-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2016-097: RSA Identity Governance and Lifecycle Information Disclosure Vulnerability

EMC Identifier:  EMC-2016-097

CVE Identifier:  CVE-2016-0918

 

Severity Rating:  CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

 

Affected Products:  
RSA Identity Management and Governance versions prior to 6.8.1 P25
RSA Identity Management and Governance versions prior to 6.9.1 P15
RSA Via Lifecycle and Governance versions prior to 7.0.0 P04

 

Summary:  

RSA Identity Governance and Lifecycle is affected by an information disclosure vulnerability that potentially could be exploited by a malicious user to read certain details of other users in the system.

 

Details:

A malicious user authenticated to the RSA Identity Governance and Lifecycle application may be able to read certain details of other users in the system by modifying certain parameters in a specific URL of the application. The details disclosed are not sensitive. This change in behavior is described in the knowledge base article 000033247 - RSA Via Lifecycle & Governance Information Defined in User Detail Popups.

 

Recommendation: 

The following product releases contain resolution to this vulnerability:
RSA Identity Management and Governance 6.8.1 P25
RSA Identity Management and Governance 6.9.1 P15 or later
RSA Via Lifecycle and Governance 7.0.0 P04

 

RSA recommends all customers upgrade at the earliest opportunity.

 

Customers can obtain the documentation and software for these releases by downloading them from the Downloads area on RSA Identity Governance and Lifecycle space of RSA Link.

 

 

Severity Rating:
For an explanation of Severity Ratings, refer to the Security Advisories Severity Rating knowledge base article. RSA recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.

 

EOPS Policy:

RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the Product Version Life Cycle for additional details.

 

RSA Link Security Advisories:
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, including without limitation, its ultimate parent company, Dell Technologies, distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products, important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.

EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJX4oHjAAoJEHbcu+fsE81Z9WAH/jOBOAxzzIMEUvstDIVvaPd4
X0GYqZGgzkqMdhNyFDo61ErlPttxCHPsl1Pn+ujIWsbMhRGybNdr4Ps0b0MacfFZ
1EI2qVkTco5+higbr2vZQDy224p8TvTPaMvhe6CsJBbUmFX9KxpFRcZK9fSELL4+
h5gnrAlu8RKLczV6vRP3+S4dL7fbtRLQmQ8atJlxYSd4MrpFAjWBLXkr1c5UDVYG
YLs2fndZX2H6qKc9jvZvLdmsK/n4wsZznXnEYJhgn6YEJzL6Qm9EJ14SlLdum29O
WIhilCDr/qUQNiePZWjeSV4wMSzt+sFZafBIRJU6ofn2OV6QFmuV07t7gZ2lQW4=
=qkda
-----END PGP SIGNATURE-----