Security updates

Security updates are driven by input from Forcepoint Security Labs, third-party library maintainers, internal research, and customer vulnerability reports, and address security risks in the product itself and in the third-party components it bundles.

Table 1. Version 8.5.7 includes the following security updates. Each entry gives the update, a description of the issue and its fix, and the associated CVE and CWE identifiers ("None" where no identifier applies).
SSL/TLS renegotiation Denial of Service (DoS) vulnerability. Client-initiated SSL/TLS renegotiation was not restricted, so a client could repeatedly force the server through the expensive handshake phase and exhaust its resources; the listed CVE-2009-3555 covers the related insecure-renegotiation flaw, in which a man in the middle can splice its own request in front of a legitimate client's data during renegotiation. This issue is fixed through configuration changes that limit client-initiated renegotiation and require secure (RFC 5746) renegotiation. CVE-2009-3555 CWE-295
Stored XSS vulnerability on blockpage/blockOptions.cgi. A stored cross-site scripting (XSS) vulnerability was identified in the /cgi-bin/blockOptions.cgi and /cgi-bin/blockpage.cgi endpoints, allowing an attacker to inject malicious scripts. This issue is fixed with user input sanitization to prevent script execution. CVE-2025-2274 CWE-79
Multiple vulnerabilities in Apache Tomcat versions 9.0.76 through 9.0.102. The bundled Apache Tomcat is upgraded to version 9.0.104 to fix multiple vulnerabilities, including a time-of-check to time-of-use (TOCTOU) race condition in the default servlet that can lead to remote code execution on case-insensitive file systems when writes are enabled, several resource-exhaustion (denial of service) issues, and an authentication issue in which an unchecked error in a custom Jakarta Authentication component could let a request proceed as authenticated.
  • CVE-2024-34750
  • CVE-2024-38286
  • CVE-2024-50379
  • CVE-2024-52316
  • CVE-2024-54677
  • CVE-2024-56337
  • CVE-2025-31650
  • CWE-367
  • CWE-391
  • CWE-400
  • CWE-770
Multiple vulnerabilities in Apache 2.4.x versions prior to 2.4.60. Multiple vulnerabilities were identified in Apache HTTP Server versions earlier than 2.4.60, including null pointer dereference, SSRF, and improper handling of URLs and encoding issues. This issue is fixed with an upgrade to version 2.4.60.
  • CVE-2024-36387
  • CVE-2024-38472
  • CVE-2024-38473
  • CVE-2024-38474
  • CVE-2024-38475
  • CVE-2024-38477
  • CVE-2024-39573
  • CWE-116
  • CWE-20
  • CWE-476
  • CWE-918
Multiple vulnerabilities in OpenJDK 8 up to version 8u422. Multiple vulnerabilities in OpenJDK 8 up to version 8u422 allow attackers to gain unauthorized access to modify or delete critical data. This issue is fixed with an upgrade to the latest available version.
  • CVE-2024-20918
  • CVE-2024-20919
  • CVE-2024-20921
  • CVE-2024-20926
  • CVE-2024-20932
  • CVE-2024-20945
  • CVE-2024-20952
  • CWE-276
  • CWE-284
  • NVD-CWE-noinfo
Heap buffer overflow in libcurl versions 7.69 to earlier than 8.4.0. The bundled libcurl has a heap buffer overflow in the SOCKS5 proxy handshake: when a hostname longer than 255 bytes is to be resolved by the proxy and the handshake is slow, libcurl could fall back to local resolution and copy the overlong name into a heap buffer too small to hold it, which an attacker could exploit to crash the process or execute code. This issue is fixed with an upgrade to libcurl 8.4.0 or later. CVE-2023-38545 CWE-787
Apache ZooKeeper upgrade to 3.8.4. Apache ZooKeeper 3.4.14 has vulnerabilities that allow attackers to monitor znode paths without permission and enable unauthorized users to join the cluster due to an authentication flaw. This issue is fixed with an upgrade to version 3.8.4.
  • CVE-2024-23944
  • CVE-2023-44981
  • CWE-200
  • CWE-639
Eclipse Jetty DoS vulnerability. Vulnerabilities in Eclipse Jetty versions 9.4.6.v20170531 through 9.4.36.v20210114, 10.0.0, and 11.0.0 cause high CPU usage and denial of service when processing requests whose Accept headers contain many quality (q) parameters, or when handling large TLS frames; the listed identifiers also cover related issues in the same versions, including insecure temporary-directory permissions, reuse of request buffers that can expose another request's data, disclosure of WEB-INF content, and session identifiers that are not reliably invalidated. This issue is fixed with an upgrade to the latest version.
  • CVE-2020-27216
  • CVE-2020-27218
  • CVE-2020-27223
  • CVE-2021-28165
  • CVE-2021-28169
  • CVE-2021-3328
  • CVE-2021-34428
  • CWE-125
  • CWE-200
  • CWE-226
  • CWE-378
  • CWE-400
  • CWE-407
  • CWE-613
  • CWE-755
Outdated SSL/TLS protocols and Ciphers on port 15873. The Web Management API on port 15873 in SWG 8.5.5 and earlier allowed insecure SSL/TLS protocols and cipher suites. This issue is fixed by disabling deprecated protocols and aligning with secure configuration guidelines.
  • CVE-2013-2566
  • CVE-2014-3566
  • CVE-2015-2808
  • CVE-2016-2183
  • CVE-2016-6329
  • CWE-200
  • CWE-310
  • CWE-326
  • CWE-327
Multiple vulnerabilities in Apache HTTP Server versions prior to 2.4.59. Apache HTTP Server versions through 2.4.58 contain input validation flaws and response handling vulnerabilities that could lead to HTTP response splitting and memory exhaustion. This issue is fixed with an upgrade to the latest available version.
  • CVE-2023-38709
  • CVE-2024-24795
  • CVE-2024-27316
  • CWE-400
  • CWE-770
Cookie injection vulnerability in libcurl versions 7.9.1 to earlier than 8.4.0. A cookie injection flaw in libcurl allows an attacker to insert arbitrary cookies into a running program under a specific sequence of conditions: when an easy handle that has the cookie engine enabled but no cookie file is duplicated, the copy records the literal file name "none", and a file of that name in the current working directory is later loaded as a cookie jar. This issue is fixed with an upgrade to the latest available version. CVE-2023-38546 None
Multiple vulnerabilities in Apache HTTP Server versions prior to 2.4.62. Apache HTTP Server versions earlier than 2.4.62 are affected by multiple vulnerabilities, including improper content handling and Server-Side Request Forgery (SSRF) risks. These issues are fixed with an upgrade to Apache version 2.4.62.
  • CVE-2024-40725
  • CVE-2024-40898
  • CVE-2024-39884
  • CWE-668
  • CWE-918
Boolean-based SQL injection in Forcepoint web portal. The Forcepoint web portal’s report generator is vulnerable to a Boolean-based blind SQL injection through the “sortColumnName” and “direction” parameters. This issue is fixed with an update to address the SQL injection vulnerability. CVE-2023-6453 None
Transition to TLS cipher suites recommended by product security team. TLS 1.3 support has been added starting with version 8.5.7 to align with platform support. This update also adopts the strong cipher suites recommended in the Cryptographic best practices. None None
Missing HTTP security headers in RAPWEB interface. The RAPWEB interface (web-based admin portal) in Forcepoint Security Manager 8.5.4 SK11 was missing key HTTP security headers on ports 55835 and 55836. This issue is fixed by adding the required headers to enhance web application security.
  • CVE-2003-1567
  • CVE-2004-2320
  • CVE-2010-0386
  • CWE-16
  • CWE-200
Password disclosure in SWG log database connection. A flaw in the Log Server’s “Test Connection” feature allowed credentials to be sent in plain text to a remote host when reconfigured. This issue is fixed by improving the authentication mechanism to prevent credential exposure. None None
Eclipse Jetty DoS vulnerability. Multiple vulnerabilities in Eclipse Jetty could allow attackers to cause denial of service or leak sensitive information through malformed requests, improper parsing, and inadequate input validation. These issues are fixed with an upgrade to the latest available version.
  • CVE-2021-28165
  • CVE-2022-2047
  • CVE-2022-2048
  • CVE-2023-26048
  • CVE-2023-26049
  • CVE-2023-36479
  • CVE-2023-40167
  • CWE-130
  • CWE-149
  • CWE-20
  • CWE-200
  • CWE-400
  • CWE-410
  • CWE-755
  • CWE-770
  • NVD-CWE-Other
  • NVD-CWE-noinfo
Heap read overflow in libcurl versions 7.32.0 to earlier than 8.9.1. A flaw in libcurl's ASN1 parser could lead to a heap read overflow when processing malformed Generalized Time fields, potentially causing a crash or exposing sensitive memory contents. This issue is fixed in version 8.9.1 through a corrected parser implementation that replaces an earlier incomplete fix. CVE-2024-7264 CWE-125
Spring Security authorization bypass vulnerability. In Spring Security versions 5.5.6, 5.6.3, and older unsupported versions, RegexRequestMatcher could be misconfigured in a way that allows authorization bypass on certain servlet containers. Patterns that rely on a dot ('.') to match any character were especially prone to bypass, because '.' does not match line terminators unless the pattern is compiled with DOTALL, so a request path containing an encoded newline fails to match the rule that is meant to protect it. The issue is fixed with an upgrade to Spring Security version 5.7.14. CVE-2022-22978 CWE-863
Multiple Spring Framework vulnerabilities. Multiple vulnerabilities were identified in Spring Framework versions 3.x and 4.x. These vulnerabilities are fixed with an upgrade to Spring Framework version 5.3.39.
  • CVE-2024-22262
  • CVE-2024-38808
  • CWE-918
  • CWE-601
  • CWE-770
Apache Commons Collections Remote Code Execution vulnerability. A vulnerability in Apache Commons Collections prior to version 3.2.2 allowed remote code execution during object deserialization. This issue is fixed with an upgrade to Commons Collections version 3.2.2. CVE-2015-7501 CWE-502
c3p0 XXE vulnerability in FSM Web Module. The FSM web module was vulnerable due to the use of c3p0 version 0.9.5.2 and earlier, which allowed XML External Entity (XXE) attacks during configuration parsing. This issue is fixed by removing the dependency on c3p0. CVE-2018-20433 CWE-611
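Three of the entries above (unrestricted renegotiation, outdated protocols and ciphers on port 15873, and the move to TLS 1.3 with strong suites) are configuration fixes the table describes only in outline. The following added example is not Forcepoint's configuration or code; it uses Python's ssl module as a stand-in for the web management API's TLS stack (which the page does not name) to show the permissive context those findings describe next to a hardened one, plus the audit functions a practitioner would use to confirm the hardening took. The cipher string and weak-cipher markers are assumptions chosen to match the findings (RC4, 3DES, anonymous and NULL suites).

```python
import ssl

# Name fragments of suites the port 15873 findings flag (RC4, SWEET32/3DES) plus
# anonymous, NULL and export suites; POODLE/SSLv3 is handled by the version floor.
WEAK_CIPHER_MARKERS = ("RC4", "DES-CBC3", "3DES", "NULL", "EXPORT", "MD5", "ADH-", "AECDH-")

# Forward-secret AEAD suites only (assumption). TLS 1.3 suites are not selected via
# this string; OpenSSL enables them whenever the version range permits TLS 1.3.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def build_legacy_context():
    """The permissive context the findings describe; kept only for contrast."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1          # TLS 1.0/1.1 still negotiable
    except ValueError:                                      # OpenSSL built without TLS 1.0
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")                  # re-enables 3DES/RC4 where compiled in
    except ssl.SSLError:
        ctx.set_ciphers("ALL")
    return ctx


def build_hardened_context(certfile=None, keyfile=None):
    """TLS 1.2+ only, strong suites, server-chosen order, no client renegotiation."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2            # drops SSLv3, TLS 1.0, TLS 1.1
    ctx.set_ciphers(STRONG_CIPHERS)
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE          # server picks, not the client
    # OP_NO_RENEGOTIATION (Python 3.7+, OpenSSL 1.1.0h+) makes the server reject
    # client-initiated renegotiation, closing the handshake-exhaustion vector.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_ciphers_enabled(ctx):
    """Names of enabled suites matching a weak marker; an empty list means clean."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)]


def allows_legacy_protocols(ctx):
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def renegotiation_refused(ctx):
    flag = getattr(ssl, "OP_NO_RENEGOTIATION", None)
    return flag is not None and bool(ctx.options & flag)


def audit(ctx):
    """Summarise a context the way a scanner finding would."""
    tls13 = ssl.HAS_TLSv1_3 and ctx.maximum_version in (
        ssl.TLSVersion.MAXIMUM_SUPPORTED, ssl.TLSVersion.TLSv1_3)
    return {
        "legacy_protocols": allows_legacy_protocols(ctx),
        "weak_ciphers": weak_ciphers_enabled(ctx),
        "client_renegotiation_refused": renegotiation_refused(ctx),
        "tls13_available": tls13,
    }


if __name__ == "__main__":
    print("legacy  :", audit(build_legacy_context()))
    print("hardened:", audit(build_hardened_context()))
```

Run it against the OpenSSL build the server actually links, not a workstation: whether the legacy context still lists 3DES depends on what that build compiles in, which is exactly why the audit reads the live cipher list instead of trusting the cipher string. The same checks translate to an external verification with openssl s_client against port 15873 (attempt an SSLv3 or TLS 1.0 handshake, offer only RC4 or 3DES suites, and send an "R" on the connection to request renegotiation); each attempt should be refused.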
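The Boolean-based blind SQL injection entry names two parameters, "sortColumnName" and "direction", and those are instructive precisely because they cannot be fixed with bound parameters: ORDER BY takes identifiers, not values, so the column name has to reach the SQL text and must be validated rather than escaped. The added example below is not the product's code or endpoint; it is a generic illustration of the class against an in-memory SQLite table with constructed rows, showing the string-built query, the textbook CASE-expression oracle that makes the row order leak one true/false answer per request, and the allow-listed form that closes it. The table, column names and payload are assumptions for illustration.

```python
import sqlite3

# Constructed sample data; names deliberately sort in a different order than ids
# so that "ORDER BY name" and "ORDER BY id" produce distinguishable responses.
SAMPLE_ROWS = [(1, "carol", 30), (2, "alice", 10), (3, "bob", 20)]

ALLOWED_COLUMNS = {"id", "name", "hits"}
ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE report (id INTEGER PRIMARY KEY, name TEXT, hits INTEGER)")
    con.executemany("INSERT INTO report VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def vulnerable_report(con, sort_column, direction):
    """ORDER BY identifiers cannot be bound with '?', so a naive implementation
    concatenates them and every character of the parameter reaches the SQL parser."""
    sql = f"SELECT id FROM report ORDER BY {sort_column} {direction}"
    return [row[0] for row in con.execute(sql)]


def boolean_probe(con, condition):
    """Illustrative boolean-based blind oracle. The injected CASE expression sorts by
    name when `condition` holds and by id when it does not, so the row order of an
    otherwise normal response answers one yes/no question about the database."""
    payload = f"(CASE WHEN ({condition}) THEN name ELSE id END)"
    return vulnerable_report(con, payload, "ASC") == vulnerable_report(con, "name", "ASC")


def safe_report(con, sort_column, direction):
    """Hardened form: both values are checked against allow-lists before they are
    interpolated; anything that is not a known column or direction is rejected."""
    if sort_column not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown sort column {sort_column!r}")
    direction = direction.upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unknown direction {direction!r}")
    sql = f"SELECT id FROM report ORDER BY {sort_column} {direction}"
    return [row[0] for row in con.execute(sql)]


def rejects_payload(con, sort_column, direction="ASC"):
    """True if the hardened query refuses the given parameter pair."""
    try:
        safe_report(con, sort_column, direction)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = make_db()
    print("condition true :", boolean_probe(con, "1=1"))
    print("condition false:", boolean_probe(con, "1=2"))
    print("hardened rejects payload:", rejects_payload(con, "(CASE WHEN (1=1) THEN name ELSE id END)"))
```

The allow-list is the whole fix: quoting or escaping does not help because the attacker never needs a quote character, and the second parameter matters as much as the first, since "ASC, <expression>" is a valid ORDER BY tail. Map the user-facing sort keys to internal column names through a dictionary if the exposed names should not mirror the schema.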
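The RAPWEB entry says "key HTTP security headers" were added on ports 55835 and 55836 without listing them. The added example below is not Forcepoint's code, and the header set it checks is an assumption reflecting the usual scanner expectations for an admin portal (HSTS with a one-year max-age, a Content-Security-Policy, clickjacking protection, nosniff, a Referrer-Policy, and Secure/HttpOnly session cookies). It parses two constructed raw responses, one before and one after hardening, and reports findings the way a header audit would.

```python
# Constructed sample responses (not captured from the product): an admin page
# with no security headers, and the same page after hardening.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: no-referrer\r\n"
    "Cache-Control: no-store\r\n"
    "\r\n"
    "<html>...</html>"
)

ONE_YEAR = 31536000


def parse_response_headers(raw):
    """Header block -> {lower-case name: [values]}; Set-Cookie may repeat."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:            # skip the status line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_directives(value):
    """'default-src 'self'; frame-ancestors 'none'' -> {'default-src': ["'self'"], ...}"""
    out = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = parts[1:]
    return out


def hsts_max_age(value):
    for token in value.split(";"):
        key, _, val = token.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


def audit_headers(raw):
    """Return a list of findings; an empty list means every check passed."""
    h = parse_response_headers(raw)

    def first(name):
        return h.get(name, [""])[0]

    findings = []
    age = hsts_max_age(first("strict-transport-security"))
    if age is None:
        findings.append("Strict-Transport-Security missing")
    elif age < ONE_YEAR:
        findings.append(f"Strict-Transport-Security max-age {age} is below one year")

    csp = csp_directives(first("content-security-policy"))
    if not csp:
        findings.append("Content-Security-Policy missing")
    else:
        scripts = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in scripts or "*" in scripts:
            findings.append("Content-Security-Policy allows inline or wildcard scripts")
    if "frame-ancestors" not in csp and first("x-frame-options").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no frame-ancestors directive and no X-Frame-Options DENY/SAMEORIGIN")
    if first("x-content-type-options").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    if not first("referrer-policy"):
        findings.append("Referrer-Policy missing")

    for cookie in h.get("set-cookie", []):          # session cookie attributes
        name = cookie.split("=", 1)[0]
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        for attr in ("Secure", "HttpOnly"):
            if attr.lower() not in attrs:
                findings.append(f"cookie {name} lacks the {attr} attribute")
    return findings


if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_headers(raw) or "no findings")
```

Feed it the raw bytes of a real response (for example the output of a curl -i request to port 55835 over TLS) rather than a browser's rendered header view, since intermediaries and browsers can add or drop headers. For the stored XSS entry earlier in the table, the same Content-Security-Policy check is the defence-in-depth layer behind input sanitization.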
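The Spring Security entry is easiest to understand with the matching rule in front of you. The added example below is not Spring's code and not the product's: it models a RegexRequestMatcher-style rule chain in Python, whose re module shares Java's default that a dot does not match a newline, and contrasts the vulnerable pattern with one compiled with DOTALL (the counterpart of Pattern.DOTALL in the upstream fix). The "/admin/" area, the ADMIN role and the permissive fall-through for unmatched paths are assumptions chosen to make the bypass visible.

```python
import re
from urllib.parse import unquote

# Two matchers for the same protected area. Java's Pattern and Python's re share the
# default that '.' does not match a line terminator; the upstream fix compiles
# RegexRequestMatcher patterns with Pattern.DOTALL, modelled here by re.DOTALL.
VULNERABLE_ADMIN = re.compile(r"/admin/.*")
FIXED_ADMIN = re.compile(r"/admin/.*", re.DOTALL)


def authorize(rules, raw_path, granted_roles):
    """Evaluate ordered (pattern, required_role) rules against a request path.

    The container URL-decodes the path before the security filter sees it, so
    '%0a' arrives as a real newline. Unmatched paths are allowed here, which is the
    permissive fall-through that turns a failed match into a bypass (assumption).
    """
    path = unquote(raw_path)
    for pattern, role in rules:
        if pattern.fullmatch(path):
            return role in granted_roles
    return True


def bypass_possible(rules, raw_path):
    """True if an anonymous request (no roles) to raw_path is allowed even though
    the decoded path lies inside the protected area."""
    anonymous = frozenset()
    return unquote(raw_path).startswith("/admin/") and authorize(rules, raw_path, anonymous)


if __name__ == "__main__":
    vulnerable = [(VULNERABLE_ADMIN, "ADMIN")]
    fixed = [(FIXED_ADMIN, "ADMIN")]
    for path in ("/admin/users", "/admin/%0ausers"):
        print(f"{path!r:22} vulnerable allows anonymous: {authorize(vulnerable, path, set())}"
              f"  fixed allows anonymous: {authorize(fixed, path, set())}")
```

Whether the container then routes "/admin/\nusers" to the same handler as "/admin/users" is container-specific, which is why the advisory scopes the bypass to "certain servlet containers". Java's default dot also excludes carriage return, U+0085, U+2028 and U+2029, so the Java surface is wider than the single newline Python's re excludes. Beyond upgrading, prefer anchored patterns over bare ".*" and deny unmatched requests by default rather than allowing them.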

For the basic hardware and software requirements for your system to use this product, see System requirements for this version in the Deployment and Installation Center.