RSA-2024-08: RSA Governance and Lifecycle Critical Security Update for Unauthenticated JMX Agent and Older Version of Log4j 1.x
RSA-2024-08: RSA Governance and Lifecycle Critical Security Update for Unauthenticated JMX agent and older version of log4j 1.x
RSA Identifier: RSA-2024-08
CVE Identifier: See Advisory
Severity: Critical
Severity Rating: See NVD (http://nvd.nist.gov/home.cfm) for individual scores for each CVE
Affected products:
Summary:
RSA Governance and Lifecycle (G&L) requires security updates to address the following security vulnerability in the AFX module.
Recommendation:
The following RSA Governance and Lifecycle software release contains resolutions to these vulnerabilities:
RSA strongly recommends upgrading the application at the earliest to 8.0.0 P03 HF01 for remediation. Customers currently on SecurID Governance & Lifecycle 7.5.2 release, need to upgrade to 8.0.0 and then apply the P03 HF01 hotfix for remediation.
Severity Rating:
Severity Ratings refer to the Security Advisories Severity Rating knowledge base article. RSA recommends that all customers consider both the base score and any relevant temporal and environmental scores that may impact the potential severity of security vulnerability.
Legal Information:
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Technical Support . RSA Security LLC and its affiliates, including without limitation, distribute RSA Security Advisories to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates, or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates, or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
RSA Identifier: RSA-2024-08
CVE Identifier: See Advisory
Severity: Critical
Severity Rating: See NVD (http://nvd.nist.gov/home.cfm) for individual scores for each CVE
Affected products:
- RSA Governance and Lifecycle – 8.0.0 GA till 8.0.0 P03 patch
- SecurID Governance and Lifecycle – 7.5.2 (all patches)
Summary:
RSA Governance and Lifecycle (G&L) requires security updates to address the following security vulnerability in the AFX module.
- Java JMX insecure communication – A Java JMX agent running on the AFX server host is configured without SSL client and password authentication. An unauthenticated, remote attacker can connect to the JMX agent and monitor and manage the Java application that has enabled the agent.
- Log4j 1.x (CVE-2021-4104) – Older version of log4j 1.x was found in the application which required clean-up.
Recommendation:
The following RSA Governance and Lifecycle software release contains resolutions to these vulnerabilities:
- RSA Governance and Lifecycle 8.0.0 P03 HF01 (HotFix)
RSA strongly recommends upgrading the application at the earliest to 8.0.0 P03 HF01 for remediation. Customers currently on SecurID Governance & Lifecycle 7.5.2 release, need to upgrade to 8.0.0 and then apply the P03 HF01 hotfix for remediation.
Severity Rating:
Severity Ratings refer to the Security Advisories Severity Rating knowledge base article. RSA recommends that all customers consider both the base score and any relevant temporal and environmental scores that may impact the potential severity of security vulnerability.
Legal Information:
Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Technical Support . RSA Security LLC and its affiliates, including without limitation, distribute RSA Security Advisories to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA, its affiliates, or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA, its affiliates, or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
Related Articles
Old connector Log4j files not removed in RSA Governance & Lifecycle Number of Views FIM - Log4j memory leak Number of Views Enterprise Manager Log settings: EM.log - log4j.xml Number of Views The audit.log is not logging to the proper location defined in the log4j.xml Number of Views CVE-2021-41617 Security vulnerability for RSA Authentication Manager 8.6.x Number of Views
Trending Articles
RSA MFA Agent 2.3.6 for Microsoft Windows Installation and Administration Guide Downloading RSA Authentication Manager license files or RSA Software token seed records RSA Authentication Manager 8.9 Release Notes (January 2026) Download RSA SecurID Access Cloud User Event audit logs using Cloud Administration REST API CLU RSA MFA Agent 2.3.6 for Microsoft Windows Release Notes
Don't see what you're looking for?
