RSA Product Set: RSA Access Manager
Component Affected: Access Manager Self Service Web Application (axm-selfservice-gui.war)
|Article Summary||The vulnerability, CVE-2017-5638, permits unauthenticated Remote Code Execution (RCE) via a specially crafted Content-Type value in an HTTP request. An attacker can create an invalid value for Content-Type which will cause software to throw an exception (essentially XOR DDoS family).|
|Link to Advisories|
|Alert Impact||Remedy in Progress|
|Technical Details||The RSA product embeds the vulnerable code/component. RSA is working on a solution to address the issue and will provide regular status updates.|
|Technical Details Explanation||Only 6.2 SP4 has a remedy available (Hotfix 6.2.4.04), waiting on the remedy for the other affected versions.|
|Resolution||For RSA Access Manager version 6.2sp4: A Hotfix has been released that upgrades the Apache Struts component and dependencies to versions not affected by the vulnerability. Contact RSA Customer Support to obtain the latest patch.|
For 6.2 SP4, obtain and apply Hotfix 6.2.4.04.
For all other versions of RSA Access Manager (6.2, 6.2 SP1, 6.2 SP2, 6.2 SP3): Hotfixes will be made available after development and testing. Contact RSA Customer support to obtain the latest information regarding these versions. For customers in need of an immediate resolution where a hotfix is not available, a manual workaround can be completed to replace the affected jar(s) and dependencies.
Workaround (where hotfixes are not available):
1. First, upgrade to the latest patch for your service pack that includes the selfservice.war file:
For 6.2, upgrade to 126.96.36.199
For 6.2.1, upgrade to 6.2.1.08
For 6.2.2, upgrade to 6.2.2.05 then 6.2.2.09
For 6.2.3, upgrade to 6.2.3.06
After patching the above versions use the following steps to manually replace the struts jars and dependencies.
2. Undeploy the axm-selfservice-gui-6.2.x.war from existing application server.
3. Download following jars from https://struts.apache.org/download.cgi:
4. Navigate to /axm-selfservice-gui-6.2.x.war/WEB-INF/lib/ and remove following jars:
5. Copy the jars downloaded in step #3 to /axm-selfservice-gui-6.2.x.war/WEB-INF/lib/ and deploy the war.
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, EMC Corporation, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.