Does RSA AM 8.5 address Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2020)?
Hi Folks!
While trying to get the RSA AM 8.5 OVA deployed, I'm facing an issue with a vulnerability scan.
Below is what was found:
Oracle WebLogic Server Multiple Vulnerabilities (CPUJUL2020)
CVE-2020-9546, CVE-2018-11058, CVE-2020-14625, CVE-2020-14644, CVE-2020-14645,
CVE-2020-14687, CVE-2017-5645, CVE-2020-14588, CVE-2020-14639, CVE-2020-5398,
CVE-2020-14589, CVE-2020-2967, CVE-2020-14557, CVE-2020-14652, CVE-2020-14572,
CVE-2020-14636, CVE-2020-14637, CVE-2020-14638, CVE-2020-14640, CVE-2020-2966
After reading many articles here, I was NOT able to conclude that the version is protected against this vulnerability (https://community.rsa.com/docs/DOC-114385).
Moreover, the OVA won't be deployed unless a clear answer is provided to the Security Team.
Could someone lend a hand with this?
AM 8.4 Patch 14 includes the Oracle CPUJUL2020, but the AM 8.5 base was code-frozen before CPUJUL2020 could be included; AM 8.5 P1, expected Nov. 16th, will include CPUJUL2020.
Just recently, Oracle released CPUOCT2020, and then on Nov. 1 released a Hot Fix for CPUOCT2020 to address CVE-2020-14750.
RSA Engineering has provided a response for CVE-2020-14882 and CVE-2020-14883 (from the October CPU) and CVE-2020-14750 (from the Nov. 1 Hot Fix): there is no impact from these, and none of the 3 CVEs can be exploited on either Authentication Manager or Web Tier (they affect the WebLogic console, which Authentication Manager does not deploy).
Both the CPUOCT2020 and the Nov. 1 Hot Fix will be included in an RSA Hot Fix for AM 8.4 P14 and AM 8.5 P1 (when it is released). Both will eventually be included in AM 8.5 Patch 2, expected Jan. 2021.
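The mitigating factor the reply relies on (CVE-2020-14882, CVE-2020-14883 and CVE-2020-14750 target the WebLogic administration console, which Authentication Manager does not deploy) is something a security team can verify on the deployed appliance rather than accept on trust. The script below is an added example written for this thread; it is not RSA's code and not part of the original posts. It requests the well-known WebLogic console entry points over HTTPS and classifies the answer as console present, absent, or needing manual review. The hostname, the port, and the sample responses used for the offline demonstration are constructed assumptions, not values from the thread.

```python
"""Check whether a WebLogic administration console is reachable on a host.

Added example for this thread (not RSA's code). Assumptions: the target host
name and port are placeholders; the appliance presents a self-signed
certificate, so certificate validation is disabled for this read-only probe.
"""
import http.client
import ssl
from typing import Dict, Optional

# Well-known WebLogic administration console entry points.
CONSOLE_PATHS = ("/console/", "/console/login/LoginForm.jsp")


def classify_console_response(status: int, body: str,
                              location: Optional[str] = None) -> str:
    """Classify one HTTP response to a console path.

    'present' : console login page served, or a redirect into /console
    'absent'  : 403/404, or a 200/redirect that is not the console
    'unknown' : anything else (5xx, odd codes); review by hand
    """
    if status in (301, 302, 303, 307, 308):
        return "present" if (location and "/console" in location) else "absent"
    if status == 200:
        looks_like_console = ("LoginForm" in body) or (
            "WebLogic Server" in body and "console" in body.lower())
        return "present" if looks_like_console else "absent"
    if status in (403, 404):
        return "absent"
    return "unknown"


def console_deployed(results: Dict[str, str]) -> bool:
    """True if any probed path served the console."""
    return any(v == "present" for v in results.values())


def probe_console(host: str, port: int = 443,
                  timeout: float = 5.0) -> Dict[str, str]:
    """GET each console path over HTTPS and classify the response.

    Network errors are reported as 'unknown' so a firewall drop is not
    mistaken for 'console absent'.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # assumption: self-signed appliance cert
    ctx.verify_mode = ssl.CERT_NONE     # read-only probe, no secrets sent
    results: Dict[str, str] = {}
    for path in CONSOLE_PATHS:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        try:
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            body = resp.read(64 * 1024).decode("utf-8", "replace")
            results[path] = classify_console_response(
                resp.status, body, resp.getheader("Location"))
        except (OSError, http.client.HTTPException):
            results[path] = "unknown"
        finally:
            conn.close()
    return results


# Constructed sample responses (not captured from a real appliance) so the
# classification logic can be exercised offline.
SAMPLE_RESPONSES = {
    "/console/": (404, "<html><body>Not Found</body></html>", None),
    "/console/login/LoginForm.jsp": (404, "<html><body>Not Found</body></html>", None),
}


def demo() -> Dict[str, str]:
    """Classify the constructed samples as probe_console() would."""
    return {path: classify_console_response(*resp)
            for path, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    offline = demo()
    print("offline sample:", offline, "console deployed:", console_deployed(offline))
    # Live check (assumed placeholder host/port; AM listens on its own ports):
    # live = probe_console("am.example.internal", 7004)
    # print(live, "console deployed:", console_deployed(live))
```

Run it against each Authentication Manager and Web Tier listener that the scanner flagged; an 'absent' on every console path is the evidence the Security Team can attach to a risk-acceptance for the console-only CVEs, while an 'unknown' means the probe was blocked or the server errored and the result should not be used as proof either way.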