000033272 - Security Vulnerabilities in RSA Adaptive Authentication on Premise version 7.2 - False Positive

Document created by RSA Customer Support Employee on Jun 14, 2016

Article Content

Article Number: 000033272
Applies To

RSA Product Set: Adaptive Authentication On Premise
RSA Product/Service Type: 7.2

CVE ID: CVE-2015-3253, CVE-2015-7450, CVE-2016-0788, CVE-2015-8103, CVE-2016-0792
Article Summary

On April 20, 2016, a customer reported security vulnerabilities in RSA Adaptive Authentication on Premise version 7.2 because the application might be using the following .jar files:
commons-collections-3*.jar
commons-collections4*.jar
These vulnerabilities have been assigned the following Common Vulnerabilities and Exposures (CVE) IDs:
1. CVE-2015-3253
2. CVE-2015-7450
3. CVE-2016-0788
4. CVE-2015-8103
5. CVE-2016-0792

Alert Impact: Not Exploitable
Technical Details: The flaw exists but it is not exploitable.
Technical Details Explanation: The RSA Adaptive Authentication Engineering team investigated these vulnerabilities and found them to be Not Exploitable.

1. CVE-2015-3253
Description:
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
 
Impact:
MethodClosure.java is NOT USED IN AAOP. Therefore, AAOP is not vulnerable to this.

2. CVE-2015-7450
Description:
Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library.
Impact:
NOT USED IN AAOP. Therefore, AAOP is not vulnerable to this.

3. CVE-2016-0788

Description:

The remoting module in CloudBees Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to execute arbitrary code by opening a JRMP listener.
 
Impact:
NOT USED IN AAOP. Therefore, AAOP is not vulnerable to this.

4. CVE-2015-8103

Description:

The Jenkins CLI subsystem in CloudBees Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary code via a crafted serialized Java object, related to a problematic webapps/ROOT/WEB-INF/lib/commons-collections-*.jar file and the "Groovy variant in 'ysoserial'
 
Impact:
AAOP does not consume CloudBees Jenkins APIs. Therefore, AAOP is not vulnerable to this.

5. CVE-2016-0792

Description:

Multiple unspecified API endpoints in CloudBees Jenkins before 1.650 and LTS before 1.642.2 allow remote authenticated users to execute arbitrary code via serialized data in an XML file, related to XStream and groovy.util.Expando.
 
Impact:
AAOP does not consume CloudBees Jenkins APIs. Therefore, AAOP is not vulnerable to this.
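As an added check that is not part of this RSA article, the scanner below walks a deployment's library directory, flags jars whose names match the patterns in the summary, and reports whether the InvokerTransformer (CVE-2015-7450) or Groovy MethodClosure (CVE-2015-3253) class entries are actually present inside any jar, which is the question behind the "NOT USED IN AAOP" findings above. The class paths are those of the public Apache Commons Collections and Groovy artifacts; the sample tree it scans is constructed in a temporary directory with placeholder class bytes.

```python
import fnmatch
import os
import tempfile
import zipfile

# Jar name patterns quoted in the advisory, and the class entries the listed CVEs revolve around.
JAR_PATTERNS = ("commons-collections-3*.jar", "commons-collections4*.jar")
GADGET_CLASSES = {
    "org/apache/commons/collections/functors/InvokerTransformer.class": "CVE-2015-7450",
    "org/apache/commons/collections4/functors/InvokerTransformer.class": "CVE-2015-7450",
    "org/codehaus/groovy/runtime/MethodClosure.class": "CVE-2015-3253",
}

def scan_jar(path):
    """Return {entry: cve} for every gadget class present in one jar."""
    try:
        with zipfile.ZipFile(path) as jar:
            names = set(jar.namelist())
    except (zipfile.BadZipFile, OSError):
        return {}  # unreadable or not a zip archive, nothing to report
    return {e: cve for e, cve in GADGET_CLASSES.items() if e in names}

def scan_tree(root):
    """Report jars under root that match an advisory name pattern or contain a gadget class."""
    findings = []  # (path, matched_by_name, {entry: cve})
    for dirpath, _, files in os.walk(root):
        for name in (f for f in files if f.endswith(".jar")):
            path = os.path.join(dirpath, name)
            by_name = any(fnmatch.fnmatch(name, p) for p in JAR_PATTERNS)
            classes = scan_jar(path)
            if by_name or classes:
                findings.append((path, by_name, classes))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample: a commons-collections 3.x jar carrying the InvokerTransformer
    entry (placeholder bytes, not the real class) plus an unrelated, clean jar."""
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    with zipfile.ZipFile(os.path.join(lib, "commons-collections-3.2.1.jar"), "w") as z:
        z.writestr("org/apache/commons/collections/functors/InvokerTransformer.class", b"")
    with zipfile.ZipFile(os.path.join(lib, "harmless-1.0.jar"), "w") as z:
        z.writestr("com/example/Harmless.class", b"")
    return lib

def demo():
    """Scan the constructed sample; return (jar name, matched_by_name, CVEs) per finding."""
    with tempfile.TemporaryDirectory() as tmp:
        return [(os.path.basename(p), by_name, sorted(c.values()))
                for p, by_name, c in scan_tree(build_sample_tree(tmp))]
```

Point `scan_tree()` at the real library directory to get the same report for an installed instance; a jar reported by name but with an empty class map is present on disk without the gadget classes, and a jar reported only by class content ships them under a name the advisory's patterns do not cover.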
Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, EMC Corporation, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
