Archer Community

EMC Identifier: ESA-2014-071   CVE Identifier: CVE-2014-2517, CVE-2014-2505, CVE-2014-0640, CVE-2014-0641   Severity Rating: CVSS v2 Base Score: See below for individual scores     Affected Products: RSA Archer GRC Platform version 5.x     Summary:   RSA Archer GRC Platform 5.5 SP1 contains fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.      Details:   The vulnerabilities addressed in RSA Archer GRC Platform 5.5 SP1 are:   1. Privilege Escalation Vulnerability (CVE-2014-2517) This vulnerability can be potentially exploited by malicious non-privileged users to perform unauthorized operations on certain functionality within the RSA Archer GRC Platform.  CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)   2. Unauthorized Access to Resources (CVE-2014-0640) This vulnerability can be potentially exploited by malicious users to gain unauthorized access to certain resources within the RSA Archer GRC Platform. CVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)    3. Cross-Site Request Forgery Vulnerability (CVE-2014-0641) This vulnerability can be potentially exploited by malicious users to perform unauthorized actions in a RSA Archer GRC Platform userÕs browser session by getting a user with an active session to click on specially crafted links that are embedded within an email, web page or other source.  CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)   4. Inclusion of Functionality from Untrusted Control Sphere (CVE-2014-2505)  This vulnerability can be potentially exploited by malicious users to insert malicious functionality into the application by causing it to download code that the malicious user has placed into an untrusted control sphere. CVSSv2 Base Score: 5.4 (AV:A/AC:M/Au:N/C:P/I:P/A:P)   5. Multiple Embedded Component vulnerabilities (Multiple CVEs, see vendor advisory below) This release also contains critical security updates for Oracle Java Runtime Environment. Oracle Java Runtime Environment has been upgraded to version 7 update 55. Please refer to the following link for more information: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html  CVSSv2 Base Score: See vendor advisory for the individual CVSS scores.      Recommendation: RSA strongly recommends all customers upgrade to RSA Archer GRC Platform 5.5 SP1 at their earliest opportunity.      Severity Rating: For an explanation of Severity Ratings, refer to the Archer Vulnerability Disclosure Policy. Archer recommends all customers consider both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.  

EMC Identifier: ESA-2013-079 CVE Identifier: CVE-2013-6178 Severity Rating: CVSS v2 Base Score:  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Affected Products: RSA Archer version 5.x   Summary:  RSA Archer GRC 5.4 P2 and 5.4 SP1 platform contains fixes for multiple cross-site scripting vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.   Details:  RSA Archer GRC 5.4 P2 and 5.4 SP1 platform contains fixes for multiple cross-site scripting vulnerabilities. These vulnerabilities can be exploited to execute arbitrary HTML and script code in an RSA Archer userÕs browser session in context of an affected RSA Archer application.   Recommendation:  RSA strongly recommends all customers upgrade to RSA Archer GRC 5.4 P2 or 5.4 SP1 at their earliest opportunity.   Severity Rating: For an explanation of Severity Ratings, refer to the Archer Vulnerability Disclosure Policy. Archer recommends all customers consider both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.

EMC Identifier: ESA-2013-057 CVE Identifier: CVE-2013-3276, CVE-2013-3277  Severity Rating: CVSS v2 Base Score: See below for individual scores   Affected Products: RSA Archer version 5.x   Unaffected Products:   Summary:  RSA Archer GRC 5.4 platform contains fixes for security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.   Details:  The vulnerabilities addressed in RSA Archer GRC 5.4 are: Improper restriction of user login (CVE-2013-3276) A flaw in platform does not prevent users from login who should have been deactivated. CVSSv2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P) Open redirect vulnerability (CVE-2013-3277) This vulnerability may allow malicious phishing attacks by redirecting users to arbitrary web sites.  CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) Recommendation:   RSA strongly recommends all customers upgrade to RSA Archer GRC 5.4 at their earliest opportunity.  

EMC Identifier: ESA-2013-015 CVE Identifier: CVE-2013-0932, CVE-2013-0933, CVE-2013-0934 Severity Rating: CVSS v2 Base Score: See below for individual scores   Affected Products: RSA Archer version 5.x Archer Smart Suite Framework version 4.x   Unaffected Products: none   Summary:  RSA Archer GRC 5.3SP1 platform contains fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.   Details:  The vulnerabilities addressed in RSA Archer GRC5.3SP1 are: Arbitrary file upload vulnerability (CVE-2013-0932) This vulnerability may allow an authenticated user to bypass existing security controls and upload arbitrary files to the Archer platform including files with dangerous type. CVSSv2 Base Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C). Multiple cross-site scripting vulnerabilities (CVE-2013-0933) These vulnerabilities can be exploited to execute arbitrary HTML and script code in an RSA Archer users browser session in context of an affected RSA Archer application. CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Improper authorization vulnerability (CVE-2013-0934) This vulnerability may allow an unauthorized Archer user to modify global reports. CVSSv2 Base Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P) Recommendation:   RSA strongly recommends all customers upgrade to RSA Archer GRC v5.3SP1 at their earliest opportunity.

EMC Identifier: ESA-2013-002 CVE Identifier: CVE-2012-2293, CVE-2012-2292, CVE-2012-1064, CVE-2012-2294 Severity Rating:  See below for scores for individual issues   Affected Products:   RSA Archer SmartSuite Framework version 4.x RSA Archer GRC version 5.x   Summary:  RSA Archer GRC 5.3 and 5.2SP1 platform contains fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.   Details:  The vulnerabilities addressed in RSA Archer GRC 5.3 and RSA Archer GRC 5.2SP1 are: Path traversal vulnerability (CVE-2012-2293) This vulnerability may allow malicious users to upload arbitrary files to a vulnerable RSA Archer system using the relative paths. CVSSv2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C) Improper permissions in Silverlight cross-domain policy (CVE-2012-2292) This vulnerability allows access to the RSA Archer application from any domain. This insecure permission may lead to cross-domain attacks. CVSSv2 Base Score: 8.3 (AV:N/AC:M/Au:N/C:C/I:P/A:P) Multiple cross-site scripting vulnerabilities (CVE-2012-1064) These vulnerabilities can be exploited to execute arbitrary HTML and script code in an RSA Archer users browser session in context of an affected RSA Archer application. CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Clickjacking vulnerability (CVE-2012-2294) A malicious user may exploit this vulnerability by constructing a specially crafted Web page disguised as legitimate content to conduct clickjacking attacks. The users clicks in the malicious page may perform unwanted actions. CVSSv2 Base Score:6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) Recommendation: RSA strongly recommends all customers upgrade to RSA Archer GRC v5.3 or install 5.2SP1 at their earliest opportunity.     Credits: RSA would like to thank Nello Coppeto at eMaze Network SpA (http://blog.emaze.net) for reporting issues under CVE-2012-1064.