on 2016-06-20 12:46 PM - edited on 2024-02-02 08:12 PM by MegONeil
EMC Identifier: ESA-2016-047
CVE Identifier: CVE-2016-0899
Severity Rating: CVSS v3 Base Score: 6.3 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N)
Affected Products:
· RSA Archer version 5.5.x
Summary:
RSA Archer GRC 5.5.3.4 platform contains a fix designed to remedy a sensitive information disclosure vulnerability that could potentially be exploited by malicious users to compromise an affected system.
Details:
RSA Archer GRC is potentially affected by a sensitive information disclosure vulnerability. When RSA Archer GRC is upgraded to one of the affected versions listed above, it creates a backup copy (.bak) of the web.config file. IIS on RSA Archer GRC allows an authenticated user to configure a Multipurpose Internet Mail Extensions (MIME) type mapping that permits .bak files to be read or downloaded. An attacker can then make an HTTP request to read or download the .bak file, which may contain sensitive information such as the RSA Archer web server's username and password.
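The two conditions above (a leftover web.config backup on disk, and an IIS MIME mapping that lets IIS serve it) are both visible in configuration, so an administrator can check for them before and after patching. The following Python script is an added example for this advisory and is not code from RSA, EMC or the Archer product. It audits a web.config for a static-content MIME map on backup extensions and for the absence of a request-filtering deny rule, produces a hardened copy, and flags leftover backup files from a list of paths. The sample web.config embedded in it is constructed to reproduce the weak state; the element names used (`system.webServer/staticContent/mimeMap` and `system.webServer/security/requestFiltering/fileExtensions/add`) are the standard IIS schema, while the function names and the `BACKUP_EXTENSIONS` list are this example's own choices.

```python
"""Audit an IIS web.config for the conditions in ESA-2016-047: a MIME
mapping that makes .bak files downloadable and no request-filtering rule
blocking them. Hypothetical helper written for this advisory page."""
import posixpath
import xml.etree.ElementTree as ET

# Extensions commonly used for editor/upgrade backups of config files.
# (.config itself is denied by IIS request filtering defaults, so it is
# not listed here.)
BACKUP_EXTENSIONS = (".bak", ".old", ".orig", ".bkp")

# Constructed sample reproducing the weak state: an operator mapped ".bak"
# to a MIME type, and request filtering allows every unlisted extension.
WEAK_WEB_CONFIG = """<configuration>
  <system.webServer>
    <staticContent>
      <mimeMap fileExtension=".bak" mimeType="application/octet-stream" />
    </staticContent>
    <security>
      <requestFiltering>
        <fileExtensions allowUnlisted="true" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def audit_web_config(xml_text: str) -> dict:
    """Return served/blocked backup extensions plus a list of issues."""
    root = ET.fromstring(xml_text)
    findings = {"served": [], "blocked": [], "issues": []}
    ws = root.find("system.webServer")
    if ws is None:
        return findings
    # Any mimeMap entry makes IIS willing to serve that extension as static content.
    for m in ws.findall("./staticContent/mimeMap"):
        findings["served"].append(m.get("fileExtension", "").lower())
    # Only explicit allowed="false" entries block an extension.
    for a in ws.findall("./security/requestFiltering/fileExtensions/add"):
        if a.get("allowed", "true").lower() == "false":
            findings["blocked"].append(a.get("fileExtension", "").lower())
    for ext in BACKUP_EXTENSIONS:
        if ext in findings["served"]:
            findings["issues"].append(f"{ext} has a mimeMap and will be served")
        if ext not in findings["blocked"]:
            findings["issues"].append(f"{ext} is not denied by request filtering")
    return findings


def harden_web_config(xml_text: str) -> str:
    """Remove mimeMap entries for backup extensions and deny them via request filtering."""
    root = ET.fromstring(xml_text)
    ws = root.find("system.webServer")
    if ws is None:
        ws = ET.SubElement(root, "system.webServer")
    sc = ws.find("staticContent")
    if sc is not None:
        for m in list(sc.findall("mimeMap")):
            if m.get("fileExtension", "").lower() in BACKUP_EXTENSIONS:
                sc.remove(m)
    sec = ws.find("security")
    if sec is None:
        sec = ET.SubElement(ws, "security")
    rf = sec.find("requestFiltering")
    if rf is None:
        rf = ET.SubElement(sec, "requestFiltering")
    fe = rf.find("fileExtensions")
    if fe is None:
        fe = ET.SubElement(rf, "fileExtensions")
    already = {a.get("fileExtension", "").lower()
               for a in fe.findall("add") if a.get("allowed", "true").lower() == "false"}
    for ext in BACKUP_EXTENSIONS:
        if ext not in already:
            ET.SubElement(fe, "add", fileExtension=ext, allowed="false")
    return ET.tostring(root, encoding="unicode")


def find_backup_copies(paths) -> list:
    """From a list of file paths under the web root, return leftover config backups."""
    hits = []
    for p in paths:
        name = posixpath.basename(p).lower()
        if name.startswith("web.config") and name.endswith(BACKUP_EXTENSIONS):
            hits.append(p)
    return sorted(hits)


if __name__ == "__main__":
    for issue in audit_web_config(WEAK_WEB_CONFIG)["issues"]:
        print("weak:", issue)
    print("hardened issues:", audit_web_config(harden_web_config(WEAK_WEB_CONFIG))["issues"])
    # Constructed path list standing in for an os.walk() of the web root.
    print(find_backup_copies(["/RSAarcher/web.config", "/RSAarcher/web.config.bak"]))
```

Removing the leftover backup file is the real fix; the request-filtering deny is defence in depth for the next upgrade that leaves one behind. Run the audit against the live web.config after applying 5.5.3.4 to confirm neither condition remains.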
Recommendation:
RSA recommends all customers upgrade to the version mentioned below at the earliest opportunity.
· RSA Archer GRC 5.5.3.4
EOPS Policy:
Archer has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.