[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] DSA-2019-025: RSA Archer GRC Platform Multiple Vulnerabilities

To: <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] DSA-2019-025: RSA Archer GRC Platform Multiple Vulnerabilities
From: <secure@xxxxxxxx>
Date: Thu, 28 Feb 2019 19:38:02 +0000

Restricted - Confidential

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

DSA-2019-025: RSA Archer GRC Platform Multiple Vulnerabilities

Dell EMC Identifier: DSA-2019-025

CVE Identifier: CVE-2019-3705, CVE-2019-3706


Severity Rating: See below for scores of individual CVEs


Affected Products:

RSA Archer versions prior to 6.5 P1 (CVE-2019-3705)
RSA Archer versions prior to 6.5 P2 (CVE-2019-3706)

Summary:
RSA Archer has fixes available for multiple security vulnerabilities that could 
potentially be exploited by malicious users to compromise the affected system.
Details:
RSA Archer product has been updated to address the following vulnerabilities:
*             Information Exposure Vulnerability (CVE-2019-3705)

RSA Archer versions, prior to 6.5 SP1, contain an information exposure 
vulnerability. Users' session information is logged in plain text in the RSA 
Archer log files. An authenticated malicious local user with access to the log 
files may obtain the exposed information to use it in further attacks.

CVSSv3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


*             Information Exposure Vulnerability (CVE-2019-3706)

RSA Archer versions, prior to 6.5 SP2, contain an information exposure 
vulnerability. The database connection password may get logged in plain text in 
the RSA Archer log files. An authenticated malicious local user with access to 
the log files may obtain the exposed password to use it in further attacks.

CVSSv3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Recommendation:
For CVE-2019-3705, the following RSA Archer releases contain a resolution for 
this vulnerability:
*             RSA Archer version 6.5 P1 (6.5.0.1)
*             RSA Archer version 6.5 P2 (6.5.0.2) [6.5 P2 contains the items 
fixed in 6.5 P1]
*             RSA Archer version 6.4 SP1 P5 (6.4.1.5)

For CVE-2019-3706, the following RSA Archer releases contain a resolution for 
this vulnerability:
*             RSA Archer version 6.5 P2 (6.5.0.2)
*             RSA Archer version 6.4 SP1 P5 (6.4.1.5)


RSA recommends all customers upgrade at the earliest opportunity.

Severity Rating
For an explanation of Severity Ratings, refer to the Security Advisories 
Severity Rating (https://community.rsa.com/docs/DOC-47147) knowledge base 
article. RSA recommends all customers take into account both the base score and 
any relevant temporal and environmental scores which may impact the potential 
severity associated with particular security vulnerability.

Legal Information
Read and use the information in this RSA Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this advisory, contact RSA Technical Support 
(https://community.rsa.com/docs/DOC-1294). RSA Security LLC and its affiliates, 
including without limitation, its ultimate parent company, Dell Technologies, 
distribute RSA Security Advisories in order to bring to the attention of users 
of the affected RSA products, important security information. RSA recommends 
that all users determine the applicability of this information to their 
individual situations and take appropriate action. The information set forth 
herein is provided "as is" without warranty of any kind. RSA disclaims all 
warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement. 
In no event shall RSA, its affiliates or its suppliers, be liable for any dam
 ages wha
 tsoever including direct, indirect, incidental, consequential, loss of 
business profits or special damages, even if RSA, its affiliates or its 
suppliers have been advised of the possibility of such damages. Some 
jurisdictions do not allow the exclusion or limitation of liability for 
consequential or incidental damages, so the foregoing limitation may not apply.
Dell Product Security Incident Response Team
secure@xxxxxxxx
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEP5nobPoCj3pTvhAZgSlofD2Yi6cFAlx4N6AACgkQgSlofD2Y
i6dXzQ//XHQsdsvdDqGc85jOTtTRZ0VWhxe3g76dAW7u5tmKt8dyHZF4QqaXtc/p
qKRdrWl6SK/ajzxhnF7PaMmLLLAYnHBzL56Vo0ZTjcXD/8rMfTh+WX8v/M06TOjG
UgJTdtVGKILsBGmuViwVtvpTLsmeVhbhq34dbMscLhrgjwvrTmsCW3Zv+6w4/x5G
umlHR8f+asAYs/JKJ3IvFo5i/v1wKoXsFQVXN8RtySzRVKX+Jx3fsqfCnC+cj4cz
6SnaOPQMBRTPzev4vcWGR4HxoQjE6vl3xgKYyi1bAQf6sZnZpVvzmvPi6OZDfV9q
jm+32qvMbwjH2L0POwk7djnmaeZ9qRM3cYihHRJhuOaqW4UyVxhy7ZwZIXeYwOX4
lGiyqt6gtGpUjAFgI1qycGOzVu4W1pZhmIAPRk5KYFapr3BEmgWoDwrvjF7QqRq8
wt5J1Us6XWc4D+wqMIo7YZmnvO9Bz73oxBKqvZXNUJSxfQroAQhcG4DJy+TH+nC7
MWMH2EEdhL5ibCog6AMRksMmU08Cw2gIvKnotOgRIPUnirlfn22IpukqV2prBrHH
zOoHOLRx865jPqPPHb4Tp+DvGDwtscwiGyI9AaeemutPbUhlibP/vMyQh8wKItCl
F+iHsckY/7Mh2/FH3a0vWb57edaT4lPgvt8JwwP4OfE+a7qXpuA=
=lmP4
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] [CVE-2019-9206, CVE-2019-9207] Cross Site Scripting in PRTG Network Monitor v7.1.3.3378
Next by Date: [FD] DSA-2019-038: RSA® Authentication Manager Insecure Credential Management Vulnerability
Previous by thread: [FD] [CVE-2019-9206, CVE-2019-9207] Cross Site Scripting in PRTG Network Monitor v7.1.3.3378
Next by thread: [FD] DSA-2019-025: RSA Archer GRC Platform Multiple Vulnerabilities
Index(es):
- Date
- Thread