SecurID® Discussions
FabienBeche
Contributor

WebLogic on RSA AM SecurID

Dears,

Can you please let me know what WebLogic is used for on RSA AM and the RSA AM Web-Tier?

Can you please also let me know what is the risk if ever vulnerability CVE-2023-21839 is exploited?

What kind of data can be retrieved and/or corrupted?

Thanks

4 Replies
EricaChalfin
Moderator

@FabienBeche

We use Oracle WebLogic Server to create our Authentication Manager web pages.

CVE-2023-21839 is addressed in Authentication Manager 8.7 patch 3.


Best regards,
Erica

@EricaChalfin thanks for your reply.

I know that it is fixed in Patch 3... that's why I am waiting for it to be published back.

Does it mean that it can access almost all RSA AM data?


@FabienBeche.

Some additional information:

CVE-2023-21839 is listed in the Oracle Critical Patch Update Advisory - January 2023, the remediation of which will be included in Authentication Manager 8.7 patch 3. The CVE has a score of 7.5. Our review finds that it is not "proven to be actually exploitable" in Authentication Manager.

The Authentication Manager iteration of the Oracle WebLogic server is not your typical WebLogic server. There is no WebLogic console, all access is through the Authentication Manager Admin API. The vulnerability is caused by the ability to set the remote JNDI name and bind it to an object on the WebLogic server. This can be done using the weblogic.deployment.jms.ForeignOpaqueReference class.

There are zero mentions of the 'weblogic.deployment.jms.ForeignOpaqueReference' class anywhere in our internal support tools. Therefore, Support echoes Engineering's findings, that CVE-2023-21839 is not known to be exploitable in Authentication Manager 8.7 and the risk appears to be low.

We recommend waiting for Authentication Manager 8.7 patch 3 and updating to it. As I am sure you are, we anxiously await it being released.


Best regards,
Erica
FabienBeche
Contributor

Thanks for the additional information, it will be useful.
