May 17, 2004
Some Blue Coat Systems products have a problem that can result in revealing the private key associated with an imported certificate.
Importing a private key through the web-based administrative interface (the management console) results in the private key and its pass-phrase being logged in cleartext on the device. Certain device configurations or administrator actions can result in this information being revealed outside the appliance.
Note that importing a private key via the command-line interface does not expose the private key; this problem is specific to the browser-based interface.
Customers using these products who have imported a private key through the web-based administrative interface should be aware that the key may have been compromised. They are advised to generate a new key pair and certificate, replace the existing key pair and certificate with the new ones, and revoke the existing certificate; customers should contact their certificate authority for revocation requirements and procedures.
The new key should be imported via the command line interface if using one of the affected releases.
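An administrator deciding whether a key imported through the management console was actually exposed will want to check any exported device logs for key material before and after rotating. The following Python script is an added example of that check; it is not Blue Coat's code, and the log lines it scans are constructed to illustrate the shape of such a leak (real SGOS log lines will differ). It reports PEM private key blocks and passphrase fields by line position and length only, so the report does not become a second cleartext copy of the secret.

```python
import re

# Constructed sample of a management-console log in which an import
# request was recorded in cleartext. Not real SGOS output and not a real key.
SAMPLE_LOG = """\
2004-05-17 10:01:02 mgmt-console: user admin login from 10.0.0.5
2004-05-17 10:03:44 mgmt-console: POST /ssl/import-key form-data: name=web-proxy passphrase=Tr0ub4dor&3
2004-05-17 10:03:44 mgmt-console: key-data:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF
MIIBOgIBAAJBAK0constructedNotARealKeyBodyAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END RSA PRIVATE KEY-----
2004-05-17 10:03:45 mgmt-console: import complete
"""

# Matches PEM headers for any private key type (RSA, EC, ENCRYPTED, plain).
PEM_BEGIN = re.compile(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----")
PEM_END = re.compile(r"-----END ([A-Z ]*PRIVATE KEY)-----")
# Matches key=value or key: value fields whose name suggests a secret.
PASSPHRASE = re.compile(r"(?i)\b(pass[-_ ]?phrase|password)\b\s*[:=]\s*(\S+)")


def redact(value):
    """Describe a secret by length only; never echo it into the report."""
    return "<%d chars, redacted>" % len(value)


def scan_log_for_key_material(lines):
    """Return a list of findings for private key blocks and passphrase fields.

    Each finding is a dict. Private key findings give the PEM type and the
    start/end line numbers (end is None and truncated is True if the log was
    cut off inside the block); passphrase findings give the field name and a
    redacted description of the value.
    """
    findings = []
    in_block = None   # PEM type of the block currently being read, if any
    start = None
    for lineno, line in enumerate(lines, 1):
        if in_block is None:
            m = PEM_BEGIN.search(line)
            if m:
                in_block, start = m.group(1), lineno
                continue
            m = PASSPHRASE.search(line)
            if m:
                findings.append({
                    "kind": "passphrase",
                    "line": lineno,
                    "field": m.group(1),
                    "value": redact(m.group(2)),
                })
        else:
            m = PEM_END.search(line)
            if m:
                findings.append({
                    "kind": "private_key",
                    "type": in_block,
                    "start": start,
                    "end": lineno,
                    "truncated": False,
                })
                in_block = None
    if in_block is not None:
        # Log ended mid-block: still a leak, even if the key is incomplete.
        findings.append({
            "kind": "private_key",
            "type": in_block,
            "start": start,
            "end": None,
            "truncated": True,
        })
    return findings


def log_exposes_key_material(lines):
    """True if the log contains any private key block or passphrase field."""
    return bool(scan_log_for_key_material(lines))


if __name__ == "__main__":
    for f in scan_log_for_key_material(SAMPLE_LOG.splitlines()):
        print(f)
```

If the scan reports a hit, treat the key as exposed to whoever could read that log (backups, syslog receivers, support bundles included), rotate as the advisory describes, and purge or re-protect the affected log copies.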
Affected Systems:
SG 3.x
Fixed in:
SGOS obtain patch release here
Additional Information:
For more information, please contact the Blue Coat Support Department.
United States Domestic: 866.362.2628
Domestic/International Calls: 408.220.2270
Asia Pacific Rim: 81.3.5425.8492