Article Content
| Article Number | 000035522 |
| Applies To | RSA Product Set: All RSA Products |
| CVE ID | CVE-2017-9805 |
| Article Summary | On September 5, 2017, Apache disclosed a vulnerability in the REST plugin used in Apache Struts2 that could allow an attacker to execute arbitrary commands remotely on the affected systems by sending a specially crafted web request to the application.
The details for this vulnerability can be found at https://struts.apache.org/docs/s2-052.html. |
| Resolution | RSA is aware of and investigating this issue to identify potential product impact. The level of impact may vary depending on the affected product. The following table contains the latest available impact information. This table will be updated as additional information becomes available.
| RSA Product Name | Versions | Impacted? | Details | Last Updated |
|---|
| 3D Secure / Adaptive Authentication eCommerce | All Supported | Not Impacted | Product does not use impacted version of Apache Struts | 2017-09-28 | | Access Manager | All Supported | Not Impacted | | 2017-09-11 | | Adaptive Authentication Cloud | All Supported | Not Impacted | Product does not use impacted version of Apache Struts | 2017-09-13 | | Adaptive Authentication Hosted | All Supported | Not Impacted | Product does not use impacted version of Apache Struts | 2017-09-14 | | Adaptive Authentication On-Prem | 7.x | Not Impacted | Product does not use impacted version of Apache Struts | 2017-09-06 | | Archer Hosted | N/A | Not Impacted | | 2017-09-12 | | Archer Platform | All Supported | Not Impacted | Product does not use Apache Struts. | 2017-09-07 | | Archer SecOps | All Supported | Not Impacted | Product does not use Apache Struts. | 2017-09-07 | | Archer Vulnerability & Risk Manager (VRM) | All Supported | Not Impacted | Product does not use Apache Struts. | 2017-09-07 | | Authentication Manager | 8.1, 8.1SP1, 8.2, 8.2SP1 | Not Impacted | | 2017-09-07 | | Authentication Manager Appliance | 8.1, 8.1SP1, 8.2, 8.2SP1 | Not Impacted | | 2017-09-07 | | BSAFE C Products: MES, Crypto-C ME, SSL-C | All Supported | Not Impacted | Product does not use Apache Struts. | 2017-09-13 | | BSAFE Java Products: Cert-J, Crypto-J, SSL-J | All Supported | Not Impacted | Product does not use Apache Struts. | 2017-09-13 | | Data Loss Prevention | All Supported | Not Impacted | | 2017-09-07 | | Data Protection Manager | All Supported | Not Impacted | | 2017-09-12 | | DCS: Certificate Manager | All Supported | Not Impacted | Product does not use Apache Struts. | 2017-09-06 | | DCS: Validation Manager | All Supported | Not Impacted | Product does not use impacted version of Apache Struts | 2017-09-06 | | ECAT (NetWitness Endpoint) | All Supported | Not Impacted | | 2017-09-07 | | eFraudNetwork (eFN) | All Supported | Not Impacted | Product does not use impacted version of Apache Struts | 2017-09-28 | | enVision | EOPS | Not Impacted | Product does not use Apache Struts. | 2017-09-07 | | Federated Identity Manager | All Supported | Not Impacted | Product does not use impacted version of Apache Struts | 2017-09-13 | | FraudAction (OTMS) | All Supported | Not Impacted | Product does not use impacted version of Apache Struts | 2017-09-28 | Identity Governance and Lifecycle Software
(Via Lifecycle and Governance Software, Identity Management & Governance Software) | All Supported | Not Impacted | Product does not use Apache Struts. | 2017-09-21 | Identity Governance and Lifecycle Appliance
(Via Lifecycle and Governance Appliance, Identity Management & Governance Appliance) | All Supported | Not Impacted | Product does not use Apache Struts. | 2017-09-21 | Identity Governance and Lifecycle SaaS / MyAccessLive
(Via Lifecycle and Governance SaaS / MyAccessLive) | All Supported | Not Impacted | Product does not use Apache Struts | 2017-09-21 | NetWitness / Security Analytics
(Physical and Virtual Appliances) | All Supported | Not Impacted | | 2017-09-07 | | RSA Central | All Supported | Not Impacted | Product does not use impacted version of Apache Struts | 2017-09-14 | | RSA Live Infrastructure | All Supported | Not Impacted | | 2017-09-07 | | SecurID Access Cloud Service | All Supported | Not Impacted | Product does not use impacted version of Apache Struts | 2017-09-28 | | SecurID Access IDR VM | All Supported | Not Impacted | Product does not use impacted version of Apache Struts | 2017-09-28 | | SecurID Agent for PAM | All Supported | Not Impacted | | 2017-09-07 | | SecurID Agent for Web | All Supported | Not Impacted | | 2017-09-07 | | SecurID Agent for Windows | All Supported | Not Impacted | | 2017-09-07 | | SecurID Authentication Engine | All Supported | Not Impacted | | 2017-09-07 | | SecurID Authentication SDK | All Supported | Not Impacted | | 2017-09-07 | | SecurID Software Token Converter | All Supported | Not Impacted | | 2017-09-07 | | SecurID Software Token for Android | All Supported | Not Impacted | | 2017-09-07 | | SecurID Software Token for Blackberry | All Supported | Not Impacted | | 2017-09-07 | | SecurID Software Token for Desktop | All Supported | Not Impacted | | 2017-09-07 | | SecurID Software Token for iPhone | All Supported | Not Impacted | | 2017-09-07 | | SecurID Software Token for Windows Mobile | All Supported | Not Impacted | | 2017-09-07 | | SecurID Software Token Toolbar | All Supported | Not Impacted | | 2017-09-07 | | SecurID Software Token Web SDK | All Supported | Not Impacted | | 2017-09-07 | | SecurID Transaction Signing SDK | All Supported | Not Impacted | | 2017-09-07 | | Web Threat Detection | All Supported | Not Impacted | Product does not use Apache Struts | 2017-10-16 |
|
| Notes | For status of Dell products, see: Apache Struts 2 Remote Code Execution Vulnerability (CVE-2017-9805) | Dell US For status of Dell EMC products, see: https://support.emc.com/kb/503891
For status of Dell EMC CPSD products: http://support.vce.com/kA2A0000000LKm0 |
Disclaimer
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell Technologies, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
