000021649 - Buffer overflow security issue in RSA ACE/Agent 5.2 for Web

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000021649
Applies To: RSA ACE/Agent 5.2 for Web
Microsoft Windows Server 2003
Issue: Buffer overflow security issue in RSA ACE/Agent 5.2 for Web
Cause: RSA ACE/Agent 5.2 for Web allows organizations to customize their deployment with custom graphics and HTML while still keeping the initial functionality of the application. It was found that there are flaws in the way that the RSA ACE/Agent 5.2 for Web ISAPI extension parses requests for template components, such that one of the following could be forced by a malicious user:

- Return encoded error messages containing components of the input

- Return subsets of already printed error messages or HTML in the output

- Replay input back through the template parser to allow the external user to manipulate the parsing process

- Abort the connection abruptly
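The flaws above are described only by their effects; the agent's actual parser and template syntax are not part of this article. As an added illustration (not RSA code and not derived from the agent), the following C function shows the defensive properties a template expander in an ISAPI-style extension needs in order to rule out each of the four outcomes: every write is bounds-checked against the caller's buffer (no overflow), request-derived values are HTML-escaped before being copied (no raw input in error output), substituted values are never re-scanned for placeholder syntax (no replay through the parser), and an unknown or unterminated placeholder fails the whole expansion instead of echoing template text or earlier output. The `{{NAME}}` placeholder syntax, the variable table and the sample template are assumptions made for this example.

```c
/*
 * Illustrative single-pass template expander (added example, not RSA code).
 * Placeholders of the form {{NAME}} are replaced from a fixed table of values.
 * Values flagged as untrusted (taken from the request) are HTML-escaped and,
 * like all values, are never re-scanned for placeholders.  Every write is
 * bounds-checked against the caller's buffer.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct tpl_var {
    const char *name;
    const char *value;
    int untrusted;          /* nonzero: value came from the request */
};

/* Append len bytes of src to out[*pos..cap-1); return 0 if they do not fit. */
static int append(char *out, size_t cap, size_t *pos, const char *src, size_t len)
{
    if (len > cap - 1 - *pos)
        return 0;
    memcpy(out + *pos, src, len);
    *pos += len;
    return 1;
}

/* Append one byte, escaping the characters that can break out of HTML text. */
static int append_escaped(char *out, size_t cap, size_t *pos, char c)
{
    switch (c) {
    case '<':  return append(out, cap, pos, "&lt;", 4);
    case '>':  return append(out, cap, pos, "&gt;", 4);
    case '&':  return append(out, cap, pos, "&amp;", 5);
    case '"':  return append(out, cap, pos, "&quot;", 6);
    case '\'': return append(out, cap, pos, "&#39;", 5);
    default:   return append(out, cap, pos, &c, 1);
    }
}

/*
 * Expand tpl into out (capacity cap).  Returns the number of bytes written
 * (excluding the NUL) or -1 if the result would not fit, a placeholder is
 * unterminated, or a placeholder name is unknown.  Failing closed means no
 * fragment of the template or of earlier output is ever emitted by mistake.
 */
int expand_template(const char *tpl, const struct tpl_var *vars, size_t nvars,
                    char *out, size_t cap)
{
    size_t pos = 0;
    if (cap == 0) return -1;

    while (*tpl) {
        if (tpl[0] == '{' && tpl[1] == '{') {
            const char *start = tpl + 2;
            const char *end = strstr(start, "}}");
            if (!end) return -1;                       /* unterminated placeholder */
            size_t nlen = (size_t)(end - start);
            const struct tpl_var *v = NULL;
            for (size_t i = 0; i < nvars; i++) {
                if (strlen(vars[i].name) == nlen && memcmp(vars[i].name, start, nlen) == 0) {
                    v = &vars[i];
                    break;
                }
            }
            if (!v) return -1;                         /* unknown placeholder: refuse */
            /* The value is copied byte by byte and never scanned for "{{", so
               placeholder syntax inside a value is inert text, not a directive. */
            for (const char *p = v->value; *p; p++) {
                int ok = v->untrusted ? append_escaped(out, cap, &pos, *p)
                                      : append(out, cap, &pos, p, 1);
                if (!ok) return -1;
            }
            tpl = end + 2;
        } else {
            if (!append(out, cap, &pos, tpl, 1)) return -1;
            tpl++;
        }
    }
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    /* Constructed sample: an error-page template, an attacker-controlled user
       name containing markup and placeholder syntax, and a server-side host. */
    const char *tpl = "<p>Login failed for {{USER}} on {{HOST}}.</p>";
    struct tpl_var vars[] = {
        { "USER", "<b>{{HOST}}</b>", 1 },
        { "HOST", "webagent01",      0 },
    };
    char out[256], small[16];
    int n = expand_template(tpl, vars, 2, out, sizeof out);
    printf("%d: %s\n", n, n >= 0 ? out : "(error)");
    printf("%d\n", expand_template(tpl, vars, 2, small, sizeof small)); /* -1: would not fit */
    return 0;
}
```

The user-supplied value comes out as `&lt;b&gt;{{HOST}}&lt;/b&gt;` rather than as a second substitution or live markup, and a buffer too small for the page yields an error instead of a partial or overrun write. Rejecting unknown placeholders is deliberate: echoing the placeholder text would itself be a way for fragments of the template to appear in the response.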
Resolution: These concerns have been addressed in RSA ACE/Agent 5.3 for Web, available for download from http://www.rsasecurity.com/node.asp?id=2807. In circumstances where the version cannot be changed, a maintenance release of RSA ACE/Agent 5.2 for Web is available from RSA Security Customer Support with a reference of tst00042376.
NOTE: This maintenance release is a complete reissue of RSA ACE/Agent 5.2 for Web, and is not just replacement files. Therefore, a complete update to 5.3 is preferable.
Legacy Article ID: a24199