This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Announcements

SecurID® Product Advisories

Read and subscribe to the latest announcements and advisories relating to the SecurID product.

RSA Customer Advisory: ClamAV Vulnerability | (CVE-2023-20032 & CVE-2023-20052)

 
Updated on March 6, 2023

CVE Identifier

CVE-2023-20032
CVE-2023-20052

Action Needed March 3, 2023: Identity Router (IDR) Patch Update

RSA identified an issue with the patch update that impacted a small subset of our customers who use IDR RADIUS.

  • This issue impacted customers who use IDR RADIUS in conjunction with self-signed certificates and who do not have IDR SSO enabled.
  • Customers who do not meet all these criteria were not impacted.

In an abundance of caution, we temporarily halted availability of the patch update earlier this week. We are making an updated version of the patch available today Friday, March 3rd, 2023. The Default Upgrade Date remains March 4th, 2023, although you may optionally override this for your own environment. If you have already applied the patch, you do not need to take any further action.

 
Version Alert
IDRs updated to this new patch will have version 12.17.0.0.8 on the Cloud Admin Console Identity Router page. The current full IDR image has also been updated.

The full image file is numbered differently but it contains the same patch update: RSA_Identity_Router-2.17.0.0.16. New IDRs installed and running from that current image will also have version v12.17.0.0.8 on the Identity Router page.


Best practices for all IDR Customers:

  • RSA recommends deploying multiple IDRs in a cluster to avoid downtime during upgrades.
    • If you have only one IDR, there will be a short outage as a reboot is required. Please schedule your update accordingly.
    • If you have more than one IDR, each IDR will update individually. Your users should not experience any downtime.
  • RSA recommends testing upgrades in your staging or other non-production environment.
    • If possible, please test IDR upgrades in your staging environment prior to the default upgrade date.
    • This provides additional safeguards so that, should any unforeseen issues arise, you will be able to override the default upgrade date to allow time for additional testing and remediation.

Summary

RSA has become aware of two vulnerabilities in ClamAV, which is an installed, third-party component of RSA Authentication Manager and RSA Identity Router. These issues were reported as vulnerabilities CVE-2023-20032 and CVE-2023-20052.

Affected Components

The following components are affected by CVE-2023-20032 and CVE-2023-20052:

  • RSA Authentication Manager
  • RSA Identity Router

Usage and Risks

Both Authentication Manager and the Identity Router run the SuSE Enterprise Linux Server Operating System and include the ClamAV packages tested and provided by SuSE.

Authentication Manager

  • ClamAV is pre-installed as a convenience, but not configured or enabled by default and is not a required component of Authentication Manager. However, some may have chosen to enable and configure ClamAV.

Identity Router

  • Non FedRAMP customers: ClamAV is configured to run weekly scans of the file system.
  • FedRAMP customers: The ClamAV daemon is enabled and running. File system scans are run at the discretion of the administrator.

Resolution Plan

Authentication Manager

  • RSA Customer Support has instructions on manually updating ClamAV packages prior to installing the next patch.
  • RSA will include the updated ClamAV packages in RSA Authentication Manager 8.7 Patch 3.

Identity Router

  • The updated ClamAV package is now available from SuSE. RSA has updated the Identity Router with this new fix. To update the Identity Router, you may select a date between now and March 18, 2023 to apply. If you do not select a date, Identity Router will auto-update on March 4, 2023.

Completed Investigation

The following components are not currently known to be affected by these vulnerabilities:

  • RSA Governance & Lifecycle

EOPS Policy

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.

Legal Information

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Customer Support. RSA Security LLC and its affiliates distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information.

RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement.

In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Labels (2)
Tags (1)
Was this article helpful? Yes No
No ratings
Version history
Last update:
‎2023-03-06 03:33 PM
Updated by:
Administrator Administrator
Contributors

Related Content

Article Dashboard
© 2023 RSA Security LLC or its affiliates. All rights reserved.