RSA Authentication Manager 8.7 SP1 False Positive Security Vulnerabilities
Originally Published: 2023-05-09
Article Summary
This article provides a list of security vulnerabilities that cannot be exploited on RSA Authentication Manager 8.7 SP1, but which may be flagged by security scanners.
Alert Impact
Not Exploitable
Resolution
The vulnerabilities listed in the table below are ordered by the date on which RSA Authentication Manager Engineering determined that RSA Authentication Manager 8.7 SP1 is not vulnerable to them.
| Embedded Component | CVE ID | Summary of Vulnerability | Reason why Product is not Vulnerable | Date Determined False Positive |
|---|---|---|---|---|
| spring-web version 3.2.18 | CVE-2018-11039 | Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allows web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack. | RSA Authentication Manager 8.7 SP1 is not vulnerable because the product does not use the HiddenHttpMethodFilter of spring-web version 3.2.18. | 9th May 2023 |
| spring-web version 3.2.18 | CVE-2020-5421 | In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD (Reflected File Download) attacks from CVE-2015-5211 may be bypassed, depending on the browser used, through the use of a jsessionid path parameter. | RSA Authentication Manager 8.7 SP1 is not vulnerable because the product uses CSRF filters and sets a Content-Disposition header in the response, which mitigates this vulnerability. | 9th May 2023 |
| spring-beans version 3.2.18 | CVE-2022-22965 | A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it. | Exploitation of this vulnerability is only possible with JRE 9 and above together with Apache Tomcat 9. RSA Authentication Manager 8.7 SP1 is not vulnerable because the product does not use such a combination of JRE and Tomcat with spring-beans version 3.2.18. | 9th May 2023 |
| spring-beans version 3.2.18 | CVE-2022-22970 | In Spring Framework versions prior to 5.3.20 and 5.2.22, and in older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object. | RSA Authentication Manager 8.7 SP1 is not vulnerable because the product does not use the MultipartFile of spring-beans version 3.2.18. | 9th May 2023 |