Apache Struts 2 Remote Code Execution Vulnerability (CVE-2018-11776): Impact on RSA products

3 years ago

Originally Published: 2018-08-24

Article Number

000067227

CVE Identifier(s)

CVE-2018-11776

Article Summary

On August 22, 2018, Apache Software Foundation disclosed a vulnerability in Apache Struts 2 that could allow an attacker to execute arbitrary commands remotely on affected systems. For more information on this vulnerability, please review the Apache security advisory (S2-057).

Link to Advisories

Apache: https://cwiki.apache.org/confluence/display/WW/S2-057

Resolution

RSA is aware of and investigating the impact of this vulnerability on our products. The following table contains the latest available impact information. The table will be updated as additional information becomes available.

RSA Product Name	Versions	Impact Status	Details	Last Updated
RSA 3D Secure/Adaptive Authentication eCommerce	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA Access Manager	6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4	Not Impacted	Product uses Apache Struts but not impacted by this issue.	2018-08-30
RSA Adaptive Authentication Cloud	All Supported	Not Impacted		2018-08-24
RSA Adaptive Authentication Hosted	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-28
RSA Adaptive Authentication On-Prem	7.x	Not Impacted	Product does not use impacted version of Apache Struts.	2018-08-28
RSA Archer Hosted	N/A	Not Impacted		2018-08-24
RSA Archer Platform	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA Archer Security Operations Management (SecOps)	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA Archer Vulnerability & Risk Manager (VRM)	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA Authentication Client (RAC)	All Supported	Investigating		2018-08-24
RSA Authentication Manager	All Supported	Not Impacted		2018-08-24
RSA Authentication Manager Web Tier	All Supported	Not Impacted		2018-08-27
RSA BSAFE C Products: MES, Crypto-C ME, SSL-C	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA BSAFE Java Products: Cert-J, Crypto-J, SSL-J	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA Central	All Supported	Not Impacted	Product does not use Apache Struts.	2018-10-25
RSA Data Loss Prevention	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA Data Protection Manager	All Supported	Not Impacted		2018-08-31
RSA DCS: RSA Certificate Manager	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA DCS: RSA Validation Manager	All Supported	Not Impacted	Product does not use impacted version of Apache Struts.	2018-08-27
RSA eFraudNetwork (eFN)	All Supported	Not Impacted		2018-08-24
RSA Federated Identity Manager	All Supported	Not Impacted	Product does not use impacted version of Apache Struts.	2018-08-27
RSA FraudAction (OTMS)	All Supported	Not Impacted		2018-08-24
RSA Identity Governance and Lifecycle Software (RSA Via Lifecycle and Governance Software, RSA Identity Management & Governance Software)	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA Identity Governance and Lifecycle Appliance (RSA Via Lifecycle and Governance Appliance, RSA Identity Management & Governance Appliance)	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA Identity Governance and Lifecycle SaaS / MyAccessLive (RSA Via Lifecycle and Governance SaaS / MyAccessLive)	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA Identity Governance and Lifecycle Virtual Application	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-29
RSA NetWitness Endpoint (ECAT)	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA NetWitness Logs & Packets / Security Analytics (Hardware and Virtual Appliances)	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA NetWitness Live Infrastructure	All Supported	Not Impacted	Product does not use Apache Struts.	2018-08-24
RSA SecurID Access Cloud Service	All Supported	Not Impacted		2018-08-24
RSA SecurID Access IDR VM	All Supported	Not Impacted		2018-08-24
RSA SecurID Agent for PAM	All Supported	Not Impacted		2018-08-24
RSA SecurID Agent for Web	All Supported	Not Impacted		2018-08-24
RSA SecurID Agent for Windows	All Supported	Not Impacted		2018-08-24
RSA SecurID Authenticate App for Android	All Supported	Investigating		2018-08-24
RSA SecurID Authenticate App for iOS	All Supported	Investigating		2018-08-24
RSA SecurID Authenticate App for Windows 10	All Supported	Investigating		2018-08-24
RSA SecurID Authentication Engine	All Supported	Not Impacted		2018-08-24
RSA SecurID Authentication SDK	All Supported	Not Impacted		2018-08-24
RSA SecurID Software Token Converter	All Supported	Not Impacted		2018-08-24
RSA SecurID Software Token for Android	All Supported	Not Impacted		2018-08-24
RSA SecurID Software Token for Blackberry	All Supported	Not Impacted		2018-08-24
RSA SecurID Software Token for Desktop	All Supported	Not Impacted		2018-08-24
RSA SecurID Software Token for iPhone	All Supported	Not Impacted		2018-08-24
RSA SecurID Software Token for Windows Mobile	All Supported	Not Impacted		2018-08-24
RSA SecurID Software Token Toolbar	All Supported	Not Impacted		2018-08-24
RSA SecurID Software Token Web SDK	All Supported	Not Impacted		2018-08-24
RSA SecurID Transaction Signing SDK	All Supported	Not Impacted		2018-08-24
RSA SYN	Current Hosted Environment	Not Impacted	Product does not use Apache Struts.	2018-11-01
RSA Web Threat Detection	All Supported	Not Impacted	Product does not use Apache Struts	2018-08-24

Disclaimer

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell EMC, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Don't see what you're looking for?

Potential Impact from Salesforce Device Activation Change

Related Articles

Trending Articles