Advisory regarding vulnerabilities reported by Oracle Java CVEs for applications running untrusted code

2 years ago

Article Number

000068151

Applies To

RSA Product Set: SecurID
RSA Product/Service Type: Authentication Manager
RSA Version/Condition: 8.x

Issue

Multiple Oracle Java CVEs indicate vulnerabilities that apply to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

However, a scanner can still detect this vulnerability on RSA Authentication Manager servers, such vulnerabilities are like the Oracle Java SE Multiple Vulnerabilities (January 2023 CPU) Plugin ID: 170161, and this article addresses concerns relating to vulnerabilities with a similar description.

Resolution

Vulnerabilities which include descriptions such as:

This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

The RSA Authentication Manager is a server-side application that loads and runs only trusted code (not code from web applets, web sites, etc). The RSA Authentication Manager is not a client application running untrusted code or relying upon the Java sandbox for security.

Hence any concerns regarding vulnerabilities with the above description are regarded as false positives with RSA Authentication Manager.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles