BugTraq
ESA-2012-023: RSA Authentication Manager Multiple Vulnerabilities Jul 11 2012 07:19PM
Security_Alert emc com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2012-023: RSA® Authentication Manager Multiple Vulnerabilities

EMC Identifier: ESA-2012-023

CVE Identifier: CVE-2012-2278, CVE-2012-2279, CVE-2012-2280

Severity Rating: See below for scores for individual issues

Affected Products:

RSA Authentication Manager 7.1 all platforms, including Appliance 3.0

Unaffected Products:

RSA Authentication Manager 6.1

Summary:

Patch 14 (P14) for RSA Authentication Manager 7.1 Service Pack 4 (SP4) and
Appliance 3.0 SP4 contains fixes for multiple security vulnerabilities.

Details:

This update includes fixes for the following vulnerabilities:

1. Open redirection vulnerability on the RSA Security Console (CVE-2012-2279)
   CVSSv2 Base Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)

2. Multiple cross-site scripting vulnerabilities on the RSA Self-Service and
   Security Consoles (CVE-2012-2278)
   CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

3. Cross frame scripting vulnerability (CVE-2012-2280)
   CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)

Recommendation:

RSA strongly recommends that customers apply Patch 14 at the earliest
opportunity.

Severity Rating:

For an explanation of Severity Ratings, refer to the Knowledge Base Article
"Security Advisories Severity Rating" at
https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604.
RSA recommends that all customers take into account both the base score and
any relevant temporal and environmental scores which may impact the
potential severity associated with a particular security vulnerability.

Obtaining Downloads:

To obtain the latest RSA product downloads, log on to RSA SecurCare Online at
https://knowledge.rsasecurity.com and click Products in the top navigation
menu. Select the specific product whose download you want to obtain. Scroll
to the section for the product download that you want and click on the link.

Obtaining Documentation:

To obtain RSA documentation, log on to RSA SecurCare Online at
https://knowledge.rsasecurity.com and click Products in the top navigation
menu. Select the specific product whose documentation you want to obtain.
Scroll to the section for the product version that you want and click the
set link.

Obtaining More Information:

For more information about RSA SecurID, visit the RSA web site at
http://www.rsa.com/node.aspx?id=1156.

Getting Support and Service:

For customers with current maintenance contracts, contact your local RSA
Customer Support center with any additional questions regarding this RSA
SecurCare Note. For contact telephone numbers or e-mail addresses, log on to
RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help &
Contact, and then click the Contact Us - Phone tab or the Contact Us - Email
tab.

General Customer Support Information:

http://www.rsa.com/node.aspx?id=1264

RSA SecurCare Online:

https://knowledge.rsasecurity.com

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major
versions. Please refer to the link below for additional details.

http://www.rsa.com/node.aspx?id=2575

SecurCare Online Security Advisories:

RSA, The Security Division of EMC, distributes SCOL Security Advisories in
order to bring to the attention of users of the affected RSA products
important security information. RSA recommends that all users determine the
applicability of this information to their individual situations and take
appropriate action. The information set forth herein is provided "as is"
without warranty of any kind. RSA disclaims all warranties, either express or
implied, including the warranties of merchantability, fitness for a
particular purpose, title and non-infringement. In no event shall RSA or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if RSA or its suppliers have been advised of the possibility of such damages.
Some states do not allow the exclusion or limitation of liability for
consequential or incidental damages so the foregoing limitation may not
apply.

About RSA SecurCare Notes & Security Advisories Subscription:

RSA SecurCare Notes & Security Advisories are targeted e-mail messages that
RSA sends you based on the RSA product family you currently use. If you'd
like to stop receiving RSA SecurCare Notes & Security Advisories, or if you'd
like to change which RSA product family Notes & Security Advisories you
currently receive, log on to RSA SecurCare Online at
https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the
instructions on the page, remove the check mark next to the RSA product
family whose Notes & Security Advisories you no longer want to receive. Click
the Submit button to save your selection.

EMC Product Security Response Center
Security_Alert (at) emc (dot) com
http://www.emc.com/contact-us/contact/product-security-response-center.htm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (Cygwin)

iEYEARECAAYFAk/ozzsACgkQtjd2rKp+ALz91QCfQCFvW3Rr1XW99cFAR3BPdb8z
8GIAniHYeprFCtC4oAaScb4HIHTmb23E
=hwTP
-----END PGP SIGNATURE-----
