Article Number
000039437
CVE ID
CVE-2020-14882, CVE-2020-14883
Applies To
RSA Authentication Manager 8.4 and 8.5
RSA Authentication Manager 8.4 and 8.5 WebTier
Article Summary
Oracle announced its quarterly October 2020 CPU, then announced an additional hot fix on Nov. 1, 2020.
This is the Engineering Response/impact statement for:
- Oracle WebLogic Critical Patch Update, CPU Advisory - October 2020, including security vulnerabilities CVE-2020-14882 and CVE-2020-14883, along with several others listed here: https://www.oracle.com/security-alerts/cpuoct2020.html
- Nov 1, 2020, Oracle WebLogic Advisory RE: out-of-band fix for another security vulnerability, CVE-2020-14750, listed here: https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
CVE-2020-14882 and CVE-2020-14883 from the October CPU and CVE-2020-14750 from the Nov. 1 hot fix do not impact and cannot be exploited on either Authentication Manager or Web Tier. These are WebLogic Console vulnerabilities. AM and Web Tier do not deploy the WebLogic Console, nor will the WebLogic Console port respond to any exploit attempts against it.
RSA will provide both Authentication Manager and Web Tier hot fixes that will include both the Oracle October CPU and the Oracle Nov. 1 hot fix. These hot fixes will be versions 8.5.0.1.1 and 8.4.0.14.1 and will address the other vulnerabilities/CVEs listed in the October CPU. These hot fixes will eventually be included in patch 2 for AM 8.5.
Link to Advisories
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.1 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-14882 | Oracle WebLogic Server | Console | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
| CVE-2020-14883 | Oracle WebLogic Server | Console | HTTP | No | 7.2 | Network | Low | High | None | Unchanged | High | High | High | 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 |
Late on Sunday, Nov 1, 2020, Oracle also announced an out-of-band fix for another security vulnerability, CVE-2020-14750: https://www.oracle.com/security-alerts/alert-cve-2020-14750.html
Alert Impact
Not Exploitable
Alert Impact Explanation
Three vulnerabilities, CVE-2020-14882 and CVE-2020-14883 from the Oracle CPU for October 2020 and CVE-2020-14750 from the Oracle stand-alone hot fix of Nov. 1, 2020, are not exploitable and of no security concern for RSA Authentication Manager. All three of these vulnerabilities are found in the WebLogic admin console (see the Link to Advisories above). RSA Authentication Manager does not implement or deploy the WebLogic console in either the Authentication Manager or the Web Tier.
The WebLogic admin console is not deployed, so none of the WL-Admin-Console URLs will respond to either of the published attacks. Therefore the impact statement "the flaw exists but cannot be exploited" is assigned to all three for both Authentication Manager and Web Tier.
Additionally, the Authentication Manager appliance implements an "iptables" network firewall that blocks access to the WL-Admin-Console port.
Web Tiers are not appliances but software that runs on either Linux or Windows. The Authentication Manager Planning Guide makes reference to protecting your Web Tier by allowing access only to the Web Tier ports, thereby blocking access to the WebLogic Console port through an implicit deny all.
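The following is an added example, not code from RSA or Oracle, of how an administrator could audit a Linux Web Tier host's firewall against the model described above (default deny on INPUT, only the Web Tier ports allowed, the WebLogic console port never accepted). The `iptables-save` dump is a constructed sample, and the port numbers (443 for the Web Tier, 22 for SSH, 7002 for the console) are assumptions, not values taken from this advisory.

```shell
#!/bin/sh
# Added example (not RSA's or Oracle's code): audit an iptables-save dump for the
# "allow only Web Tier ports, implicit deny all" model the advisory describes.
# All port numbers here are assumptions for the constructed sample.

# Constructed sample of `iptables-save` output for a Web Tier host.
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 10.0.0.0/8 -j ACCEPT
COMMIT'

# audit_firewall RULES CONSOLE_PORT ALLOWED_PORT...
# Prints findings; returns 0 when the ruleset is acceptable, 1 otherwise.
audit_firewall() {
    rules="$1"; console_port="$2"; shift 2
    status=0
    # 1. The INPUT chain must default to DROP: this is the implicit deny all.
    if ! printf '%s\n' "$rules" | grep -q '^:INPUT DROP'; then
        echo "FAIL: INPUT policy is not DROP"; status=1
    fi
    # 2. No ACCEPT rule may open the console port.
    if printf '%s\n' "$rules" | grep -E -- "--dport ${console_port}( |$)" | grep -q -- '-j ACCEPT'; then
        echo "FAIL: console port ${console_port} is accepted"; status=1
    fi
    # 3. Every ACCEPT rule that names a --dport must be one of the allowed ports.
    for p in $(printf '%s\n' "$rules" | sed -n 's/.*--dport \([0-9]*\).*-j ACCEPT.*/\1/p'); do
        ok=0
        for a in "$@"; do [ "$p" = "$a" ] && ok=1; done
        [ "$ok" -eq 1 ] || { echo "FAIL: unexpected port ${p} allowed"; status=1; }
    done
    [ "$status" -eq 0 ] && echo "OK: only ports $* are accepted; ${console_port} is blocked"
    return "$status"
}

# On a live host replace SAMPLE_RULES with "$(iptables-save)".
audit_firewall "$SAMPLE_RULES" 7002 443 22
```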
Resolution
An updated WebLogic will be released in RSA AM 8.5 Patch 1 Hot fix 1.
Notes
RSA Authentication Manager 8.5 patch 1 hot fix 1 will have an updated WebLogic with all fixes for vulnerabilities listed in Oracle Critical Patch Update Advisory October 2020.
Disclaimer
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, including without limitation its ultimate parent company, Dell EMC, distribute RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.