RSA Identifier: RSA-2025-10

CVE Identifier: CVE-2022-22950, CVE-2025-27533

Severity: Medium (CVE-2022-22950), HIGH (CVE-2025-27533)

Severity Rating:

• CVSS:3.0 - 6.5 /AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (CVE-2022-22950)
• CVSS:3.1 – 7.5/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (CVE-2025-27533)

Affected Products: RSA Governance & Lifecycle 8.0.0 P03 and later

Summary

1.  CVE-2022-22950 - This Vulnerability has been identified in the Spring Framework (spring-beans-4.x) used by the AFX module via its dependency on Apache ActiveMQ

Details

The issue affects Spring 4.x and may allow an authenticated user with access to AFX to submit specially crafted Spring Expression Language (SpEL) expressions that could result in a denial-of-service (DoS) condition.

There is no risk of data loss or unauthorized access associated with this vulnerability.

Impact

• • Successful exploitation requires authenticated access to AFX.
  • An attacker could cause temporary service disruption by consuming excessive resources.
  • Overall impact in the application is LOW.

2.  CVE-2025-27533 – This Vulnerability has been identified in the ActiveMQ used by the AFX module.

Details

The issue involves memory allocation with excessive size values, potentially leading to Denial of Service (DoS) or Out-of-Memory (OOM) conditions under specific load scenarios.

Impact

• • Due to multiple built-in controls within the application, including memory and message flow constraints, the overall impact remains LOW.
  • Memory usage is capped per queue/topic, with flow control to prevent overproduction.
  • Global and pending message limits protect against broker exhaustion, and frame size restrictions further reduce risk.
  • JMX access is restricted to local JVM scope only.

Mitigation

Until full remediation is available:

• Restrict access to AFX to prevent unauthorized users from exploiting this vulnerability.
• Ensure that only trusted internal actors can invoke AFX components.

Resolution

Remediation for both vulnerabilities requires upgrading Apache ActiveMQ to higher version (5.17.6 or later). This needs JDK version to be 11 or higher.

RSA is planning the following actions:

• Upgrade the Java runtime environment for AFX to version 11+.
• Post migration, Adopt ActiveMQ 5.17.6 or later which fixes both the CVEs.

These changes are under review and will be delivered in a future release.

Severity Rating

For an explanation of Severity Ratings, refer to the Security Advisories Severity Rating knowledge base article. RSA recommends all customers consider both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a security vulnerability.

Legal Information

Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact RSA Technical Support. RSA Security LLC and its affiliates, including without limitation, distribute RSA Security Advisories in order to bring to the attention of users of the affected RSA products important security information. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title, and non-infringement. In no event shall RSA, its affiliates, or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if RSA, its affiliates, or its suppliers have been advised of the possibility of such damages. Some jurisdictions do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.