List: full-disclosure
Subject: [FD] ESA-2017-063: RSA Archer® GRC Platform Multiple Vulner
From: EMC Product Security Response Center <Security_Alert () emc ! com>
Date: 2017-06-29 19:58:26
Message-ID: 1BF8853173D9704A93EF882F85952A89290669 () MX304CL04 ! corp ! emc ! com
ESA-2017-063 RSA Archer® GRC Platform Multiple Vulnerabilities
EMC Identifier: ESA-2017-063
CVE Identifier: CVE-2017-4998, CVE-2017-4999, CVE-2017-5000, CVE-2017-5001, CVE-2017-5002
Severity Rating: CVSSv3 Base Score: Please view details below for individual CVE scores
Affected Products
• RSA Archer version 5.4.1.3
• RSA Archer version 5.5.3.1
• RSA Archer version 5.5.2.3
• RSA Archer version 5.5.2
• RSA Archer version 5.5.1.3.1
• RSA Archer version 5.5.1.1
Summary:
RSA Archer GRC 6.2.0.2 Platform contains fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise an affected system.
Details:
Multiple components within the RSA Archer product have been updated to address various vulnerabilities:
• Cross-Site Request Forgery Vulnerability - CVE-2017-4998
RSA Archer is potentially affected by a cross-site request forgery vulnerability. A remote low privileged attacker may potentially exploit the vulnerability to execute unauthorized requests on behalf of the victim, using the authenticated user’s privileges.
CVSSv3 Base Score: 7.6 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)
• Authorization Bypass Through User-Controlled Key Vulnerability – CVE-2017-4999
RSA Archer is affected by an authorization bypass through user-controlled key vulnerability in Discussion Forum Messages. A remote low privileged attacker may potentially exploit this vulnerability to elevate their privileges and view other users’ discussion forum messages.
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
• Information Disclosure Vulnerability – CVE-2017-5000
RSA Archer is affected by an information exposure through an error message vulnerability. A remote low privileged attacker may potentially exploit this vulnerability to use information disclosed in an error message to launch another more focused attack.
CVSSv3 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
• Cross Site Scripting Vulnerability – CVE-2017-5001
RSA Archer is affected by an information exposure through an error message vulnerability. A remote low privileged attacker may potentially exploit this vulnerability to use information disclosed in an error message to launch another more focused attack.
CVSSv3 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
• Open Redirect Vulnerability – CVE-2017-5002
RSA Archer is affected by an open redirect vulnerability. A remote unprivileged attacker may potentially redirect legitimate users to arbitrary web sites and conduct phishing attacks. The attacker could then steal the victims’ credentials and silently authenticate them to the RSA Archer application without the victims realizing an attack occurred.
CVSSv3 Base Score: 4.7 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
Recommendation:
RSA recommends all customers upgrade to the version mentioned below at the earliest opportunity.
• RSA Archer GRC 6.2.0.2
For additional documentation, downloads, and more, visit the RSA Archer Suite page on RSA Link.
Severity Rating:
For an explanation of Severity Ratings, refer to the Security Advisories Severity Rating knowledge base article. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
RSA Link Security Advisories:
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell Technologies, distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/