SecurID^® Discussions

msg9 · ‎2023-03-28

Hello all,

is there an expected date for the next AM 8.7 patch that will address vulns in Java .351?

Are there any instructions available for remediation/workaround in the meantime?
Current remediation requires .361 or greater.

I did see some CVEs address in the article below
RSA-2023-03: RSA Authentication Manager Security Update for Third-Party Component Vulnerabilities
https://community.rsa.com/t5/securid-product-advisories/rsa-2023-03-rsa-authentication-manager-security-update-for-third/ta-p/696309

EricaChalfin · ‎2023-04-04

@msg9,

Our response to CVE-2023-21830, CVE-2023-21835 and CVE-2023-21843 is that they are not exploitable on Authentication Manager servers.

Best regards,
Erica

View solution in original post

EricaChalfin · ‎2023-05-26

Because Authentication Manager uses Oracle WebLogic as a framework with Authentication Manager components as applications in that framework, there are situations where:

1. The vulnerability is within a component of Oracle WebLogic that RSA does not deploy; e. g., the Oracle Console (all interaction is through the RSA consoles Admin API, which can be protected with 2FA). A key point here is that certain vulnerability findings will appear to be not exploitable because the necessary component for the exploit is not used by Authentication Manager.
2. There are also other configuration considerations where RSA can say that in order to exploit a particular vulnerability on an Authentication Manager appliance, it would require an interface in WebLogic (independent of Authentication Manager) which passed specific data (e. g. JSON) directly to Oracle WebLogic and was available to attackers. As Authentication Manager is deployed, this required extra-Authentication Manager interface does not exist, however this still means that RSA cannot say definitively that "the flaw exists but cannot be exploited."

A prime example is Oracle Java SE findings. Sometimes the response from RSA will be the CVEs are not exploitable, other times customers will need to update to an Authentication Manager patch that remedies the Java vulnerability. The general principal here is that client-side issues, e.g. sandboxed Java Web Start applications or sandboxed applets, that load and run untrusted code (e. g., code that comes from the internet) and rely on the Java sandbox for security. Scanners report these findings, but RSA Engineering can say none of these CVEs are exploitable in the Authentication Manager server.

Therefore, there will be situations where RSA will demonstrate that the vulnerability finding is a false-positive for RSA, but RSA Support will provide the details to back up that assertion. In the vulnerability risk management realm, that is a significant feature.

Best regards,
Erica

View solution in original post

EricaChalfin · ‎2023-03-29

@msg9,

Please let us know the CVE to which you are referring so I can check on whether the vulnerability is addressed in a current patch or will be in a future release. Here are the four CVEs that were announced by Oracle as addressed in the January 2023 release.

Best regards,
Erica

msg9 · ‎2023-03-31

Hi @EricaChalfin,

Thank you, yes. The vulnerability detected in the environment references three of those four in the Oracle link you've helpfully provided.

CVE-2023-21830
CVE-2023-21835
CVE-2023-21843

Curious as to whether these would, by chance, be excepted for RSA AM 8.7 P3 based on this line in the description?

This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator).

If not, yes, any other information you can provide would be great, thank you.

EricaChalfin · ‎2023-04-04

@msg9,

Our response to CVE-2023-21830, CVE-2023-21835 and CVE-2023-21843 is that they are not exploitable on Authentication Manager servers.

Best regards,
Erica

msg9 · ‎2023-04-04

@EricaChalfin

Great, thank you!

msg9 · ‎2023-05-25

Hi @EricaChalfin

Adding a new reply to this thread instead of creating new, since the topic is the same.

Each time Oracle releases a new version of Java SE, our vulnerability scanners report our RSA servers as non-compliant, saying to update the version of Java to the current iteration.

When last discussed, RSA's response to the previous Java related CVEs was that that they are not exploitable on Authentication Manager servers.

Will this always be true for RSA AM servers for Java related CVEs due to the way Java is implemented for RSA AM Servers? Or should confirm with RSA that this is not exploitable each time Oracle releases an update?

I believe we are only to apply RSA-released updates, never a separate Java package, nor anything else, is this correct?

This is for purpose of internal accounting for discovered vulnerabilities.

EricaChalfin · ‎2023-05-26

Because Authentication Manager uses Oracle WebLogic as a framework with Authentication Manager components as applications in that framework, there are situations where:

1. The vulnerability is within a component of Oracle WebLogic that RSA does not deploy; e. g., the Oracle Console (all interaction is through the RSA consoles Admin API, which can be protected with 2FA). A key point here is that certain vulnerability findings will appear to be not exploitable because the necessary component for the exploit is not used by Authentication Manager.
2. There are also other configuration considerations where RSA can say that in order to exploit a particular vulnerability on an Authentication Manager appliance, it would require an interface in WebLogic (independent of Authentication Manager) which passed specific data (e. g. JSON) directly to Oracle WebLogic and was available to attackers. As Authentication Manager is deployed, this required extra-Authentication Manager interface does not exist, however this still means that RSA cannot say definitively that "the flaw exists but cannot be exploited."

A prime example is Oracle Java SE findings. Sometimes the response from RSA will be the CVEs are not exploitable, other times customers will need to update to an Authentication Manager patch that remedies the Java vulnerability. The general principal here is that client-side issues, e.g. sandboxed Java Web Start applications or sandboxed applets, that load and run untrusted code (e. g., code that comes from the internet) and rely on the Java sandbox for security. Scanners report these findings, but RSA Engineering can say none of these CVEs are exploitable in the Authentication Manager server.

Therefore, there will be situations where RSA will demonstrate that the vulnerability finding is a false-positive for RSA, but RSA Support will provide the details to back up that assertion. In the vulnerability risk management realm, that is a significant feature.

Best regards,
Erica

msg9 · ‎2023-05-31

@EricaChalfin - great, thank you for this information. Exactly what we needed. We'll continue to check in, thank you.

SecurID^® Discussions

Authentication Manager 8.7 - P4 Availability To Remediate Java Vuln?

Advisories

SecurID® Discussions

Authentication Manager 8.7 - P4 Availability To Remediate Java Vuln?

Advisories

SecurID^® Discussions