DSA-2019-046: RSA Identity Governance and Lifecycle Security Update for Oracle Database Vulnerabilities

Document created by RSA Product Team Employee on Mar 21, 2019Last modified by RSA Product Team Employee on May 23, 2019
Version 8Show Document
  • View in full screen mode
Dell EMC Identifier:

DSA-2019-046

CVE Identifier:See the Details section below
Severity:Critical
Severity Rating:See Advisory
Affected Products:

• RSA Identity Governance and Lifecycle
• RSA Via Lifecycle and Governance

 

Note: This applies only to any deployment using an RSA provided Oracle 12.1.0.2 database, including hardware appliance and software bundle deployments.

 

Unaffected Products:

RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance:
Software-only systems or any deployment where RSA did not provide the database.

Summary:The database components in RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance require a security update to address various vulnerabilities.
Details:

RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance have been updated to address the security vulnerabilities below.

 

See the Oracle advisory for more information: https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

 

Note: For more information about any of the Common Vulnerabilities and Exposures (CVEs) mentioned here consult the National Vulnerability Database (NVD) at http://nvd.nist.gov/home.cfm. To search for a CVE, use the database's search utility at http://web.nvd.nist.gov/view/vuln/search.

 

Oracle 12.1.0.2 Updates:

CVE-2014-4290

CVE-2014-4291

CVE-2014-4292

CVE-2014-4293

CVE-2014-4294

CVE-2014-4295

CVE-2014-4296

CVE-2014-4297

CVE-2014-4298

CVE-2014-4299

CVE-2014-4300

CVE-2014-4310

CVE-2014-6452

CVE-2014-6453

CVE-2014-6454

CVE-2014-6455

CVE-2014-6467

CVE-2014-6477

CVE-2014-6537

CVE-2014-6538

CVE-2014-6541

CVE-2014-6542

CVE-2014-6545

CVE-2014-6546

CVE-2014-6547

CVE-2014-6560

CVE-2014-6563

CVE-2014-6567

CVE-2014-6577

CVE-2015-0373

CVE-2015-0455

CVE-2015-0457

CVE-2015-0483

CVE-2015-2595

CVE-2015-2599

CVE-2015-2629

CVE-2015-4740

CVE-2015-4753

CVE-2015-4755

CVE-2015-4794

CVE-2015-4796

CVE-2015-4857

CVE-2015-4863

CVE-2015-4873

CVE-2015-4888

CVE-2015-4900

CVE-2015-4921

CVE-2015-4923

CVE-2016-0461

CVE-2016-0467

CVE-2016-0472

CVE-2016-0499

CVE-2016-0677

CVE-2016-0681

CVE-2016-0690

CVE-2016-0691

CVE-2016-3454

CVE-2016-3479

CVE-2016-3484

CVE-2016-3488

CVE-2016-3489

CVE-2016-3506

CVE-2016-3562

CVE-2016-3609

CVE-2016-5497

CVE-2016-5498

CVE-2016-5499

CVE-2016-5505

CVE-2016-5516

CVE-2016-5555

CVE-2016-5572

CVE-2017-3240

CVE-2017-3310

CVE-2017-3486

CVE-2017-3567

CVE-2017-10120

CVE-2017-10190

CVE-2017-10202

CVE-2017-10261

CVE-2017-10292

CVE-2017-10321

CVE-2018-2575

CVE-2018-3110

CVE-2019-2406

CVE-2019-2547

 

Recommendation:

The Appliance Updater tool's March 2019 release will resolve these issues.

 

RSA recommends all appliance customers install the Appliance Updater to ensure that embedded database components are kept current with security updates and patches.

 

This Appliance Updater supports the RSA Identity Governance and Lifecycle or RSA Via Lifecycle and Governance products which use a RSA provided 12.1.0.2 Oracle database.

 

Customers can obtain the documentation and software by downloading them from the Downloads area on RSA Identity Governance and Lifecycle space of RSA Link.

 

-   RSA Identity Governance and Lifecycle: RSA Identity Governance and Lifecycle Appliance Updater
-   RSA Via L&G: RSA Via Lifecycle and Governance Appliance Updater

Severity Rating:For an explanation of Severity Ratings, refer to Dell’s Vulnerability Disclosure Policy. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.
EOPS Policy:RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
Legal Information:

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Customer Support. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell Technologies, distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information.

 

RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement.

 

In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Attachments

    Outcomes