Archer Community

  EMC Identifier: ESA-2014-163  CVE Identifier: See below for individual identifiers  Severity Rating: View details below for individual CVSSv2 scores   Affected Products: RSA Archer GRC Platform version 5.x   Summary:  RSA Archer GRC 5.5.1.1 Platform contains fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.   Details:  The vulnerabilities addressed in RSA Archer GRC Platform 5.x are:  1.     Persistent Cross-Site Scripting (CVE-2014-4633) A persistent cross-site scripting vulnerability could potentially be exploited to execute arbitrary HTML and script code in an RSA Archer users browser session in context of an affected RSA Archer application.  CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)   2.    Multiple Vulnerabilities in Oracle JRE 7   RSA Archer GRC embeds Oracle JRE 7 which has known vulnerabilities. See vendor advisory for CVE identifiers and CVSSv2 scores:  http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html#AppendixJAVA  The Oracle Java SE patches are cumulative; patches included in the Critical Patch Update will include all fixes from the previous Critical Patch Updates.   Recommendation:  RSA strongly recommends all customers upgrade to RSA Archer GRC Platform 5.5.1.1 at their earliest opportunity.   Severity Rating: For an explanation of Severity Ratings, refer to the Archer Vulnerability Disclosure Policy. Archer recommends all customers consider both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.  

EMC Identifier: ESA-2014-071   CVE Identifier: CVE-2014-2517, CVE-2014-2505, CVE-2014-0640, CVE-2014-0641   Severity Rating: CVSS v2 Base Score: See below for individual scores     Affected Products: RSA Archer GRC Platform version 5.x     Summary:   RSA Archer GRC Platform 5.5 SP1 contains fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.      Details:   The vulnerabilities addressed in RSA Archer GRC Platform 5.5 SP1 are:   1. Privilege Escalation Vulnerability (CVE-2014-2517) This vulnerability can be potentially exploited by malicious non-privileged users to perform unauthorized operations on certain functionality within the RSA Archer GRC Platform.  CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)   2. Unauthorized Access to Resources (CVE-2014-0640) This vulnerability can be potentially exploited by malicious users to gain unauthorized access to certain resources within the RSA Archer GRC Platform. CVSSv2 Base Score: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)    3. Cross-Site Request Forgery Vulnerability (CVE-2014-0641) This vulnerability can be potentially exploited by malicious users to perform unauthorized actions in a RSA Archer GRC Platform userÕs browser session by getting a user with an active session to click on specially crafted links that are embedded within an email, web page or other source.  CVSSv2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)   4. Inclusion of Functionality from Untrusted Control Sphere (CVE-2014-2505)  This vulnerability can be potentially exploited by malicious users to insert malicious functionality into the application by causing it to download code that the malicious user has placed into an untrusted control sphere. CVSSv2 Base Score: 5.4 (AV:A/AC:M/Au:N/C:P/I:P/A:P)   5. Multiple Embedded Component vulnerabilities (Multiple CVEs, see vendor advisory below) This release also contains critical security updates for Oracle Java Runtime Environment. Oracle Java Runtime Environment has been upgraded to version 7 update 55. Please refer to the following link for more information: http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html  CVSSv2 Base Score: See vendor advisory for the individual CVSS scores.      Recommendation: RSA strongly recommends all customers upgrade to RSA Archer GRC Platform 5.5 SP1 at their earliest opportunity.      Severity Rating: For an explanation of Severity Ratings, refer to the Archer Vulnerability Disclosure Policy. Archer recommends all customers consider both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.  

EMC Identifier: ESA-2013-079 CVE Identifier: CVE-2013-6178 Severity Rating: CVSS v2 Base Score:  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)   Affected Products: RSA Archer version 5.x   Summary:  RSA Archer GRC 5.4 P2 and 5.4 SP1 platform contains fixes for multiple cross-site scripting vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.   Details:  RSA Archer GRC 5.4 P2 and 5.4 SP1 platform contains fixes for multiple cross-site scripting vulnerabilities. These vulnerabilities can be exploited to execute arbitrary HTML and script code in an RSA Archer userÕs browser session in context of an affected RSA Archer application.   Recommendation:  RSA strongly recommends all customers upgrade to RSA Archer GRC 5.4 P2 or 5.4 SP1 at their earliest opportunity.   Severity Rating: For an explanation of Severity Ratings, refer to the Archer Vulnerability Disclosure Policy. Archer recommends all customers consider both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.

EMC Identifier: ESA-2013-057 CVE Identifier: CVE-2013-3276, CVE-2013-3277  Severity Rating: CVSS v2 Base Score: See below for individual scores   Affected Products: RSA Archer version 5.x   Unaffected Products:   Summary:  RSA Archer GRC 5.4 platform contains fixes for security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.   Details:  The vulnerabilities addressed in RSA Archer GRC 5.4 are: Improper restriction of user login (CVE-2013-3276) A flaw in platform does not prevent users from login who should have been deactivated. CVSSv2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P) Open redirect vulnerability (CVE-2013-3277) This vulnerability may allow malicious phishing attacks by redirecting users to arbitrary web sites.  CVSSv2 Base Score: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) Recommendation:   RSA strongly recommends all customers upgrade to RSA Archer GRC 5.4 at their earliest opportunity.  

EMC Identifier: ESA-2013-015 CVE Identifier: CVE-2013-0932, CVE-2013-0933, CVE-2013-0934 Severity Rating: CVSS v2 Base Score: See below for individual scores   Affected Products: RSA Archer version 5.x Archer Smart Suite Framework version 4.x   Unaffected Products: none   Summary:  RSA Archer GRC 5.3SP1 platform contains fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.   Details:  The vulnerabilities addressed in RSA Archer GRC5.3SP1 are: Arbitrary file upload vulnerability (CVE-2013-0932) This vulnerability may allow an authenticated user to bypass existing security controls and upload arbitrary files to the Archer platform including files with dangerous type. CVSSv2 Base Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C). Multiple cross-site scripting vulnerabilities (CVE-2013-0933) These vulnerabilities can be exploited to execute arbitrary HTML and script code in an RSA Archer users browser session in context of an affected RSA Archer application. CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) Improper authorization vulnerability (CVE-2013-0934) This vulnerability may allow an unauthorized Archer user to modify global reports. CVSSv2 Base Score: 4.9 (AV:N/AC:M/Au:S/C:N/I:P/A:P) Recommendation:   RSA strongly recommends all customers upgrade to RSA Archer GRC v5.3SP1 at their earliest opportunity.