EMC Identifier: ESA-2013-002
CVE Identifier: CVE-2012-2293, CVE-2012-2292, CVE-2012-1064, CVE-2012-2294
Severity Rating: See below for scores for individual issues
Affected Products:
RSA Archer SmartSuite Framework version 4.x
RSA Archer GRC version 5.x
Summary:
RSA Archer GRC 5.3 and 5.2SP1 contain fixes for multiple security vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.
Details:
The vulnerabilities addressed in RSA Archer GRC 5.3 and RSA Archer GRC 5.2SP1 are:
- Path traversal vulnerability (CVE-2012-2293)
This vulnerability may allow malicious users to upload arbitrary files to a vulnerable RSA Archer system by supplying relative paths in the file name.
CVSSv2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
- Improper permissions in Silverlight cross-domain policy (CVE-2012-2292)
This vulnerability allows access to the RSA Archer application from any domain. This insecure permission may lead to cross-domain attacks.
CVSSv2 Base Score: 8.3 (AV:N/AC:M/Au:N/C:C/I:P/A:P)
- Multiple cross-site scripting vulnerabilities (CVE-2012-1064)
These vulnerabilities can be exploited to execute arbitrary HTML and script code in an RSA Archer user's browser session in the context of an affected RSA Archer application.
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- Clickjacking vulnerability (CVE-2012-2294)
A malicious user may exploit this vulnerability by constructing a specially crafted Web page disguised as legitimate content to conduct clickjacking attacks. The user's clicks in the malicious page may perform unwanted actions.
CVSSv2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
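The path traversal issue (CVE-2012-2293) is the general class of bug in which a client-supplied file name is joined to an upload directory without confirming the result stays inside it. The check below is an added example written for this advisory, not RSA Archer code; the upload root and the Windows-style separator handling (Archer runs on IIS) are assumptions, and the check expects a file name that the web framework has already URL-decoded.

```python
# Added example, not RSA Archer code: reject upload names that would land
# outside the upload root, which is the defect class behind CVE-2012-2293.
import posixpath

UPLOAD_ROOT = "/srv/archer/uploads"  # constructed sample root, not a real Archer path


def resolve_upload_path(root, client_name):
    """Return the absolute destination for a client-supplied file name, or
    None when the name would resolve outside root (a traversal attempt).
    Assumes client_name has already been URL-decoded by the framework."""
    # Treat backslashes as separators too: on a Windows/IIS host "..\\" is
    # equivalent to "../", so a forward-slash-only check is bypassable.
    name = client_name.replace("\\", "/")
    # Absolute paths and drive-letter prefixes are never acceptable from a client.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return None
    # Collapse "." and ".." lexically, then require the result to remain
    # strictly below the root (the root itself is not a valid file target).
    root_abs = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_abs, name))
    if candidate == root_abs or not candidate.startswith(root_abs + "/"):
        return None
    return candidate


def is_traversal_attempt(client_name):
    """Convenience predicate for logging/alerting: True when the name is rejected."""
    return resolve_upload_path(UPLOAD_ROOT, client_name) is None
```

Rejected names are worth logging as security events rather than silently dropped, since a stream of them from one account is a useful detection signal.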
Recommendation:
RSA strongly recommends all customers upgrade to RSA Archer GRC v5.3 or install 5.2SP1 at their earliest opportunity.
Credits:
RSA would like to thank Nello Coppeto at eMaze Network SpA (http://blog.emaze.net) for reporting issues under CVE-2012-1064.