SecurID® Discussions
JochenHoffmann
Occasional Contributor

RSA-2020-03: is AuthMgr 8.4 p14 w/ Web-Tier 8.4 p14 affected, too?

https://community.rsa.com/docs/DOC-114867

Related to the Security Announcement above (DOC-114867): is Authentication Manager 8.4 p14 with Web-Tier 8.4 p14 affected? If yes, will there be patches available for 8.4, too - or do we need to upgrade all of our 8.4 environments to 8.5? Any official guidance here?


Accepted Solutions

CVE-2020-14644 & CVE-2020-14622 for WebLogic were fixed in the Oracle July 2020 CPU, which was included in AM 8.4 P13
CVE-2020-11608 for Linux Kernel was also addressed in AM 8.4 P13

An overview look indicates everything except SAMBA CVE-2020-1472 is covered in AM 8.4 patch 14, and based on the fact that CVE-2020-1472 is a patch to prevent "an elevation of privilege vulnerability in Microsoft's Netlogon. A remote attacker can exploit this vulnerability to breach unpatched Active Directory domain controllers and obtain domain administrator access", I think we can see that does not apply to either a Linux Web Tier or AM Appliance. If your Windows Web Tier was also a Domain Controller, maybe you could be vulnerable, but you would want to patch Windows for that, not the Web Tier running on Windows.

8 Replies
EdwardDavis
Employee

As the page you linked indicates:

The following RSA Authentication Manager releases contain resolutions to these vulnerabilities:

  • RSA Authentication Manager 8.5 Patch 1 and later
  • RSA Authentication Manager 8.5 Patch 1 web-tier server and later
JochenHoffmann
Occasional Contributor

Thanks, Edward. BUT: is AuthMgr / Web-Tier 8.4 affected or not? That's not clear to me, sorry.

Yes.

I really am not able to state it differently than the page you linked

So, every company using AM 8.2 / 8.3 / 8.5 is FORCED to do the migration to 8.5?? What about that: RSA Announces RSA Authentication Manager 8.5 Patch 1 and Updated Web-Tier Server? There it reads: 

Again, no patches for 8.4 even though this version (among others) is still supported 'til Dec 2021? RSA, please make it clear. Even to those from "old Europe". ;- )

JayGuillette
Apprised Contributor

Unfortunately this RSA 2020-03 is written as if it only applies to AM 8.5, but as I read down the individual CVEs, e.g. CVE-2019-17006, I find that one fixed in AM 8.4 P9, so it seems there are several assumptions in the announcement.  It will take some time, but I think we might be able to document that all - or most - of these listed CVEs are also addressed if you update to AM 8.4 P14 then apply Hot fix 1 for P14 when it comes out.

Other examples

CVE-2020-11868 for NTP is fixed in AM 8.4 P13

CVE-2018-20532 for libsolv was addressed back in AM 8.4 P6

CVE-2019-18197 for libxslt was addressed in AM 8.4 P12

CVE-2019-17006 for mozilla-nss was addressed in AM 8.4 P13

I did find one exception so far:

CVE-2020-1472 for SAMBA is not addressed in any AM products, but then again, we do not support using an AM appliance as a file server.

What I do not see happening is coverage for all of these in any version less than AM 8.4


Thanks, Jay Guillette for clearing up that. As we are running Web-Tier on RHEL, we shouldn't be affected by SAMBA CVE-2020-1472 anyway. But I get back to my team mates and discuss to stick w/ 8.4 p14 plus hotfix or alternatively upgrade to 8.5. Isn't it a good idea to update RSA-2020-03 with the information above - if not done already?

Yes, you are right, RSA-2020-03 could have been written in a more helpful way. I'll see if there are specific people I can reach out to in order to possibly address this. Writing "big picture" Service announcements takes more time and is typically prone to more mistakes, but the heart of customer support is explaining all the details.