Summary
The following RSA Authentication Manager packages contain critical updates for a security vulnerability in the third-party component XStream 1.4.6.
- Authentication Manager 8.8 P3 Hotfix 2 and Web-Tier Update or later patches
- Authentication Manager 8.7 SP2 P6 Hotfix 1 and Web-Tier Update or later patches
- Authentication Manager 8.7 SP1 P3 Hotfix 3 and Web-Tier Update or later patches
RSA strongly recommends applying this critical update at the earliest opportunity on the following affected RSA products:
| Affected Products | Hotfix/Update |
| Authentication Manager 8.8 | Authentication Manager 8.8 Patch 3 Hotfix 2 and Web-Tier Update |
| Authentication Manager 8.7 SP2 | Authentication Manager 8.7 SP2 Patch 6 Hotfix 1 and Web-Tier Update |
| Authentication Manager 8.7 SP1 | Authentication Manager 8.7 SP1 Patch 3 Hotfix 3 and Web-Tier Update |
In order to apply this critical update, customers using Authentication Manager versions below AM 8.7 SP1 need to upgrade AM to a higher version and apply the patch/hotfix.
Note: All the hotfixes should be applied on the latest patches only.
For instructions on installing the hotfixes, refer to the following documents:
- Authentication Manager 8.8 Patches and Hotfixes Readme
- Authentication Manager 8.7 SP2 P6 Hotfix 1 Readme
- Authentication Manager 8.7 SP1 P3 Hotfix 3 Readme
CVEs Resolved in AM 8.8 Patch 3 Hotfix 2, AM 8.7 SP2 Patch 6 Hotfix 1, and AM 8.7 SP1 Patch 3 Hotfix 3
CVE-2013-7285, CVE-2021-21342, CVE-2021-21345, CVE-2021-21346, CVE-2021-21347, CVE-2021-21350, CVE-2021-21351
Details
Third-party components are updated for the following vulnerabilities:
| Third-party components | Vulnerability ID | Severity (CVSS v3.x – NVD) | CVSS v3.x Vector (NVD) | CWE ID and Name |
| XStream 1.4.6 | CVE-2013-7285 | 9.8 – Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CVE-2021-21342 | 9.1 – Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
CWE-918 Server-Side Request Forgery (SSRF) CWE-502 Deserialization of Untrusted Data | |
| CVE-2021-21345 | 9.9 – Critical | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') CWE-94 Improper Control of Generation of Code ('Code Injection') CWE-502 Deserialization of Untrusted Data | |
| CVE-2021-21346 | 9.8 – Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CWE-434 Unrestricted Upload of File with Dangerous Type CWE-502 Deserialization of Untrusted Data | |
| CVE-2021-21347 | 9.8 – Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
| CVE-2021-21350 | 9.8 – Critical | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | ||
| CVE-2021-21351 | 9.1 – Critical | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
Severity Rating
For an explanation of Severity Ratings, refer to the RSA Vulnerability Disclosure Policy. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.
See NVD (http://nvd.nist.gov/) for individual scores for each CVE.
EOPS Policy
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
Legal Information
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Technical Support. RSA Security LLC and its affiliates, including without limitation, distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information.
RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement.
In no event shall RSA, its affiliates, or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates, or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Related Articles
RSA Announces Critical Security Updates for RSA ID Plus Components - RSA Authentication Manager and RSA Identity Router Number of Views RSA Authentication Manager Patch Updates Number of Views RSA-2025-07: RSA Authentication Manager Security Update for Third-Party Component Vulnerabilities Number of Views RSA Announces RSA Authentication Manager 8.8 Patch 2 and Updated Web-Tier Server Number of Views RSA Announces RSA Authentication Manager 8.8 Patch 1 and Updated Web-Tier Server Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide RSA Authentication Manager 8.9 Release Notes (January 2026) How to install the jTDS JDBC driver on WildFly for use with Data Collections in RSA Identity Governance & Lifecycle RSA Authentication Manager 8.8 Setup and Configuration Guide Artifacts to gather in RSA Identity Governance & Lifecycle
