000036658 - Apache Struts 2 Remote Code Execution Vulnerability (CVE-2018-11776): Impact on RSA products

Document created by RSA Customer Support Employee on Aug 24, 2018Last modified by RSA Customer Support Employee on Nov 1, 2018
Version 5Show Document
  • View in full screen mode

Article Content

Article Number000036658
CVE IDCVE-2018-11776
Article SummaryOn August 22, 2018, Apache Software Foundation disclosed a vulnerability in Apache Struts 2 that could allow an attacker to execute arbitrary commands remotely on affected systems. For more information on this vulnerability, please review the Apache security advisory (S2-057).
Link to Advisories
ResolutionRSA is aware of and investigating the impact of this vulnerability on our products. The following table contains the latest available impact information. The table will be updated as additional information becomes available.
 
RSA Product NameVersionsImpact StatusDetailsLast Updated
RSA 3D Secure/Adaptive Authentication eCommerceAll SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA Access Manager6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4Not ImpactedProduct uses Apache Struts but not impacted by this issue.2018-08-30
RSA Adaptive Authentication CloudAll SupportedNot Impacted 2018-08-24
RSA Adaptive Authentication HostedAll SupportedNot ImpactedProduct does not use Apache Struts.2018-08-28
RSA Adaptive Authentication On-Prem7.xNot ImpactedProduct does not use impacted version of Apache Struts.2018-08-28
RSA Archer HostedN/ANot Impacted 2018-08-24
RSA Archer PlatformAll SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA Archer Security Operations Management (SecOps)All SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA Archer Vulnerability & Risk Manager (VRM)All SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA Authentication Client (RAC)All SupportedInvestigating 2018-08-24
RSA Authentication ManagerAll SupportedNot Impacted 2018-08-24
RSA Authentication Manager Web TierAll SupportedNot Impacted 2018-08-27
RSA BSAFE C Products: MES, Crypto-C ME, SSL-CAll SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA BSAFE Java Products: Cert-J, Crypto-J, SSL-JAll SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA CentralAll SupportedNot ImpactedProduct does not use Apache Struts.2018-10-25
RSA Data Loss PreventionAll SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA Data Protection ManagerAll SupportedNot Impacted 2018-08-31
RSA DCS: RSA Certificate ManagerAll SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA DCS: RSA Validation ManagerAll SupportedNot ImpactedProduct does not use impacted version of Apache Struts.2018-08-27
RSA eFraudNetwork (eFN)All SupportedNot Impacted 2018-08-24
RSA Federated Identity ManagerAll SupportedNot ImpactedProduct does not use impacted version of Apache Struts.2018-08-27
RSA FraudAction (OTMS)All SupportedNot Impacted 2018-08-24
RSA Identity Governance and Lifecycle Software
   (RSA Via Lifecycle and Governance Software, RSA Identity Management & Governance Software)
All SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA Identity Governance and Lifecycle Appliance
   (RSA Via Lifecycle and Governance Appliance, RSA Identity Management & Governance Appliance)
All SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA Identity Governance and Lifecycle SaaS / MyAccessLive
   (RSA Via Lifecycle and Governance SaaS / MyAccessLive)
All SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA Identity Governance and Lifecycle Virtual ApplicationAll SupportedNot ImpactedProduct does not use Apache Struts.2018-08-29
RSA NetWitness Endpoint (ECAT)All SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA NetWitness Logs & Packets / Security Analytics
   (Hardware and Virtual Appliances)
All SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA NetWitness Live InfrastructureAll SupportedNot ImpactedProduct does not use Apache Struts.2018-08-24
RSA SecurID Access Cloud ServiceAll SupportedNot Impacted 2018-08-24
RSA SecurID Access IDR VMAll SupportedNot Impacted 2018-08-24
RSA SecurID Agent for PAMAll SupportedNot Impacted 2018-08-24
RSA SecurID Agent for WebAll SupportedNot Impacted 2018-08-24
RSA SecurID Agent for WindowsAll SupportedNot Impacted 2018-08-24
RSA SecurID Authenticate App for AndroidAll SupportedInvestigating 2018-08-24
RSA SecurID Authenticate App for iOSAll SupportedInvestigating 2018-08-24
RSA SecurID Authenticate App for Windows 10All SupportedInvestigating 2018-08-24
RSA SecurID Authentication EngineAll SupportedNot Impacted 2018-08-24
RSA SecurID Authentication SDKAll SupportedNot Impacted 2018-08-24
RSA SecurID Software Token ConverterAll SupportedNot Impacted 2018-08-24
RSA SecurID Software Token for AndroidAll SupportedNot Impacted 2018-08-24
RSA SecurID Software Token for BlackberryAll SupportedNot Impacted 2018-08-24
RSA SecurID Software Token for DesktopAll SupportedNot Impacted 2018-08-24
RSA SecurID Software Token for iPhoneAll SupportedNot Impacted 2018-08-24
RSA SecurID Software Token for Windows MobileAll SupportedNot Impacted 2018-08-24
RSA SecurID Software Token ToolbarAll SupportedNot Impacted 2018-08-24
RSA SecurID Software Token Web SDKAll SupportedNot Impacted 2018-08-24
RSA SecurID Transaction Signing SDKAll SupportedNot Impacted 2018-08-24
RSA SYNCurrent Hosted EnvironmentNot ImpactedProduct does not use Apache Struts.2018-11-01
RSA Web Threat DetectionAll SupportedNot ImpactedProduct does not use Apache Struts2018-08-24

 

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell EMC, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Attachments

    Outcomes