SecurID® Discussions
DavidBeitler
Beginner

8.3 - Authentication Manager - Apache Struts

Is there any specific information regarding the most recent service pack, in regard to where the vulnerabilities are? Does this affect the base Authentication Manager, or is it limited to the self-service console or web tier software?

Cannot seem to find any detail on the potential problems with 8.2.

0 Likes
17 Replies
RaymondTang1
Beginner

Following up on this.  We're on 8.2 sp 1 patch 6 and I was planning to upgrade to patch 8 this week.  Now, we got 8.3.  I am hesitant to jump to a whole new version if this vulnerability doesn't affect us.  

0 Likes
MaryFreeman
Beginner

We also have this question - which parts of 8.2 sp1 are affected? Just web tier???

0 Likes
DavidBeitler
Beginner

Since Patch 8 for 8.2 SP1 came out around the same time, and since the release notes for 8.3 say it includes the patches up to patch 7, does Patch 8 fix the same vulnerability?

0 Likes
RaymondTang1
Beginner

Why do we even bother posting on the RSA forum? No one from RSA responds. Time to open a ticket. Yay....ugh.

0 Likes
GabrielPython
Beginner

In the https://community.rsa.com/docs/DOC-60102#February, you can clearly see:

Applying version 8.3 removes any software fixes that are not included in the cumulative Patch 5 for version 8.2 SP1.

 

0 Likes
_EricaChalfin
Employee (Retired)

All,

 

My apologies for the delayed reply. 

 

Please review DSA-2018-026 RSA® Authentication Manager Security Update for Vulnerabilities in Apache Struts, which states "RSA has released RSA Authentication Manager 8.3 that includes an update to resolve multiple security vulnerabilities in the embedded Apache Struts component."

 

  • If your Authentication Manager systems are at 8.2 SP1 patch 6, you will not lose any fixes when you upgrade to 8.3.
  • If you are running 8.2 SP1 patch 7 or 8, you will lose the software fixes in those versions when installing 8.3.

Authentication Manager 8.3 patch 1 will be released in a month or so and will contain the fixes in 8.2 SP1 patch 7 and patch 8.

Regards,

Erica

0 Likes


The fixes in 8.2 SP1 patch 8 are not included in 8.3.  The fixes in 8.2 SP1 patch 8 will be included in 8.3 patch 1.

 

Regards,

Erica

0 Likes
DavidBeitler
Beginner

Ok, the question I was trying to get answered is this. In the document you mentioned, under "affected products", it lists 8.2 Patch 8, which is the latest patch that was released about the same time as 8.3. I would prefer to wait for patch 1 of 8.3 to come out before going there. Will there be a patch for 8.2 that corrects the vulnerability, or will we "have to" go to 8.3?

 

That is all.

0 Likes

RSA Authentication Manager 8.2 SP1 Patch 8 and earlier are impacted by the vulnerability, and RSA Authentication Manager 8.3 and later contain a resolution for these issues, to address DSA-2018-026 (CVE-2016-1181, CVE-2016-1182), resolving multiple security vulnerabilities in the embedded Apache Struts component.

 

You may want to wait for AM 8.3 Patch 1 if you wanted everything from AM 8.2 SP1 P8. Whether you need everything or not is a separate question, but RSA recommends all customers upgrade to RSA Authentication Manager 8.3 at the earliest opportunity.