Action Needed March 3, 2023: Identity Router (IDR) Patch Update
RSA identified an issue with the patch update that impacted a small subset of our customers who use IDR RADIUS.
- This issue impacted customers who use IDR RADIUS in conjunction with self-signed certificates and who do not have IDR SSO enabled.
- Customers who do not meet all these criteria were not impacted.
In an abundance of caution, we temporarily halted availability of the patch update earlier this week. We are making an updated version of the patch available today, Friday, March 3rd, 2023. The Default Upgrade Date remains March 4th, 2023, although you may optionally override this for your own environment. If you have already applied the patch, you do not need to take any further action.
IDRs updated to this new patch will have version 220.127.116.11.8 on the Cloud Admin Console Identity Router page. The current full IDR image has also been updated.
The full image file is numbered differently but it contains the same patch update: RSA_Identity_Router-18.104.22.168.16. New IDRs installed and running from that current image will also have version v22.214.171.124.8 on the Identity Router page.
Best practices for all IDR Customers:
- RSA recommends deploying multiple IDRs in a cluster to avoid downtime during upgrades.
- If you have only one IDR, there will be a short outage as a reboot is required. Please schedule your update accordingly.
- If you have more than one IDR, each IDR will update individually. Your users should not experience any downtime.
- RSA recommends testing upgrades in your staging or other non-production environment.
- If possible, please test IDR upgrades in your staging environment prior to the default upgrade date.
- This provides additional safeguards so that, should any unforeseen issues arise, you will be able to override the default upgrade date to allow time for additional testing and remediation.
RSA has become aware of two vulnerabilities in ClamAV, which is an installed, third-party component of RSA Authentication Manager and RSA Identity Router. These issues were reported as vulnerabilities CVE-2023-20032 and CVE-2023-20052.
The following components are affected by CVE-2023-20032 and CVE-2023-20052:
- RSA Authentication Manager
- RSA Identity Router
Usage and Risks
Both Authentication Manager and the Identity Router run the SuSE Enterprise Linux Server Operating System and include the ClamAV packages tested and provided by SuSE.
- ClamAV is pre-installed as a convenience, but it is not configured or enabled by default and is not a required component of Authentication Manager. However, some customers may have chosen to enable and configure ClamAV.
- Non-FedRAMP customers: ClamAV is configured to run weekly scans of the file system.
- FedRAMP customers: The ClamAV daemon is enabled and running. File system scans are run at the discretion of the administrator.
- RSA Customer Support has instructions on manually updating ClamAV packages prior to installing the next patch.
- RSA will include the updated ClamAV packages in RSA Authentication Manager 8.7 Patch 3.
- The updated ClamAV package is now available from SuSE. RSA has updated the Identity Router with this new fix. To update the Identity Router, you may select a date between now and March 18, 2023 on which to apply it. If you do not select a date, the Identity Router will auto-update on March 4, 2023.
The following components are not currently known to be affected by these vulnerabilities:
- RSA Governance & Lifecycle
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Customer Support. RSA Security LLC and its affiliates distribute RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products.
RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement.
In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.