
List:       bugtraq
Subject:    ESA-2015-078: RSA® Identity Management and Governance (IMG) Insec
From:       Security Alert <Security_Alert () emc ! com>
Date:       2015-04-29 16:55:14
Message-ID: 37F0BE0896DB1544B5BEFBE34F79D0537046167A () MX103CL01 ! corp ! emc ! com


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2015-078: RSA® Identity Management and Governance (IMG) Insecure Password Reset Vulnerability

EMC Identifier: ESA-2015-078

CVE Identifier: CVE-2015-0532

Severity Rating: CVSSv2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Affected Products:  

     -  RSA Identity Management and Governance (IMG) 6.9
     -  RSA IMG 6.9.1

Unaffected Products: 
     -  RSA IMG versions prior to 6.9

Summary:  
RSA IMG contains fixes for an insecure password reset vulnerability that could potentially be exploited by malicious users to compromise the affected system.

Details:

RSA IMG implements a password reset process that requires a password reset key to be generated along with a new password. A weakness in the password reset process may potentially allow malicious users to generate a new password and gain access to the system as a privileged user.
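The advisory does not describe the exact weakness in the IMG reset-key handling, so the example below is not RSA's code and makes no claim about it. It is an added, hypothetical Python implementation of the properties a password reset key must have for the process described above to be safe: the key is drawn from the OS CSPRNG rather than derived from anything predictable, only a hash of it is stored, it is bound to one account, it expires, and it is consumed on first use so the same key cannot set a password twice. The time-to-live, key length and account names are constructed for the example.

```python
import hashlib
import secrets
import time

# Constructed policy values for this example (not taken from the advisory).
RESET_KEY_TTL_SECONDS = 15 * 60
RESET_KEY_BYTES = 32


class ResetKeyStore:
    """Issue and redeem single-use password reset keys.

    Hypothetical implementation for illustration; it is not the RSA IMG
    reset mechanism. Every check in redeem() must pass before a new
    password is accepted.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be exercised
        self._pending = {}       # sha256(key) -> (username, expires_at)
        self.passwords = {}      # username -> (salt, pbkdf2 hash); stand-in for the directory

    def issue(self, username):
        # 256 bits from the OS CSPRNG: not a function of username, time or a counter,
        # so an attacker cannot generate a valid key for someone else's account.
        key = secrets.token_urlsafe(RESET_KEY_BYTES)
        digest = hashlib.sha256(key.encode()).hexdigest()
        # Only the hash is stored; a read of this table yields nothing redeemable.
        self._pending[digest] = (username, self._now() + RESET_KEY_TTL_SECONDS)
        return key  # delivered out of band to the account owner only

    def redeem(self, username, key, new_password):
        """Return True and set the password only if every check passes."""
        digest = hashlib.sha256(key.encode()).hexdigest()
        record = self._pending.get(digest)
        if record is None:
            return False                  # unknown, already used, or forged key
        owner, expires_at = record
        if self._now() > expires_at:
            del self._pending[digest]     # expired keys are never honoured
            return False
        if owner != username:
            return False                  # key was issued for a different account
        del self._pending[digest]         # single use: consume before changing anything
        salt = secrets.token_bytes(16)
        self.passwords[username] = (
            salt,
            hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000),
        )
        return True


def scenario():
    """Walk the reset flow through the failure modes a reviewer would test."""
    clock = [1_000_000.0]                 # constructed starting time
    store = ResetKeyStore(now=lambda: clock[0])
    key = store.issue("alice")            # constructed account name
    results = {
        "wrong_user": store.redeem("bob", key, "x"),            # key bound to alice
        "forged": store.redeem("alice", "not-the-key", "x"),    # unknown key
        "valid": store.redeem("alice", key, "correct horse"),   # the one legitimate use
        "replay": store.redeem("alice", key, "again"),          # key already consumed
    }
    key2 = store.issue("alice")
    clock[0] += RESET_KEY_TTL_SECONDS + 1
    results["expired"] = store.redeem("alice", key2, "late")   # past the TTL
    results["password_set"] = "alice" in store.passwords
    return results


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name}: {outcome}")
```

The scenario function is the part worth keeping in a test suite: a reset endpoint that returns True for any of the first four negative cases, or that accepts a key whose value can be reproduced without access to the issuing call, has the class of weakness this advisory is about.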
Recommendation: 
The following RSA IMG releases contain resolutions to these issues:
     -  RSA IMG 6.9 P04
     -  RSA IMG 6.9.1 P01

RSA strongly recommends all customers upgrade at the earliest opportunity. 


Obtaining Software:
Customers can obtain the documentation and software for this release by downloading them from SecurCare Online (SCOL). (https://knowledge.rsasecurity.com)

To download the IMG 6.9.0 patch 04 documentation, including Release Notes, please access the "RSA Identity Management & Governance 6.9.0 P04" product documentation page (https://knowledge.rsasecurity.com/scolcms/set.aspx?id=10718).  This is accessible under the “RSA Identity Management and Governance (formerly Aveksa)” product page.

To download the IMG 6.9.0 patch 04 software, after logging into SCOL, you can select the "My Support" link at the top of the page or the "Version Upgrades" link on the Identity Management and Governance product page.  On either of these pages you will be presented with a list of products that you are entitled to based on the RSA products you have purchased.  Select the appropriate license link to access the available Identity Management & Governance software downloads. If you do not have this license in your list of products, then please contact RSA Customer Support.

          My Support link: https://knowledge.rsasecurity.com/scolcms/mysupport.aspx
          IMG Version Upgrades link: https://knowledge.rsasecurity.com/scolcms/sets.aspx?product=rsa_img&_v=upgrades

The IMG version 6.9.1 release will be shown as the "Current" released version.  The IMG 6.9.0 patch 04 software is available through the "Archive" tab on that page.


Obtaining Documentation:
To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.

Severity Rating:
For an explanation of Severity Ratings, refer to the Knowledge Base Article, “Security Advisories Severity Rating” at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

Obtaining More Information:
For more information about RSA products, visit the RSA web site at http://www.rsa.com.

Getting Support and Service:
For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.

General Customer Support Information:
http://www.emc.com/support/rsa/index.htm

RSA SecurCare Online:
https://knowledge.rsasecurity.com

EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details.
http://www.emc.com/support/rsa/eops/index.htm

SecurCare Online Security Advisories
RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

About RSA SecurCare Notes & Security Advisories Subscription
RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you’d like to stop receiving RSA SecurCare Notes & Security Advisories, or if you’d like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection.

Sincerely,
RSA Customer Support
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlVBDFgACgkQtjd2rKp+ALxxQwCfQins7u6TGcwxJSJwpk56EhOY
ggIAnRH58fOytJr2SjFQ8kI9q2wMJmUi
=MZqw
-----END PGP SIGNATURE-----
