DSA-2020-140: RSA Identity Governance and Lifecycle Security Update for SUSE Linux Enterprise Server Vulnerabilities

Document created by RSA Product Team Employee on Jun 1, 2020
Last modified by RSA Product Team Employee on Jun 1, 2020
Version 2
Dell EMC Identifier: DSA-2020-140
CVE Identifier: See Advisory
Severity: Critical
Severity Rating: See NVD (http://nvd.nist.gov/home.cfm) for individual scores for each CVE
Affected Products:

All versions

• RSA Identity Governance and Lifecycle (Hardware Appliance and Virtual Application deployments only)
• RSA Via Lifecycle and Governance Lifecycle (Hardware Appliance deployments only)
• RSA IMG Lifecycle (Hardware Appliance deployments only)

 

Note: The latest patches affect the Hardware Appliance and Virtual Application deployments with an RSA-supplied SUSE Linux Enterprise Server 11 SP4 or SUSE Linux Enterprise Server 12 SP4 operating system. For customers currently using SUSE Linux Enterprise Server 11 SP3, the updater will update the system to SUSE Linux Enterprise Server 11 SP4 with all the latest patches. For customers currently using SUSE Linux Enterprise Server 12 SP3, the updater will update the system to SUSE Linux Enterprise Server 12 SP4 with all the latest patches.


Unaffected Products:
• RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG: Software-only systems or any deployment where RSA did not supply the operating system.

Summary: The embedded operating system components in RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG require a security update to address various vulnerabilities.
Details:

RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, and RSA IMG have been updated to address the following security vulnerabilities.

 

SUSE Linux Enterprise Server 11 SP4 OS Updates

CVE-2017-2518      CVE-2017-18509 CVE-2017-18551 CVE-2018-12207 CVE-2018-18508
CVE-2018-20030    CVE-2018-20976 CVE-2019-3690   CVE-2019-8287   CVE-2019-8675
CVE-2019-8696      CVE-2019-9278   CVE-2019-9456   CVE-2019-10220 CVE-2019-11135
CVE-2019-11139     CVE-2019-11745 CVE-2019-12456 CVE-2019-14821 CVE-2019-14835
CVE-2019-14896     CVE-2019-14897 CVE-2019-15118 CVE-2019-15212 CVE-2019-15213
CVE-2019-15216     CVE-2019-15217 CVE-2019-15219 CVE-2019-15291 CVE-2019-15292
CVE-2019-15505     CVE-2019-15678 CVE-2019-15679 CVE-2019-15680 CVE-2019-15807
CVE-2019-15902     CVE-2019-15916 CVE-2019-15927 CVE-2019-16056 CVE-2019-16232
CVE-2019-16233     CVE-2019-16234 CVE-2019-16413 CVE-2019-17052 CVE-2019-17053
CVE-2019-17054     CVE-2019-17055 CVE-2019-17133 CVE-2019-18660 CVE-2019-18675
CVE-2019-19066     CVE-2019-19073 CVE-2019-19074 CVE-2019-19227 CVE-2019-19523
CVE-2019-19524     CVE-2019-19527 CVE-2019-19530 CVE-2019-19531 CVE-2019-19532
CVE-2019-19537     CVE-2019-19768 CVE-2019-19965 CVE-2019-19966 CVE-2019-20096
CVE-2019-1010006 CVE-2020-3898   CVE-2020-5208   CVE-2020-8013   CVE-2020-8492
CVE-2020-8597       CVE-2020-8647   CVE-2020-8648   CVE-2020-8649   CVE-2020-9383
CVE-2020-10942     CVE-2020-11608

