-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

EMC Identifier:  EMC-2017-064

CVE Identifier:  CVE-2017-5003, CVE-2017-5004

 

Severity Rating:  CVSS v3 Base Score: Please view details below for individual CVE scores.

 

Affected Products:  
RSA Identity Governance and Lifecycle versions 7.0.1, 7.0.2, all patch levels
RSA Via Lifecycle and Governance version 7.0, all patch levels
RSA Identity Management and Governance (RSA IMG) versions 6.9.1, all patch levels

 

Summary:  

RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG contain fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise an affected system.

 

Details:

 

Reflected Cross Site Scripting Vulnerabilities  (CVE-2017-5003)
The RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG products are affected by multiple reflected cross-site scripting vulnerabilities.  An unauthenticated remote attacker may potentially exploit these vulnerabilities to execute arbitrary HTML in the users browser session in the context of the affected system.

 

CVSSv3 Base Score:  8.2/High (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N)

 

Stored Cross Site Scripting Vulnerabilities  (CVE-2017-5004)
The RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG products are affected by multiple stored cross-site scripting vulnerabilities.  A low privileged remote attacker may potentially exploit these vulnerabilities to execute arbitrary HTML in the users browser session in the context of the affected system.


CVSSv3 Base Score:  7.6/High (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N)

 

Recommendation: 

The following RSA Identity Governance and Lifecycle, RSA Via Lifecycle and Governance and RSA IMG releases contain resolutions to these vulnerabilities:
RSA Identity Governance and Lifecycle 7.0.2:  7.0.2 P01 or later
RSA Identity Governance and Lifecycle 7.0.1:  7.0.1 P03 or later
RSA Via Lifecycle and Governance 7.0:  Requires upgrading to 7.0.1 P03 or later
RSA Identity Management and Governance 6.9.1:  6.9.1 P23 or later

 

RSA recommends all customers upgrade at the earliest opportunity.

 

Customers can obtain the documentation and software for these releases by downloading them from the Downloads area on RSA Identity Governance and Lifecycle space of RSA Link.

 

Credits: 
RSA would like to thank Lukasz Plonka for reporting this vulnerability.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZOY09AAoJEHbcu+fsE81ZgQgH/R09z8L9gNLFaXwEzKB0/93N
ECsRg9kCuiQcCD9GVH51K8k/b+QIN9nHKPNphRhGn9EVuQi/oMIxCN6ZydNA0AXc
vodwfjPtVKPivE9lSm2YmHXGIHwwW5Cl+ndqWzcy4j9Ep4VCZGAzbxKHct82VoSV
gaoODYePstbwto/g6SfigWGK73eb9AjzpK1HYj34sWYFN7N+Uy2pfBTAJz+9sQGq
N74UTErIIAz6+WICZ8eHHu9ap6qoznR7jJ5vX/Tnq59vxOPfYQGlyVmG4Gnp5g8M
vYmKA5Kpre/hlJUsGvNS7s0xmV+e51CzGzu8Q0XeLsLWhQtTY4Zd6ZORx5+qWbQ=
=wmOY
-----END PGP SIGNATURE-----