SecurID^® Discussions

Hi @EricaChalfin,

Thank you, yes.  The vulnerability detected in the environment references three of those four in the Oracle link you've helpfully provided.

• CVE-2023-21830
• CVE-2023-21835
• CVE-2023-21843

Curious as to whether these would, by chance, be excepted for RSA AM 8.7 P3 based on this line in the description?

This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

If not, yes, any other information you can provide would be great, thank you.

Hi @EricaChalfin 

Adding a new reply to this thread instead of creating new, since the topic is the same.

Each time Oracle releases a new version of Java SE, our vulnerability scanners report our RSA servers as non-compliant, saying to update the version of Java to the current iteration.

When last discussed, RSA's response to the previous Java related CVEs was that that they are not exploitable on Authentication Manager servers.

Will this always be true for RSA AM servers for Java related CVEs due to the way Java is implemented for RSA AM Servers?  Or should confirm with RSA that this is not exploitable each time Oracle releases an update?

I believe we are only to apply RSA-released updates, never a separate Java package, nor anything else, is this correct?

This is for purpose of internal accounting for discovered vulnerabilities.

Because Authentication Manager uses Oracle WebLogic as a framework with Authentication Manager components as applications in that framework, there are situations where:

1. The vulnerability is within a component of Oracle WebLogic that RSA does not deploy;  e. g., the Oracle Console (all interaction is through the RSA consoles Admin API, which can be protected with 2FA). A key point here is that certain vulnerability findings will appear to be not exploitable because the necessary component for the exploit is not used by Authentication Manager.
2. There are also other configuration considerations where RSA can say that in order to exploit a particular vulnerability on an Authentication Manager appliance, it would require an interface in WebLogic (independent of Authentication Manager) which passed specific data (e. g. JSON) directly to Oracle WebLogic and was available to attackers. As Authentication Manager is deployed, this required extra-Authentication Manager interface does not exist, however this still means that RSA cannot say definitively that "the flaw exists but cannot be exploited."

A prime example is Oracle Java SE findings. Sometimes the response from RSA will be the CVEs are not exploitable, other times customers will need to update to an Authentication Manager patch that remedies the Java vulnerability. The general principal here is that client-side issues, e.g. sandboxed Java Web Start applications or sandboxed applets, that load and run untrusted code (e. g., code that comes from the internet) and rely on the Java sandbox for security. Scanners report these findings, but RSA Engineering can say none of these CVEs are exploitable in the Authentication Manager server.

Therefore, there will be situations where RSA will demonstrate that the vulnerability finding is a false-positive for RSA, but RSA Support will provide the details to back up that assertion. In the vulnerability risk management realm, that is a significant feature.