BugTraq
ESA-2012-014: RSA enVision Multiple Vulnerabilities Mar 19 2012 04:13AM
Security_Alert emc com


ESA-2012-014: RSA enVision Multiple Vulnerabilities

EMC Identifier: ESA-2012-014

CVE Identifiers: CVE-2012-0399, CVE-2012-0400, CVE-2012-0401, CVE-2012-0402, CVE-2012-0403

Severity Rating: CVSS Base Score: See below for scores for individual vulnerabilities.

Affected Products:

RSA enVision 4.x

Summary:

RSA, The Security Division of EMC, announces security fixes to address multiple vulnerabilities and provide enhancements in RSA enVision® software.

Description:

This release addresses multiple vulnerabilities that can be potentially exploited by a malicious user to compromise a vulnerable system.

1. Multiple cross-site scripting vulnerabilities (CVE-2012-0399)
   CVSS Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

2. Improper restriction of excessive authentication attempts (CVE-2012-0400)
   CVSS Base Score: 7.9 (AV:A/AC:M/Au:N/C:C/I:C/A:C)

3. Multiple SQL injection vulnerabilities (CVE-2012-0401)
   CVSS Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)

4. Hardcoded credentials (CVE-2012-0402)
   CVSS Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

5. Directory traversal vulnerability (CVE-2012-0403)
   CVSS Base Score: 6.3 (AV:N/AC:M/Au:S/C:C/I:N/A:N)

Further information about these resolutions and other fixes can be found in the Release Notes associated with RSA enVision 4.1 Patch 4.

Recommendation:

RSA strongly recommends that all RSA enVision customers upgrade to RSA enVision 4.1 Patch 4, which contains the resolutions for these issues.

Credits:

RSA would like to thank Filip Palian for reporting issues under CVE-2012-0399, CVE-2012-0400, CVE-2012-0401 and CVE-2012-0402.

For more information on CVSS scoring, please see the Knowledge Base Article, "Security Advisories Severity Rating" at https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604 . RSA recommends that all customers take into account both the base score and any relevant temporal and environmental scores, which may impact the potential severity associated with a particular security vulnerability.

Obtaining Documentation:

To obtain RSA documentation, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com and click Products in the top navigation menu. Select the specific product whose documentation you want to obtain. Scroll to the section for the product version that you want and click the set link.

Obtaining More Information:

For more information about RSA SecurID, visit the RSA web site at http://www.emc.com/security/rsa-envision.htm

Getting Support and Service:

For customers with current maintenance contracts, contact your local RSA Customer Support center with any additional questions regarding this RSA SecurCare Note. For contact telephone numbers or e-mail addresses, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & Contact, and then click the Contact Us - Phone tab or the Contact Us - Email tab.

General Customer Support Information:
http://www.emc.com/support/rsa/index.htm

RSA SecurCare Online:
https://knowledge.rsasecurity.com

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details.
http://www.emc.com/support/rsa/eops/index.htm

SecurCare Online Security Advisories

RSA, The Security Division of EMC, distributes SCOL Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

About RSA SecurCare Notes & Security Advisories Subscription

RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA sends you based on the RSA product family you currently use. If you'd like to stop receiving RSA SecurCare Notes & Security Advisories, or if you'd like to change which RSA product family Notes & Security Advisories you currently receive, log on to RSA SecurCare Online at https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the instructions on the page, remove the check mark next to the RSA product family whose Notes & Security Advisories you no longer want to receive. Click the Submit button to save your selection.

EMC Product Security Response Center
Security_Alert (at) emc (dot) com [email concealed]
http://www.emc.com/contact-us/contact/product-security-response-center.htm