Is there any specific information regarding the most recent service pack, in regards to where the vulnerabilities are? Does this affect the base Authentication manager, or is it limited to the self-service console or web tier software?
Cannot seem to find any detail on the potential problems with 8.2.
We also have this question - which parts of 8.2 sp1 are affected? Just web tier???
Since Patch 8 for 8.2 SP1 came out around the same time, and since the release notes for 8.3 say it includes the patches up to patch 7. Does Patch 8 fix the same vulnerability?
The fixes in 8.2 SP1 patch 8 are not included in 8.3. The fixes in 8.2 SP1 patch 8 will be included in 8.3 patch 1.
Regards,
Erica
Why do we even bother posting on the RSA forum. No one from RSA responds. Time to open a ticket. Yay....ugh.
In the https://community.rsa.com/docs/DOC-60102#February , you can clearly see
Applying version 8.3 removes any software fixes that are not included in the cumulative Patch 5 for version 8.2 SP1.
Small clarification... https://community.rsa.com/docs/DOC-60102#February the full statement reads.
. Applying version 8.3 removes any software fixes that are not included in the cumulative Patch 5 for version 8.2 SP1 or listed in "Fixed Issues."
And includes this statement...
RSA Authentication Manager 8.3 includes the software fixes in the cumulative Patch 5 for version 8.2 SP1 and additional Patch 6 and Patch 7
All,
My apologies for the delayed reply.
Please review DSA-2018-026 RSA® Authentication Manager Security Update for Vulnerabilities in Apache Struts, which states "RSA has released RSA Authentication Manager 8.3 that includes an update to resolve multiple security vulnerabilities in the embedded Apache Struts component."
Authentication Manager 8.3 patch 1 will be released in a month or so and will contain the fixes in 8.2 SP1 patch 7 and patch 8.
Regards,
Erica
Ok, the question I was trying to get answered is this. In the document you mentioned, under "affected products", it list 8.2 Patch 8, which is the latest patch that was released about the same time as 8.3. I would prefer to wait for patch 1 of 8.3 to come out before going there. Will there be a patch for 8.2 that corrects the vulnerability, or will we "have to" go to 8.3?
That is all.
RSA Authentication Manager 8.2 SP1 Patch 8 and earlier are impacted by the vulnerability and
RSA Authentication Manager 8.3 and later contains a resolution for these issues, to address DSA-2018-026 (CVE-2016-1181, CVE-2016-1182) resolving multiple security vulnerabilities in the embedded Apache Struts component.
You may want to wait for AM 8.3 Patch 1 if you wanted everything from AM 8.2 SP1 P8. Whether you need everything or not is a separate question, but
RSA recommends all customers upgrade to RSA Authentication Manager 8.3 at the earliest opportunity.
thanks for this clarification.
But these 2 issues has been: Published: July 04, 2016; 06:59:01 PM -04:00
2016 ?
Since when are the Apache Struts used in the RSA AM ?
RSA Authentication Manager has been using Apache Struts 1 for a number of releases.
There have been a number of issues with Struts. The version in the software has a specific "RSA-2" version extension to identify that this component was altered by RSA (and differs from standard version).
Don't be too quick to go to version 8.3. I just had an install from 8.2 SP1 P7 blow up. On with support for 6 hours and in the middle of a fresh install and restore from back up to get it going again. Friday Fun!
Aaron:
Apologies for difficulty you are encountering. We are aware of only this one instance of the 8.3 upgrade failing.
It appears to be on an Intel Appliance. Customer Support has performed an upgrade test on our lab related to this issue with differing results.
What we know right now is that this has affected only one instance of an Intel appliance and do not have root cause yet. We will post back with an update when we have more information.
Hi Jay and Kevin,
It is an Intel appliance. I understand stuff like this happens. Honestly, this is the first 8.x upgrade I have ever had a problem with, so the track record is wonderful. That's why I didn't really hesitate in upgrading my customer so soon. I am glad I took a backup first though. =)
Looking forward to a resolution because the customer does want to upgrade as soon as they can. Thanks!
Aaron
Following up on this. We're on 8.2 sp 1 patch 6 and I was planning to upgrade to patch 8 this week. Now, we got 8.3. I am hesitant to jump to a whole new version if this vulnerability doesn't affect us.