SUSE Linux Enterprise Server 12 SP4 OS Updates

CVE-2016-4472   CVE-2017-7890  CVE-2018-10903  CVE-2018-14553 CVE-2018-19869
CVE-2018-20030 CVE-2019-3701  CVE-2019-8625    CVE-2019-8710   CVE-2019-8720
CVE-2019-8743   CVE-2019-8764  CVE-2019-8766    CVE-2019-8769   CVE-2019-8771
CVE-2019-8782   CVE-2019-8783  CVE-2019-8808    CVE-2019-8811   CVE-2019-8812
CVE-2019-8813   CVE-2019-8814  CVE-2019-8815    CVE-2019-8816   CVE-2019-8819
CVE-2019-8820   CVE-2019-8823  CVE-2019-8835    CVE-2019-8844   CVE-2019-8846
CVE-2019-9232   CVE-2019-9278  CVE-2019-9433    CVE-2019-9458   CVE-2019-9674
CVE-2019-11038 CVE-2019-14615 CVE-2019-14896 CVE-2019-14897 CVE-2019-14901
CVE-2019-15213 CVE-2019-15681 CVE-2019-16680 CVE-2019-16994 CVE-2019-18197
CVE-2019-18348 CVE-2019-18808 CVE-2019-19036 CVE-2019-19045 CVE-2019-19051
CVE-2019-19054 CVE-2019-19066 CVE-2019-19318 CVE-2019-19319 CVE-2019-19332
CVE-2019-19338 CVE-2019-19447 CVE-2019-19523 CVE-2019-19524 CVE-2019-19525
CVE-2019-19526 CVE-2019-19527 CVE-2019-19528 CVE-2019-19529 CVE-2019-19530
CVE-2019-19531 CVE-2019-19532 CVE-2019-19533 CVE-2019-19534 CVE-2019-19535
CVE-2019-19536 CVE-2019-19537 CVE-2019-19543 CVE-2019-19767 CVE-2019-19768
CVE-2019-19770 CVE-2019-19965 CVE-2019-19966 CVE-2019-20054 CVE-2019-20095
CVE-2019-20096 CVE-2019-20446 CVE-2019-20503 CVE-2020-1751   CVE-2020-1752
CVE-2020-2732   CVE-2020-3862   CVE-2020-3864   CVE-2020-3865   CVE-2020-3867
CVE-2020-3868   CVE-2020-3898   CVE-2020-3899   CVE-2020-5208   CVE-2020-6805
CVE-2020-6806   CVE-2020-6807   CVE-2020-6811   CVE-2020-6812   CVE-2020-6814
CVE-2020-6819   CVE-2020-6820   CVE-2020-6821   CVE-2020-6822   CVE-2020-6825
CVE-2020-6827   CVE-2020-6828   CVE-2020-6831   CVE-2020-7053   CVE-2020-7217
CVE-2020-8013   CVE-2020-8428   CVE-2020-8492   CVE-2020-8597   CVE-2020-8647
CVE-2020-8648   CVE-2020-8649   CVE-2020-8834   CVE-2020-8992   CVE-2020-9383
CVE-2020-10018 CVE-2020-10029 CVE-2020-10531 CVE-2020-10942 CVE-2020-11494
CVE-2020-11669 CVE-2020-11793 CVE-2020-12243 CVE-2020-12268 CVE-2020-12387
CVE-2020-12388 CVE-2020-12389 CVE-2020-12392 CVE-2020-12393 CVE-2020-12395

 

 

Note: For more information about any of the Common Vulnerabilities and Exposures (CVEs) mentioned here, consult the National Vulnerability Database (NVD) at http://nvd.nist.gov/home.cfm. To search for a CVE, use the database's search utility at http://web.nvd.nist.gov/view/vuln/search.

Recommendation:

The Appliance Updater tool's May 2020 releases will resolve these issues and ensure that the embedded OS components are kept current with security updates and patches.

 

RSA recommends that all appliance customers who are on SUSE Linux Enterprise Server 11 SP3/SP4 or 12 SP3/SP4 run the Appliance Updater, as the latest patches will be applied to the current installation.

 

This Appliance Updater supports the RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance, or RSA IMG products which use an RSA supplied SUSE Linux Enterprise Server 12 SP3/SP4 or SUSE Linux Enterprise Server 11 SP3/SP4 operating system.

 

Customers can obtain the documentation and software by downloading them from the Downloads area in the RSA Identity Governance and Lifecycle space on RSA Link.

• RSA Identity Governance and Lifecycle: RSA Identity Governance and Lifecycle Appliance Updater
• RSA Via L&G: RSA Via Lifecycle and Governance Appliance Updater
• RSA IMG: RSA Identity Management and Governance Appliance Updater

Severity Rating: For an explanation of Severity Ratings, refer to Dell’s Vulnerability Disclosure Policy. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.
EOPS Policy: RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
Legal Information:

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Customer Support. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell Technologies, distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information.

 

RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement.

 

In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
