ESA-2017-064: RSA Identity Governance and Lifecycle Multiple Vulnerabilities

EMC Identifier:  EMC-2017-064

CVE Identifier:  CVE-2017-5003, CVE-2017-5004

 

Severity Rating:  CVSS v3 Base Score: Please view details below for individual CVE scores.

 

Affected Products:  
•RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels
•RSA Via Lifecycle and Governance version 7.0, all patch levels
•RSA Identity Management and Governance (RSA IMG) versions 6.9.1, all patch levels

 

Summary:  

RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG contain fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise an affected system.

 

Details:

 

Reflected Cross Site Scripting Vulnerabilities  (CVE-2017-5003)
The RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG products are affected by multiple reflected cross-site scripting vulnerabilities.  An unauthenticated remote attacker may potentially exploit these vulnerabilities to execute arbitrary HTML in the user’s browser session in the context of the affected system.

 

CVSSv3 Base Score:  8.2/High (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)

 

Stored Cross Site Scripting Vulnerabilities  (CVE-2017-5004)
The RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG products are affected by multiple stored cross-site scripting vulnerabilities.  A low privileged remote attacker may potentially exploit these vulnerabilities to execute arbitrary HTML in the user’s browser session in the context of the affected system.


CVSSv3 Base Score:  7.6/High (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N)

 

Recommendation: 

The following RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG releases contain resolutions to these vulnerabilities:
•RSA Identity Governance and Lifecycle 7.0.2:  7.0.2 P01 or later
•RSA Identity Governance and Lifecycle 7.0.1:  7.0.1 P03 or later
•RSA Via Lifecycle and Governance 7.0:  Requires upgrading to 7.0.1 P03 or later
•RSA Identity Management and Governance 6.9.1:  6.9.1 P23 or later

 

RSA recommends all customers upgrade at the earliest opportunity.

 

Customers can obtain the documentation and software for these releases by downloading them from the Downloads area on RSA Identity Governance and Lifecycle space of RSA Link.

 

Credits: 
RSA would like to thank Lukasz Plonka for reporting this vulnerability.