Command injection in RSA Identity Governance and Lifecycle

#VU13865 Command injection in RSA Identity Governance and Lifecycle

Published: 2018-07-13

Vulnerability identifier: #VU13865

Vulnerability risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-1245

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
RSA Identity Governance and Lifecycle
Client/Desktop applications / Encryption software

Vendor: RSA

Description

The vulnerability allows a remote authenticated attacker to execute arbitrary commands on the target system.

The weakness exists due to insufficient sanitization of user-supplied data. A remote attacker can bypass Java Security Policies to inject and execute arbitrary system commands on the target system with the privileges of the target application.

Mitigation
Update to version 7.0.2 P07, 7.1.0 P01.

Vulnerable software versions

RSA Identity Governance and Lifecycle: 7.0.1 - 7.1.0

External links
http://seclists.org/fulldisclosure/2018/Jul/46

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in RSA Identity Governance and Lifecycle