Appgate SDP Security Advisories
If you believe you have identified a security concern with Appgate SDP, please contact appgate-security@appgate.com.
Re: Apache Log4j vulnerability
Appgate SDP v5.1.x - v5.5.x are NOT affected by the Log4j vulnerability.
While the Log4j library is included in the Appgate SDP appliance build, its ONLY use is in the open source Elasticsearch component of the LogServer. Elastic has confirmed that Elasticsearch is NOT affected by the Log4j vulnerability (but has identified a related minor information leakage issue). Versions 5.4.6 and 5.5.2 contain the updated 2.17.1 version of Log4j.
We strongly recommend following our secure deployment recommendations, specifically that the LogServer should never be exposed to the internet and should be accessible only to other components of the SDP system and to authorized, authenticated users.
Title | ID | Severity | Products Affected | First Published | Last Published |
---|---|---|---|---|---|
Log4j 2 Vulnerability | 2021-12-0001 | Minor | Appgate SDP LogServer versions up to and including 5.5.1 | 2021-12-13 | 2022-01-05 |
Scripting Engine Sandbox Bypass | 2021-11-0001 | Medium (CVSS 6.6) | Appgate SDP Controller and Gateway versions prior to 5.5.1 | 2021-12-07 | 2021-12-07 |
Privilege Escalation on Appgate SDP Clients for Linux | 2021-06-0001 | High (CVSS 7.5) | Appgate SDP Client for Linux versions prior to 5.4.2 | 2021-06-14 | 2021-06-14 |
Security Fix and Cumulative Improvements for Appgate SDP Clients for Windows | 2021-04-0002 | Medium (CVSS 5.5) | Appgate SDP full Clients for Windows versions prior to 5.4.0 | 2021-04-27 | 2021-04-27 |
Information Disclosure from Appgate SDP Controllers | 2021-04-0001 | High (CVSS 8.5) | Appgate SDP Controller versions prior to 5.3.3 (except 5.2.4) | 2021-04-15 | 2021-04-23 |
Cumulative Security Fixes and Improvements for Appgate SDP Clients | 2021-01-0001 | Medium (CVSS 5.5) | Appgate SDP Client versions prior to 5.3.2 | 2021-01-22 | 2021-04-16 |
Default Time-Based OTP Provider Bypass | 2020-11-0001 | Medium (CVSS 6.8) | Appgate SDP Controller versions prior to 5.3.1 | 2020-11-30 | 2020-12-07 |
Privilege Escalation on Appgate SDP Client for Windows | 2020-04-0001 | High (CVSS 7.8) | Appgate SDP full Clients for Windows versions prior to 5.1.1 | 2020-05-01 | 2020-05-01 |
Remote code execution on management interface | 2020-04-0002 | High (CVSS 7.5) | Appgate SDP Controller versions 4.1.0 through 5.0.3, 5.1.0 and 5.1.1 | 2020-05-01 | 2020-05-01 |
Scripting Engine Sandbox Bypass | 2019-11-0001 | High (CVSS 7.2) | Appgate SDP Appliances before v5.0.2 | 2019-11-18 | 2019-11-18 |
Remote Privilege Escalation on Windows Client | 2019-07-0001 | High (CVSS 8.0) | Appgate SDP Client for Windows from v4.1.0 to v4.3.1 | 2019-07-09 | 2019-07-09 |
Controller Impersonation during Appliance Communication | 2018-12-0001 | Low (CVSS 3.3) | Appgate SDP Appliances before v4.1.7 | 2018-12-03 | 2018-12-03 |
Privilege Escalation on Windows Client | 2018-11-0001 | Low | Appgate SDP Client for Windows from v4.1.0 to v4.1.2 | 2018-11-22 | 2018-11-22 |
TCP Stack vulnerability: SegmentSmack | 2018-08-0001 | Low | Appgate SDP before v4.1.2 | 2018-08-09 | 2018-08-09 |
Information Disclosure on Management Interface | 2018-07-0001 | Low | Appgate SDP from v4.0.0 to v4.0.3 | 2018-07-12 | 2018-07-12 |
SAML Authentication Bypass | 2018-03-0001 | Low | Appgate SDP before v3.3.3 | 2018-03-12 | 2018-03-12 |
CPU vulnerability: Meltdown and Spectre | 2018-01-001 | Low | Appgate SDP before v3.3.3; AppGate Classic all versions | 2018-01-08 | 2018-01-08 |
Shell access and information disclosure | 2017-06-0001 | Medium | Appgate Classic before v11.2.7 | 2017-06-08 | 2017-06-08 |
Information Disclosure on Management Interface | 2017-05-0001 | High | Appgate SDP Controller before v3.1.2 | 2017-05-18 | 2018-07-12 |
Appgate Security Advisories and other Appgate security content are provided on an "as is" basis and do not imply any kind of guarantee or warranty. Your use of the information in these publications or linked material is at your own risk. Appgate reserves the right to change or update this content without notice at any time.