal) in Forcepoint Security Manager 8.5.4 SK11 was missing key HTTP security headers on ports 55835 and 55836. This issue is fixed by adding the required headers to enhance web application security. | | |
| Password disclosure in SWG log database connection. | A flaw in the Log Server's "Test Connection" feature allowed credentials to be sent in plain text to a remote host when the connection was reconfigured. This issue is fixed by improving the authentication mechanism to prevent credential exposure. | None | None |
| Eclipse Jetty DoS vulnerability. | Multiple vulnerabilities in Eclipse Jetty could allow attackers to cause denial of service or leak sensitive information through malformed requests, improper parsing, and inadequate input validation. These issues are fixed with an upgrade to the latest available version. | | |
| Heap read overflow in libcurl versions 7.32.0 to earlier than 8.9.1. | A flaw in libcurl's ASN1 parser could lead to a heap read overflow when processing malformed GeneralizedTime fields, potentially causing a crash or exposing sensitive memory contents. This issue is fixed in version 8.9.1 through a corrected parser implementation that replaces an earlier incomplete fix. | CVE-2024-7264 | CWE-125 |
| Spring Security authorization bypass vulnerability. | In Spring Security versions 5.5.6, 5.6.3, and older unsupported versions, RegexRequestMatcher could be misconfigured in a way that allows authorization bypass on certain servlet containers. Regular expressions containing `.` were especially prone to being bypassed. This issue is fixed with an upgrade to Spring Security version 5.7.14. | CVE-2022-22978 | CWE-863 |
| Multiple Spring Framework vulnerabilities. | Multiple vulnerabilities were identified in Spring Framework versions 3.x and 4.x. These vulnerabilities are fixed with an upgrade to Spring Framework version 5.3.39. | | |
| Apache Commons Collections Remote Code Execution vulnerability. | A vulnerability in Apache Commons Collections prior to version 3.2.2 allowed remote code execution during object deserialization. This issue is fixed with an upgrade to Commons Collections version 3.2.2. | CVE-2015-7501 | CWE-502 |
| c3p0 XXE vulnerability in FSM Web Module. | The FSM web module was vulnerable due to the use of c3p0 version 0.9.5.2 and earlier, which allowed XML External Entity (XXE) attacks during configuration parsing. This issue is fixed by removing the dependency on c3p0. | CVE-2018-20433 | CWE-611 |
For the basic hardware and software requirements for your system to use this product, see System requirements for this version in the Deployment and Installation Center.