CVE-2020-14882 and CVE-2020-14883 from October CPU and CVE-2020-14750 from Nov. 1 Hot fix do not impact and cannot be exploited on either Authentication Manager or Web Tier. These are Web Logic Console vulnerabilities. AM and Web Tier do not deploy the Web Logic Console, nor will the Web Logic Console ports respond to any exploits against the console port.
RSA will provide both Authentication Manager and Web Tier hot fixes that will include both the Oracle October CPU and Oracle Nov. 1 hotf ix. These hot fixes will be ver. 184.108.40.206.1 and 220.127.116.11.1, which will address the other vulnerabilities/CVEs listed in the October CPU. These hot fixes will eventually be included in patch 2 for AM 8.5.
Three vulnerabilities; "CVE-2020-14882" and "CVE-2020-14883" from Oracle CPU for October 2020 and CVE-2020-14750 from the Oracle Stand-alone hot fix from Nov. 1, 2020 are not exploitable and of no security concern for RSA Authentication Manager. All Three of these vulnerabilities are found in the WebLogic admin console, see above Link to Advisories. RSA Authentication Manager does not implement or deploy the Weblogic console in either the Authentication Manager or Web Tier.
The WebLogic admin console is not deployed. None of the WL-Admin-Console URLs will respond to either of the published attacks. Therefore the impact statement, “the flaw exists but cannot be exploited" is assigned to all three of this Authentication Manager and Web Tier.
Additionally, the Authentication Manager appliance implements an "iptables" network firewall that blocks access to the WL-Admin-Console port. Web Tiers are not appliances but are software that runs on either Linux or Windows. The Authentication Manager Planning Guide makes reference to protecting your Web Ter to allow only access to Web Tier ports, thereby blocking access to the Web Logic Console port through an implicit deny all.
An updated WebLogic will be released in RSA AM 8.5 Patch 1 Hot fix 1.
RSA Authentication Manager 8.5 patch 1 hot fix 1 will have an updated WebLogic with all fixes for vulnerabilities listed in Oracle Critical Patch Update Advisory October 2020.
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1- 800 995 5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell EMC, distributes RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall RSA, its affiliates or suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.