[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
ESA-2017-064: RSA Identity Governance and Lifecycle Multiple Vulnerabilities
- To: "'bugtraq@xxxxxxxxxxxxxxxxx'" <bugtraq@xxxxxxxxxxxxxxxxx>, "DM@xxxxxxxxxxxxxxxxx" <DM@xxxxxxxxxxxxxxxxx>
- Subject: ESA-2017-064: RSA Identity Governance and Lifecycle Multiple Vulnerabilities
- From: EMC Product Security Response Center <Security_Alert@xxxxxxx>
- Date: Thu, 8 Jun 2017 17:48:41 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
EMC Identifier: EMC-2017-064
CVE Identifier: CVE-2017-5003, CVE-2017-5004
Severity Rating: CVSS v3 Base Score: Please view details below for individual
CVE scores.
Affected Products:
?RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels
?RSA Via Lifecycle and Governance version 7.0, all patch levels
?RSA Identity Management and Governance (RSA IMG) versions 6.9.1, all patch
levels
Summary:
RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA
IMG contain fixes for multiple security vulnerabilities that could potentially
be exploited by malicious users to compromise an affected system.
Details:
Reflected Cross Site Scripting Vulnerabilities (CVE-2017-5003)
The RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and
RSA IMG products are affected by multiple reflected cross-site scripting
vulnerabilities. An unauthenticated remote attacker may potentially exploit
these vulnerabilities to execute arbitrary HTML in the user?s browser session
in the context of the affected system.
CVSSv3 Base Score: 8.2/High (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)
Stored Cross Site Scripting Vulnerabilities (CVE-2017-5004)
The RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and
RSA IMG products are affected by multiple stored cross-site scripting
vulnerabilities. A low privileged remote attacker may potentially exploit
these vulnerabilities to execute arbitrary HTML in the user?s browser session
in the context of the affected system.
CVSSv3 Base Score: 7.6/High (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N)
Recommendation:
The following RSA Identity Governance and Lifecycle, RSA Via Lifecycle and
Governance and RSA IMG releases contain resolutions to these vulnerabilities:
?RSA Identity Governance and Lifecycle 7.0.2: 7.0.2 P01 or later
?RSA Identity Governance and Lifecycle 7.0.1: 7.0.1 P03 or later
?RSA Via Lifecycle and Governance 7.0: Requires upgrading to 7.0.1 P03 or later
?RSA Identity Management and Governance 6.9.1: 6.9.1 P23 or later
RSA recommends all customers upgrade at the earliest opportunity.
Customers can obtain the documentation and software for these releases by
downloading them from the Downloads area on RSA Identity Governance and
Lifecycle space of RSA Link.
Credits:
RSA would like to thank Lukasz Plonka for reporting this vulnerability.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJZOY09AAoJEHbcu+fsE81ZgQgH/R09z8L9gNLFaXwEzKB0/93N
ECsRg9kCuiQcCD9GVH51K8k/b+QIN9nHKPNphRhGn9EVuQi/oMIxCN6ZydNA0AXc
vodwfjPtVKPivE9lSm2YmHXGIHwwW5Cl+ndqWzcy4j9Ep4VCZGAzbxKHct82VoSV
gaoODYePstbwto/g6SfigWGK73eb9AjzpK1HYj34sWYFN7N+Uy2pfBTAJz+9sQGq
N74UTErIIAz6+WICZ8eHHu9ap6qoznR7jJ5vX/Tnq59vxOPfYQGlyVmG4Gnp5g8M
vYmKA5Kpre/hlJUsGvNS7s0xmV+e51CzGzu8Q0XeLsLWhQtTY4Zd6ZORx5+qWbQ=
=wmOY
-----END PGP SIGNATURE-----