[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
ESA-2013-077: RSA Data Protection Manager Appliance Multiple Vulnerabilities
- To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "dm@xxxxxxxxxxxxxxxxx" <dm@xxxxxxxxxxxxxxxxx>, Security Alert <Security_Alert@xxxxxxx>
- Subject: ESA-2013-077: RSA Data Protection Manager Appliance Multiple Vulnerabilities
- From: Security Alert <Security_Alert@xxxxxxx>
- Date: Thu, 21 Nov 2013 20:11:49 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2013-077: RSA Data Protection Manager Appliance Multiple Vulnerabilities
EMC Identifier: ESA-2013-077
CVE Identifier: CVE-2013-3288, CVE-2009-3555
Severity Rating: See below for individual scores and refer to vendor advisories
for component issues
Affected Products:
RSA Data Protection Manager Appliance versions 3.2.x and 3.5 (Hardware and
Virtual)
Unaffected Products:
RSA Data Protection Manager Server all versions
Summary:
RSA Data Protection Manager Appliance is susceptible to vulnerabilities that
could potentially be exploited by malicious users to compromise affected
systems.
Details:
The vulnerabilities are:
1. DOM-based Cross Site Scripting Vulnerability (CVE-2013-3288)
CVSS v2 Base Score: 5.8 (AV:A/AC:L/Au:N/C:P/I:P/A:P)
A cross-site scripting vulnerability could be potentially exploited for
conducting malicious scripting attacks in RSA Data Protection Manager
Appliance. The vulnerability could be exploited by malicious attacker by
getting an authenticated user to click on specially-crafted links embedded
within an email, web page or other source. This may lead to execution of
malicious html requests or scripts in the context of the authenticated user.
2. TLS Session Renegotiation Vulnerability (CVE-2009-3555)
CVSS v2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
A vulnerability exists in SSL and TLS protocols that may allow attackers to
execute an arbitrary HTTP transaction in RSA Data Protection Manager Appliance.
See http://www.kb.cert.org/vuls/id/120541 for more details.
Recommendation:
The following versions contain resolution to these issues:
RSA DPM Appliance versions 3.2.4.2, 3.5.1
RSA strongly recommends all customers to upgrade to unaffected versions at the
earliest opportunity.
Obtaining Documentation:
To obtain RSA documentation, log on to RSA SecurCare Online at
https://knowledge.rsasecurity.com and click Products in the top navigation
menu. Select the specific product whose documentation you want to obtain.
Scroll to the section for the product version that you want and click the set
link.
Severity Rating:
For an explanation of Severity Ratings, refer to the Knowledge Base Article,
?Security Advisories Severity Rating? at
https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA
recommends all customers take into account both the base score and any relevant
temporal and environmental scores which may impact the potential severity
associated with particular security vulnerability.
Obtaining More Information:
For more information about RSA products, visit the RSA web site at
http://www.rsa.com.
Getting Support and Service:
For customers with current maintenance contracts, contact your local RSA
Customer Support center with any additional questions regarding this RSA
SecurCare Note. For contact telephone numbers or e-mail addresses, log on to
RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help &
Contact, and then click the Contact Us - Phone tab or the Contact Us - Email
tab.
General Customer Support Information:
http://www.rsa.com/node.aspx?id=1264
RSA SecurCare Online:
https://knowledge.rsasecurity.com
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major
versions. Please refer to the link below for additional details.
http://www.rsa.com/node.aspx?id=2575
SecurCare Online Security Advisories
RSA, The Security Division of EMC, distributes SCOL Security Advisories in
order to bring to the attention of users of the affected RSA products important
security information. RSA recommends that all users determine the applicability
of this information to their individual situations and take appropriate action.
The information set forth herein is provided "as is" without warranty of any
kind. RSA disclaim all warranties, either express or implied, including the
warranties of merchantability, fitness for a particular purpose, title and
non-infringement. In no event shall RSA or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental, consequential, loss
of business profits or special damages, even if RSA or its suppliers have been
advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so
the foregoing limitation may not apply.
About RSA SecurCare Notes & Security Advisories Subscription
RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA
sends you based on the RSA product family you currently use. If you?d like to
stop receiving RSA SecurCare Notes & Security Advisories, or if you?d like to
change which RSA product family Notes & Security Advisories you currently
receive, log on to RSA SecurCare Online at
https://knowledge.rsasecurity.com/scolcms/help.aspx?_v=view3. Following the
instructions on the page, remove the check mark next to the RSA product family
whose Notes & Security Advisories you no longer want to receive. Click the
Submit button to save your selection.
Sincerely,
RSA Customer Support
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)
iEYEARECAAYFAlKOaH0ACgkQtjd2rKp+ALxMUwCgzhvHPFn+UXKwdWdOaW1av34s
QcoAoJt3qWkXUmrR3T7lezUnY5+5pyrF
=3wPa
-----END PGP SIGNATURE-----