Poodle Bite Sandworm .Net MS14-057 OpenSSL Vulnerabilities and Impact in RSA products
2 years ago
Originally Published: 2014-10-15
Article Number
000048342
Applies To
Microsoft .Net
Sandworm
CVE-2014-6271
Poodle Bite
OpenSSL
SSL v3
SSL v3 CBC
Issue
Poodle Bite Vulnerability in RSA products
.Net Vulnerability in RSA products
Sandworm Vulnerability in RSA products
OpenSSL Vulnerability in RSA products
Cause

EMC CONFIDENTIAL SUBJECT TO NON-DISCLOSURE AGREEMENT/CONFIDENTIALITY PROVISIONS IN LICENSE AGREEMENT

Issue: SSL v3 CBC Poodle Bite (CVE-2014-3566), Windows Sandworm (CVE-2014-4114), Microsoft .Net (MS14-057) & multiple OpenSSL Vulnerabilities (OpenSSL)

 

References:

 

Resolution

Resolution: RSA is aware of these issues and is working with product organizations to investigate them and identify any impact. The impact of these vulnerabilities on RSA products may vary depending on the affected product.

Sandworm information:
RSA enVision is impacted by Sandworm, and remediation is currently being investigated.
 
Microsoft .Net (MS14-057) information:
Customers using Archer Platform are urged to update the .Net framework with the latest available security updates from Microsoft.
 

This table will be updated as additional information becomes available.

| RSA Product Name | Versions | Poodle Bite Impact | OpenSSL Impact | Additional Information |
|---|---|---|---|---|
| 3D Secure | ALL Supported | Remediated | N/A | |
| Access Manager | ALL Supported | Not Impacted | Not Impacted | |
| Adaptive Authentication Hosted | ALL Supported | Remediated | | SSLv3 Disabled on 11/16 |
| Adaptive Authentication On Prem | ALL Supported | Not Impacted | | |
| Archer Hosted | N/A | Remediated | N/A | Does not use OpenSSL |
| Archer Platform | ALL Supported | Not Impacted | N/A | Does not use OpenSSL |
| Archer SecOps | ALL Supported | Investigating | | |
| Archer Vulnerability & Risk Manager (VRM) | ALL Supported | Investigating | | |
| Authentication Manager Software Platform | 6.1 | Not Impacted | Not Impacted | |
| Authentication Manager Software Platform | 7.1 | Impacted - Remediation under investigation | Not Impacted | |
| Authentication Manager Appliance | 3.0 | Impacted - Remediation under investigation | Not Impacted | |
| Authentication Manager Appliance | 8.0, 8.1, 8.2 | Not Impacted | Not Impacted | Includes Web Tier |
| Authentication Manager Express | 1.0 | Impacted - Remediation under investigation | Not Impacted | |
| BSAFE | ALL Supported | Not Impacted | Not Impacted | |
| Data Loss Protection | ALL Supported | Not Impacted | Not Impacted | |
| Data Protection Manager | ALL Supported | Not Impacted | Not Impacted | |
| Digital Certificate Server | ALL Supported | Not Impacted | Not Impacted | |
| ECAT | ALL Supported | Remediated | Not Impacted | See Solution ID 28901 |
| enVision | ALL Supported | Impacted - Remediation planned for future release | Not Impacted | |
| Federated Identity Manager | ALL Supported | Not Impacted | | |
| FraudAction | ALL Supported | Not Impacted | | |
| IMG (Aveksa) Hosted | ALL Supported | Not Impacted | Not Impacted | |
| IMG (Aveksa) On-Prem Platform | ALL Supported | Not Impacted | Not Impacted | |
| IMG (Aveksa) Appliance | ALL Supported | Remediated | | See solution ID 29019 |
| IMG (Aveksa) StealthAudit | ALL Supported | Investigating | | |
| Netwitness | 9.7.x, 9.8.x | Remediated | | Resolved with Q3 Security Update; EL5 platform must upgrade to EL6 |
| Netwitness Informer | 1.x | Impacted - Remediation under investigation | | |
| RSA Live Infrastructure | ALL Supported | Remediated | | |
| SecurID 700 Hardware Token | ALL Supported | N/A | N/A | |
| SecurID 800 Hardware Token | ALL Supported | N/A | N/A | |
| SecurID Agent for PAM | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Agent for UNIX | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Agent for Web | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Agent for Windows | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Authentication Engine | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Authentication SDK | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Software Token Converter | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Software Token for Android | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Software Token for Blackberry | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Software Token for Desktop | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Software Token for iPhone | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Software Token for Windows Mobile | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Software Token Toolbar | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Software Token Web SDK | ALL Supported | Not Impacted | Not Impacted | |
| SecurID Transaction Signing SDK | ALL Supported | Not Impacted | Not Impacted | |
| Security Analytics Platform, Physical and Virtual Appliances | 10.0.x-10.4.x | Remediated | | Resolved with Q3 Security Update |
| Security Analytics Malware Analytics | 10.0.x-10.4.x | Remediated | | Resolved with Q3 Security Update |
| Security Analytics Malware Cloud | N/A | Remediated | Not Impacted | |
| Security Analytics (Windows Legacy Collector) | 10.0.x-10.4.x | Investigating | | |
| Security Analytics Warehouse (DCA Pivotal) | | Remediated | | Pivotal patch available |
| Security Analytics Warehouse (MapR) | | Investigating | | |
| Spectrum | 1.x | Impacted - Remediation under investigation | | |
| Web Threat Detection (Silvertail) | ALL Supported | Remediated | | |

Workaround