|Applies To||RSA Product Set: Web Threat Detection|
RSA Product/Service Type: Mitigator
RSA Version/Condition: 5.1 --> 6.0
|Issue||The package RSA WTD (silvertail) uses several open source packages.|
A customer may detect vulnerabilities in version 5.1x.
The scan may suggest versions certified for RSA WTD 22.214.171.124.
| |RSA WTD version 5.x uses|Required version|
|Nginx|1.0.15-12|1.8.1|
nginx is an HTTP server, reverse proxy, and mail proxy server. nginx is prone to the following security vulnerabilities:
- nginx is prone to a denial-of-service vulnerability caused by an invalid pointer dereference in the resolver. [CVE-2016-0742]
- nginx is prone to a denial-of-service vulnerability caused by a use-after-free in the resolver during CNAME response processing. [CVE-2016-0746]
- nginx is prone to a denial-of-service vulnerability caused by insufficient limits on CNAME resolution in the resolver. [CVE-2016-0747]

Attackers can exploit these issues to cause denial-of-service conditions.
|Resolution||This issue has been submitted as Product Security report PSRC-3552 and Jira ticket WTD-5127.|
From this work, it was determined by the Web Threat Detection core team that the nginx server needs to be replaced with version 1.9.10 or the latest stable release.
The next WTD version, which has a planned release for the end of October 2016, will contain the newer nginx release and the vulnerabilities will be resolved.
|Notes||The WTD R&D team notes:|
- We want to stress that WTD is not customer facing.
- WTD is not deployed on the DMZ or any other areas accessible from outside, i.e. no traffic to/from WTD leaves a safe perimeter.
- It is actually accessed by a few security/threat analysts and the system admin.
- The risk that a malicious user will attack WTD and crash the system is rather low.
- NGINX provides no patches for these issues, but recommends upgrading to version 1.9.10.
- From our point of view, the current situation is not dangerous enough to require immediate action.
- Upgrading to a new nginx version is not appropriate for current WTD 6.0 implementations, as it requires changes in the installation and deployment processes. This may cause unknown side effects.
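
A triage check for the three resolver CVEs listed above, as an added example that is not RSA or nginx code: it reports whether an nginx version predates the fixed releases named on this page (1.8.1 and 1.9.10) and whether the configuration uses the `resolver` directive, which nginx's advisory for these CVEs gives as the condition for being affected. The function names, result strings and sample configuration are constructed for illustration, and the lower bound of the affected version range is not modelled.

```shell
#!/bin/sh
# Added triage example; not RSA or nginx project code.

# Exit 0 if VERSION already carries the resolver fixes: 1.8.1+ on the 1.8
# stable branch, 1.9.10+ on mainline, or any later branch.
nginx_version_fixed() {
    v=${1%%-*}                         # drop a package release suffix ("-12")
    old_ifs=$IFS; IFS=.
    set -- $v                          # split "1.0.15" into 1 0 15
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -lt 1 ] && return 1
    [ "$minor" -ge 10 ] && return 0
    [ "$minor" -eq 9 ] && [ "$patch" -ge 10 ] && return 0
    [ "$minor" -eq 8 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Exit 0 if the nginx configuration on stdin uses the "resolver" directive.
# Comments are stripped first; "resolver_timeout" alone does not match.
config_uses_resolver() {
    sed 's/#.*//' | grep -Eq '(^|[;{}[:space:]])resolver[[:space:]]'
}

# Usage: nginx_resolver_triage VERSION < nginx.conf
nginx_resolver_triage() {
    if nginx_version_fixed "$1"; then
        echo "fixed"
    elif config_uses_resolver; then
        echo "affected-resolver-configured"
    else
        echo "affected-resolver-not-configured"
    fi
}

# Constructed sample configuration (not taken from a WTD installation).
sample_conf='http {
    # resolver 192.0.2.1;
    resolver_timeout 5s;
    server { listen 8080; location / { resolver 192.0.2.53; proxy_pass http://$backend; } }
}'
printf '%s\n' "$sample_conf" | nginx_resolver_triage "1.0.15-12"
```

The check reads a single configuration file from stdin and does not follow `include` directives, so included files need to be passed through it as well.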