Two vulnerabilities in RSA Identity Governance and Lifecycle



Published: 2017-07-13
Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2017-8004
CVE-2017-8005
CWE-ID CWE-20
CWE-79
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
RSA Via Lifecycle and Governance
Client/Desktop applications / Encryption software

RSA Identity Governance and Lifecycle
Client/Desktop applications / Encryption software

RSA Identity Management and Governance
Client/Desktop applications / Encryption software

Vendor RSA

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Arbitrary file upload

EUVDB-ID: #VU7495

Risk: Low

CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8004

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker with administrator privileges to upload arbitrary files.

The weakness exists due to insufficient validation of user-supplied input. A remote attacker can upload a specially crafted file that may contain a malicious code and execute it on the system.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update RSA Identity Governance and Lifecycle to versions 7.0.1 P03, 7.0.2 P01.
Update RSA Via Lifecycle and Governance to version 7.0.1 P03.
Update RSA Identity Management and Governance (RSA IMG) to version 7.0.1 P03.

Vulnerable software versions

RSA Via Lifecycle and Governance: 7.0

RSA Identity Governance and Lifecycle: 7.0.1 - 7.0.2

RSA Identity Management and Governance: 6.9.1

External links

http://seclists.org/fulldisclosure/2017/Jul/24


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Cross-site scripting

EUVDB-ID: #VU7496

Risk: Low

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-8005

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Exploit availability: No

Description

The disclosed vulnerability allows a remote authenticated attacker to perform cross-site scripting (XSS) attacks.

The vulnerability is caused by incorrect filtration of input data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in victim’s browser in security context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

Mitigation

Update RSA Identity Governance and Lifecycle to versions 7.0.1 P03, 7.0.2 P01.
Update RSA Via Lifecycle and Governance to version 7.0.1 P03.
Update RSA Identity Management and Governance (RSA IMG) to version 6.9.1 P23.

Vulnerable software versions

RSA Via Lifecycle and Governance: 7.0

RSA Identity Governance and Lifecycle: 7.0.1 - 7.0.2

RSA Identity Management and Governance: 6.9.1

External links

http://seclists.org/fulldisclosure/2017/Jul/24


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###