
List:       full-disclosure
Subject:    [FD] ESA-2017-145: RSA® Authentication Agent for Web for Apache
From:       EMC Product Security Response Center <Security_Alert () emc ! com>
Date:       2017-11-27 17:04:32
Message-ID: 1BF8853173D9704A93EF882F85952A89372CE1 () MX304CL04 ! corp ! emc ! com


ESA-2017-145: RSA® Authentication Agent for Web for Apache Web Server Authentication Bypass Vulnerability

EMC Identifier:  ESA-2017-145

CVE Identifier:  CVE-2017-14377
 
Severity Rating: CVSS v3 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N)
 
Affected Products:
	- RSA® Authentication Agent for Web: Apache Web Server version 8.0
	- RSA® Authentication Agent for Web: Apache Web Server version 8.0.1 prior to Build 618
 
Summary:
A security vulnerability in RSA Authentication Agent for Web for Apache Web Server could potentially lead to authentication bypass.

Details:
Due to an improper input validation flaw in RSA Authentication Agent for Web for Apache Web Server, a remote malicious user can potentially bypass user authentication and gain unauthorized access to resources protected by the agent. The privilege level of an unauthorized user who gains access depends on the authorization policy set by the underlying application that is using the agent.

This vulnerability is only present when the RSA Authentication Agent for Web for Apache Web Server is configured to use the TCP protocol to communicate with the RSA Authentication Manager server. The UDP implementation, which is the default configuration, is not vulnerable. Please refer to the RSA Authentication Agent 8.x for Web for Apache Web Server Installation and Configuration Guide for configuration details.
Recommendation:
 
The following release contains a resolution for this vulnerability:
	- RSA Authentication Agent for Web: Apache Web Server version 8.0.1 Build 618
 
RSA recommends all customers upgrade at the earliest opportunity. RSA Authentication Agent for Web for Apache Web Server downloads and documentation can be found at: https://community.rsa.com/community/products/securid/authentication-agent-web-apache.
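The affected-version and transport conditions above can be turned into a small triage helper for inventory checks. This is an added example, not RSA's code: it assumes the administrator has already collected the installed agent version string and the configured transport to Authentication Manager, and the sample values in the test are constructed.

```python
import re

# Added example for ESA-2017-145 (CVE-2017-14377); not part of the advisory or the product.
# Conditions encoded here come from the advisory text:
#   - affected: 8.0 (any build) and 8.0.1 prior to Build 618
#   - fixed:    8.0.1 Build 618
#   - exposure only when the agent talks to Authentication Manager over TCP; UDP (default) is not affected
AFFECTED_VERSIONS = ((8, 0), (8, 0, 1))
FIXED_BUILD = 618

_VERSION_RE = re.compile(r"\s*v?(\d+(?:\.\d+)*)(?:\s*[Bb]uild\s*(\d+))?\s*$")


def parse_version(text):
    """Parse '8.0.1 Build 618' -> ((8, 0, 1), 618) and '8.0' -> ((8, 0), None)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    build = int(m.group(2)) if m.group(2) else None
    return parts, build


def triage(version_text, transport):
    """Classify one agent install as 'affected', 'fixed', 'not-exposed' or 'out-of-scope'."""
    parts, build = parse_version(version_text)
    if parts not in AFFECTED_VERSIONS:
        # The advisory names only 8.0 and 8.0.1; anything else is outside its scope.
        return "out-of-scope"
    if transport.strip().lower() != "tcp":
        # UDP is the default transport and is stated not to be vulnerable.
        return "not-exposed"
    if parts == (8, 0):
        return "affected"            # every 8.0 build is listed as affected
    if build is None:
        return "affected"            # 8.0.1 with unknown build: treat as pre-618 until verified
    return "fixed" if build >= FIXED_BUILD else "affected"


if __name__ == "__main__":
    # Constructed inventory lines: (host, version string, transport)
    inventory = [("web-01", "8.0.1 Build 618", "TCP"), ("web-02", "8.0", "TCP"),
                 ("web-03", "8.0.1 Build 602", "UDP")]
    for host, ver, proto in inventory:
        print(f"{host}: {triage(ver, proto)}")
```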

Severity Rating:
For an explanation of Severity Ratings, refer to the Security Advisories Severity Rating knowledge base article (https://community.rsa.com/docs/DOC-47147). RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle (https://community.rsa.com/docs/DOC-40387) for additional details.
RSA Link Security Advisories:
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell Technologies, distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

