[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] DSA-2019-025: RSA Archer GRC Platform Multiple Vulnerabilities

To: <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] DSA-2019-025: RSA Archer GRC Platform Multiple Vulnerabilities
From: <secure@xxxxxxxx>
Date: Wed, 6 Mar 2019 20:22:09 +0000

Restricted - Confidential

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

DSA-2019-025: RSA Archer GRC Platform Multiple Vulnerabilities

Dell EMC Identifier: DSA-2019-025

CVE Identifier: CVE-2019-3715, CVE-2019-3716


Severity Rating: See below for scores of individual CVEs


Affected Products:

RSA Archer versions prior to 6.5 P1 (CVE-2019-3715)
RSA Archer versions prior to 6.5 P2 (CVE-2019-3716)

Summary:
RSA Archer has fixes available for multiple security vulnerabilities that could 
potentially be exploited by malicious users to compromise the affected system.
Details:
RSA Archer GRC Platform has been updated to address the following 
vulnerabilities:
*             Information Exposure Vulnerability (CVE-2019-3715)

RSA Archer versions, prior to 6.5 SP1, contain an information exposure 
vulnerability. Users' session information is logged in plain text in the RSA 
Archer log files. An authenticated malicious local user with access to the log 
files may obtain the exposed information to use it in further attacks.

CVSSv3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


*             Information Exposure Vulnerability (CVE-2019-3716)

RSA Archer versions, prior to 6.5 SP2, contain an information exposure 
vulnerability. The database connection password may get logged in plain text in 
the RSA Archer log files. An authenticated malicious local user with access to 
the log files may obtain the exposed password to use it in further attacks.

CVSSv3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Recommendation:
For CVE-2019-3715, the following RSA Archer releases contain a resolution for 
this vulnerability:
*             RSA Archer version 6.5 P1 (6.5.0.1)
*             RSA Archer version 6.5 P2 (6.5.0.2) [6.5 P2 contains the items 
fixed in 6.5 P1]
*             RSA Archer version 6.4 SP1 P5 (6.4.1.5)

For CVE-2019-3716, the following RSA Archer releases contain a resolution for 
this vulnerability:
*             RSA Archer version 6.5 P2 (6.5.0.2)
*             RSA Archer version 6.4 SP1 P5 (6.4.1.5)


RSA recommends all customers upgrade at the earliest opportunity.

Severity Rating
For an explanation of Severity Ratings, refer to the Security Advisories 
Severity Rating (https://community.rsa.com/docs/DOC-47147) knowledge base 
article. RSA recommends all customers take into account both the base score and 
any relevant temporal and environmental scores which may impact the potential 
severity associated with particular security vulnerability.

Legal Information
Read and use the information in this RSA Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this advisory, contact RSA Technical Support 
(https://community.rsa.com/docs/DOC-1294). RSA Security LLC and its affiliates, 
including without limitation, its ultimate parent company, Dell Technologies, 
distribute RSA Security Advisories in order to bring to the attention of users 
of the affected RSA products, important security information. RSA recommends 
that all users determine the applicability of this information to their 
individual situations and take appropriate action. The information set forth 
herein is provided "as is" without warranty of any kind. RSA disclaims all 
warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement. 
In no event shall RSA, its affiliates or its suppliers, be liable for any dam
 ages wha
 tsoever including direct, indirect, incidental, consequential, loss of 
business profits or special damages, even if RSA, its affiliates or its 
suppliers have been advised of the possibility of such damages. Some 
jurisdictions do not allow the exclusion or limitation of liability for 
consequential or incidental damages, so the foregoing limitation may not apply.
Dell Product Security Incident Response Team
secure@xxxxxxxx
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEP5nobPoCj3pTvhAZgSlofD2Yi6cFAlyAK2cACgkQgSlofD2Y
i6e8shAAmNPo8qsfZZSHyKOqWMxjQ0eU5iJutETZsbZl7kU1nvM2XFOsI0y42Zsb
DeNb4vhgGcKCawwJr1ByZc3T/9Z2/G9gU8Ay+cKUX6hqbNhyg79CzN5yZgU39pVT
jgCga7BOhxomxEBj/EJ2Llcj5KMIvnT+tw1edN6hZpl3HE7Na7EhDagj34pdHhiX
y6mzBHPORpxiB8N6LcvqIOL/4/Va6+i1TA75jS3j9Jt8JZ6ztdhKheba/Ko4Lpsd
CYABjpCLSBXtX+ZOWP9nTyvObAdln50ILDydfojh/pQqEKbPY6J/MQIDi4URzeKf
DlGpb/+0luc3nPe83sRE2t0jQXZpQycCnBUMhCBnRjdiYO0dA9vzhNGSgILEc6us
xYRxUoGF5oNBGa5463kL6ZLlcKy91ibEbqqmVXjN2VLPGug1PxoxVelb/nKm43uE
6ajW1Y217tJ5G2qr7NWo7slb5gR1/8yWmbZk4S8dLIiFzQIGGhyWp5KCoy+lIJQE
Pl/5IRaxUirsvi52NufwQ3wlOcbwZkf7bZgYmzbX7+Oi77EA1xJPprcimsEQIqSH
MheivWk+LyUwIkqvSC6AILVyVVnKyf8lWPKCpe5PNQ0JmS8pVL3I6moNk5qYmgau
ZD8ZwuULI+f8MxK7OAeW4BnigP+nBvBGCrtR9hgwdlSVZL2Qe+8=
=0529
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: Re: [FD] Blog2Social 5.0.2 - Reflected XSS (WordPress Plugin)
Next by Date: [FD] Microsoft Windows .Reg File / Dialog Box Message Spoofing Vulnerability
Previous by thread: [FD] DSA-2019-025: RSA Archer GRC Platform Multiple Vulnerabilities
Next by thread: [FD] DSA-2019-038: RSA® Authentication Manager Insecure Credential Management Vulnerability
Index(es):
- Date
- Thread