000034968 - RSA Access Manager Apache Struts Jakarta Remote Code Execution Vulnerability (CVE-2017-5638)

Document created by RSA Link Team Employee on Mar 27, 2017
Version 1

Article Content

Article Number: 000034963
Applies To

RSA Product Set: RSA Access Manager
RSA Version/Condition: All currently supported versions of Access Manager, which include the following:

  • 6.2
  • 6.2 SP1
  • 6.2 SP2
  • 6.2 SP3
  • 6.2 SP4

Component Affected: Access Manager Self Service Web Application (axm-selfservice-gui.war)

CVE ID: CVE-2017-5638
Article Summary: The vulnerability, CVE-2017-5638, permits unauthenticated Remote Code Execution (RCE) via a specially crafted Content-Type value in an HTTP request. When the Jakarta Multipart parser in the embedded Apache Struts 2 component receives an invalid Content-Type value, it throws an exception whose error message includes the attacker-supplied header value; Struts then evaluates that message as an OGNL expression, so an attacker can run arbitrary commands with the privileges of the application server process. No authentication or valid session is required. The flaw was exploited in the wild shortly after public disclosure, including by DDoS malware such as the XOR DDoS family.
 
Link to Advisories
Alert Impact: Remedy in Progress
Technical Details: The RSA product embeds the vulnerable code/component. RSA is working on a solution to address the issue and will provide regular status updates.
Technical Details Explanation: Only 6.2 SP4 has a remedy available (Hotfix 6.2.4.04); remedies for the other affected versions are pending.
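The summary above describes the vector: an OGNL expression sent where a media type belongs in the Content-Type header. The following Python is an added example, not part of the RSA article and not the product's own logging, that flags requests whose Content-Type carries that syntax. It assumes a simple constructed log format (client, method, path, quoted Content-Type value) and constructed sample lines; the /axm-selfservice-gui paths are assumptions. The probe values contain only the expression delimiters and a dummy assignment, not a working payload.

```python
import re
from typing import List, NamedTuple, Optional

# Tokens that never belong in a legitimate Content-Type value.  "%{" and "${"
# open an OGNL expression; the rest are OGNL/Java constructs that only show up
# when someone is trying to get code evaluated.
OGNL_MARKERS = re.compile(
    r"[%$]\{"              # expression delimiters
    r"|#_memberAccess"     # OGNL security-manager bypass
    r"|#context\["         # value-stack context access
    r"|@java\.lang\."      # static Java class references
    r"|\(#\w+\s*="         # OGNL variable assignment, e.g. (#cmd=
)

# RFC 2045 media type: type/subtype, optionally followed by ;parameter=value.
MEDIA_TYPE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+(\s*;.*)?$")


class Finding(NamedTuple):
    line_no: int
    reason: str
    content_type: str


def classify_content_type(value: str) -> Optional[str]:
    """Reason string if the header looks like an exploitation attempt or is
    otherwise not a media type; None for an ordinary Content-Type."""
    v = value.strip()
    if OGNL_MARKERS.search(v):
        return "OGNL expression syntax in Content-Type"
    if not MEDIA_TYPE.match(v):
        # Not an expression, but the multipart parser would still reject it;
        # worth a look even if it turns out to be a broken client.
        return "malformed media type"
    return None


# Assumed log format for this example (not a format the product itself writes):
# one request per line as   <client-ip> <method> <path> "<Content-Type value>"
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) "((?:[^"\\]|\\.)*)"$')


def scan_log(lines) -> List[Finding]:
    findings = []
    for n, line in enumerate(lines, start=1):
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # lines without a quoted Content-Type are skipped
        reason = classify_content_type(m.group(4))
        if reason:
            findings.append(Finding(n, reason, m.group(4)))
    return findings


# Constructed sample lines (not real traffic).  The two probes carry only the
# expression delimiters and a dummy assignment, not a working payload; the
# context path /axm-selfservice-gui is an assumption.
SAMPLE_LOG = [
    '203.0.113.5 POST /axm-selfservice-gui/login.action "application/x-www-form-urlencoded"',
    '203.0.113.6 POST /axm-selfservice-gui/upload.action "multipart/form-data; boundary=----abc123"',
    '198.51.100.9 POST /axm-selfservice-gui/login.action "%{(#_=\'multipart/form-data\').(#probe=1)}"',
    '198.51.100.9 GET /axm-selfservice-gui/login.action "${#probe}"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.reason}: {f.content_type}")
```

Legitimate clients do not send "%{" or "${" in Content-Type, so the first rule has essentially no false positives; the "malformed media type" rule is a triage aid and will also catch broken clients. Feed it a reverse-proxy or WAF log that records request headers: Tomcat's default access-log pattern does not include Content-Type, so the header has to be added to the pattern (for example with %{Content-Type}i) before this check can see it.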
Resolution: For RSA Access Manager 6.2 SP4, a hotfix (6.2.4.04) has been released that upgrades the Apache Struts component and its dependencies to versions not affected by the vulnerability. Contact RSA Customer Support to obtain the latest patch.
For all other versions of RSA Access Manager (6.2, 6.2 SP1, 6.2 SP2, 6.2 SP3), hotfixes will be made available after development and testing. Contact RSA Customer Support for the latest information on these versions. Customers who need an immediate resolution where no hotfix is available can apply the manual workaround below, which replaces the affected jar(s) and their dependencies.
Workaround (where a hotfix is not available):
1. First, upgrade to the latest patch level for your service pack; these patch levels include the self-service WAR (axm-selfservice-gui.war) that the following steps modify:
For 6.2, upgrade to 6.2.0.22
For 6.2 SP1 (6.2.1), upgrade to 6.2.1.08
For 6.2 SP2 (6.2.2), upgrade to 6.2.2.05 and then to 6.2.2.09
For 6.2 SP3 (6.2.3), upgrade to 6.2.3.06

After patching to the above levels, use the following steps to manually replace the Struts jars and their dependencies.
2. Undeploy axm-selfservice-gui-6.2.x.war from the application server.
3. Download the following jars (Struts 2.3.32 and its dependencies) from https://struts.apache.org/download.cgi. Which jars each patch level needs:

    jar                               6.2.3.06   6.2.2.09   6.2.1.08   6.2.0.22
    struts2-core-2.3.32.jar           yes        yes        yes        yes
    struts2-tiles-plugin-2.3.32.jar   yes        yes        yes        yes
    struts2-tiles3-plugin-2.3.32.jar  yes        yes        yes        yes
    commons-lang3-3.2.jar             yes        yes        no (*)     no (*)
    ognl-3.0.19.jar                   yes        yes        yes        yes
    xwork-core-2.3.32.jar             yes        yes        yes        yes

    (*) Not needed: 6.2.0.22 and 6.2.1.08 already ship this jar.

4. Navigate to /axm-selfservice-gui-6.2.x.war/WEB-INF/lib/ and remove the following jars:

    jar                               6.2.3.06   6.2.2.09   6.2.1.08   6.2.0.22
    struts2-core-2.3.29.jar           yes        yes        yes        yes
    struts2-tiles-plugin-2.3.29.jar   yes        yes        yes        yes
    struts2-tiles3-plugin-2.3.29.jar  yes        yes        yes        yes
    commons-lang3-3.1.jar             yes        yes        n/a (*)    n/a (*)
    ognl-3.0.17.jar                   yes        yes        yes        yes
    xwork-core-2.3.29.jar             yes        yes        yes        yes

    (*) Not present: 6.2.0.22 and 6.2.1.08 already ship the upgraded commons-lang3 jar.

5. Copy the jars downloaded in step #3 to /axm-selfservice-gui-6.2.x.war/WEB-INF/lib/ and deploy the war.
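Steps 2 to 5 amount to opening the WAR, dropping the 2.3.29-era jars, adding the 2.3.32 ones and redeploying. The following Python is an added example, not RSA's tooling and not part of this article: it performs the jar swap on the WAR file itself and re-checks the result, while undeploying and redeploying (steps 2 and 5) stay with the application server. It builds a constructed stand-in WAR with empty placeholder jars so it runs offline; on a real system, point check_war and patch_war at the actual axm-selfservice-gui-6.2.x.war and at the directory of jars downloaded in step 3 (the WAR and directory names used here are assumptions). The struts2-core range check uses the upstream affected versions (2.3.5 to 2.3.31 and 2.5 to 2.5.10), which goes beyond the single 2.3.29 version the page lists.

```python
import re, shutil, tempfile, zipfile
from pathlib import Path
from typing import Dict, List, Tuple

# Replacement jars from the Struts 2.3.32 distribution (advisory step 3).
FIXED = {"struts2-core": "2.3.32", "struts2-tiles-plugin": "2.3.32",
         "struts2-tiles3-plugin": "2.3.32", "xwork-core": "2.3.32",
         "ognl": "3.0.19", "commons-lang3": "3.2"}
# Versions the advisory removes (step 4); used here only to build the sample WAR.
SHIPPED = {"struts2-core": "2.3.29", "struts2-tiles-plugin": "2.3.29",
           "struts2-tiles3-plugin": "2.3.29", "xwork-core": "2.3.29",
           "ognl": "3.0.17", "commons-lang3": "3.1"}
# Matches WEB-INF/lib/<artifact>-<version>.jar
JAR_ENTRY = re.compile(r"^WEB-INF/lib/([A-Za-z][A-Za-z0-9_.-]*?)-(\d+(?:\.\d+)*)\.jar$")

def struts_core_vulnerable(version: str) -> bool:
    """Upstream affected range for CVE-2017-5638: 2.3.5-2.3.31 and 2.5-2.5.10."""
    v = tuple(int(p) for p in version.split("."))
    return (2, 3, 5) <= v <= (2, 3, 31) or (2, 5) <= v <= (2, 5, 10)

def inventory(war: Path) -> Dict[str, str]:
    """artifact -> version for every versioned jar under WEB-INF/lib."""
    with zipfile.ZipFile(war) as zf:
        matches = (JAR_ENTRY.match(n) for n in zf.namelist())
        return {m.group(1): m.group(2) for m in matches if m}

def check_war(war: Path) -> List[str]:
    """Findings for a WAR that still needs the workaround; empty means patched."""
    inv = inventory(war)
    if "struts2-core" not in inv:
        return ["no struts2-core jar under WEB-INF/lib; is this the self-service WAR?"]
    findings = []
    if struts_core_vulnerable(inv["struts2-core"]):
        findings.append(f"struts2-core {inv['struts2-core']} is in the affected range")
    for art, want in FIXED.items():
        have = inv.get(art)
        if art != "struts2-core" and have is not None and have != want:
            findings.append(f"{art} {have} present, workaround expects {want}")
    return findings

def patch_war(src: Path, dst: Path, new_jars: Path) -> Tuple[List[str], List[str]]:
    """Copy src to dst, dropping each FIXED artifact's jar that is not at the fixed
    version (step 4) and adding <artifact>-<version>.jar from new_jars for every
    artifact then missing (step 5).  A jar already at the fixed version, e.g.
    commons-lang3-3.2.jar on 6.2.0.22 / 6.2.1.08, is kept and not re-added.
    Returns (removed entries, added entries)."""
    removed, added, present = [], [], set()
    with zipfile.ZipFile(src) as zin, zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zout:
        for item in zin.infolist():
            m = JAR_ENTRY.match(item.filename)
            if m and m.group(1) in FIXED:
                if m.group(2) != FIXED[m.group(1)]:
                    removed.append(item.filename)
                    continue
                present.add(m.group(1))
            zout.writestr(item, zin.read(item.filename))  # everything else is copied as-is
        for art, ver in FIXED.items():
            if art in present:
                continue
            jar = new_jars / f"{art}-{ver}.jar"
            if not jar.is_file():
                raise FileNotFoundError(f"{jar} missing; download it from struts.apache.org")
            zout.write(jar, f"WEB-INF/lib/{jar.name}")
            added.append(f"WEB-INF/lib/{jar.name}")
    return removed, added

def make_sample_war(path: Path, versions: Dict[str, str]) -> Path:
    """Constructed stand-in for axm-selfservice-gui-6.2.x.war: empty placeholder
    jars, so the example runs offline without the real WAR or the Struts download."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/lib/commons-io-2.2.jar", b"")  # unrelated jar; must survive
        for art, ver in versions.items():
            zf.writestr(f"WEB-INF/lib/{art}-{ver}.jar", b"")
    return path

def run_demo() -> Dict[str, object]:
    """Build the sample WAR, check it, patch it with placeholder 2.3.32 jars, re-check."""
    work = Path(tempfile.mkdtemp(prefix="axm-"))
    try:
        war = make_sample_war(work / "axm-selfservice-gui-6.2.3.war", SHIPPED)
        downloads = work / "struts-2.3.32"          # stands in for the step 3 download
        downloads.mkdir()
        for art, ver in FIXED.items():
            (downloads / f"{art}-{ver}.jar").write_bytes(b"")
        patched = work / "axm-selfservice-gui-6.2.3.patched.war"
        before = check_war(war)
        removed, added = patch_war(war, patched, downloads)
        return {"before": before, "removed": removed, "added": added,
                "after": check_war(patched), "inventory": inventory(patched)}
    finally:
        shutil.rmtree(work, ignore_errors=True)

if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Keep the original WAR so the change can be rolled back, and run check_war against the WAR the server actually serves after redeploying. A later product patch that re-ships the WAR would bring the old jars back, so repeat the check after every patch until the hotfix for your version is applied.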
Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, including without limitation its ultimate parent company, EMC Corporation, distribute RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
