Important Update: Archer Community Scheduled Maintenance on November 23–24 - New Community Launching Soon! Learn More..

This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
No ratings

[Historic] Archer Update for GRC Platform Multiple Vulnerabilities

Anonymous
Not applicable

on ‎2014-07-03 06:10 AM - edited on ‎2024-02-02 07:57 PM by Archer Employee

EMC Identifier: ESA-2014-071
 
CVE Identifier: CVE-2014-2517, CVE-2014-2505, CVE-2014-0640, CVE-2014-0641
 
Severity Rating: CVSS v2 Base Score: See below for individual scores
 
 
Affected Products:
RSA Archer GRC Platform version 5.x
 
 
Summary:  
RSA Archer GRC Platform 5.5 SP1 contains fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system. 
 
 
Details:  
The vulnerabilities addressed in RSA Archer GRC Platform 5.5 SP1 are:
 
1. Privilege Escalation Vulnerability (CVE-2014-2517)
This vulnerability can be potentially exploited by malicious non-privileged users to perform unauthorized operations on certain functionality within the RSA Archer GRC Platform. 
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
 
2. Unauthorized Access to Resources (CVE-2014-0640)
This vulnerability can be potentially exploited by malicious users to gain unauthorized access to certain resources within the RSA Archer GRC Platform.
CVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N) 
 
3. Cross-Site Request Forgery Vulnerability (CVE-2014-0641)
This vulnerability can be potentially exploited by malicious users to perform unauthorized actions in a RSA Archer GRC Platform userÕs browser session by getting a user with an active session to click on specially crafted links that are embedded within an email, web page or other source. 
CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
 
4. Inclusion of Functionality from Untrusted Control Sphere (CVE-2014-2505) 
This vulnerability can be potentially exploited by malicious users to insert malicious functionality into the application by causing it to download code that the malicious user has placed into an untrusted control sphere.
CVSSv2 Base Score: 5.4 (AV:A/AC:M/Au:N/C:P/I:P/A:P)
 
5. Multiple Embedded Component vulnerabilities (Multiple CVEs, see vendor advisory below)
This release also contains critical security updates for Oracle Java Runtime Environment. Oracle Java Runtime Environment has been upgraded to version 7 update 55. Please refer to the following link for more information: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html 
CVSSv2 Base Score: See vendor advisory for the individual CVSS scores.
  
 
Recommendation:
RSA strongly recommends all customers upgrade to RSA Archer GRC Platform 5.5 SP1 at their earliest opportunity. 
 
 
Severity Rating:
For an explanation of Severity Ratings, refer to the Archer Vulnerability Disclosure Policy. Archer recommends all customers consider both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.
 
0 Kudos
Version history
Last update:
‎2024-02-02 07:57 PM
Updated by:
Archer Employee
Contributors