SB2015050101 - Multiple vulnerabilities in RSA Identity Management and Governance

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Information disclosure (CVE-ID: CVE-2016-0918)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

EMC RSA Identity Management and Governance before 6.8.1 P25 and 6.9.x before 6.9.1 P15 and RSA Via Lifecycle and Governance before 7.0.0 P04 allow remote authenticated users to obtain User Detail Popup information via a modified URL.

2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2015-0532)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

EMC RSA Identity Management and Governance (IMG) 6.9 before P04 and 6.9.1 before P01 does not properly restrict password resets, which allows remote attackers to obtain access via crafted use of the reset process for an arbitrary valid account name, as demonstrated by a privileged account.

Remediation

Install update from vendor's website.

References

• http://seclists.org/bugtraq/2016/Sep/52
• http://www.securityfocus.com/bid/93108
• http://www.securitytracker.com/id/1036896
• http://packetstormsecurity.com/files/131710/RSA-IMG-6.9-6.9.1-Insecure-Password-Reset.html
• http://seclists.org/bugtraq/2015/Apr/204
• http://www.securitytracker.com/id/1032218