8.3 - Authentication Manager - Apache Struts
Is there any specific information regarding the most recent service pack, with regard to where the vulnerabilities are? Does this affect the base Authentication Manager, or is it limited to the self-service console or web tier software?
Cannot seem to find any detail on the potential problems with 8.2.
Following up on this. We're on 8.2 sp 1 patch 6 and I was planning to upgrade to patch 8 this week. Now, we got 8.3. I am hesitant to jump to a whole new version if this vulnerability doesn't affect us.
My apologies for the delayed reply.
Please review DSA-2018-026 RSA® Authentication Manager Security Update for Vulnerabilities in Apache Struts, which states "RSA has released RSA Authentication Manager 8.3 that includes an update to resolve multiple security vulnerabilities in the embedded Apache Struts component."
- If your Authentication Manager systems are at 8.2 SP1 patch 6, you will not lose any fixes when you upgrade to 8.3.
- If you are running 8.2 SP1 patch 7 or 8, you will lose the software fixes in those versions when installing 8.3.
Authentication Manager 8.3 patch 1 will be released in a month or so and will contain the fixes in 8.2 SP1 patch 7 and patch 8.
Ok, the question I was trying to get answered is this. In the document you mentioned, under "affected products", it lists 8.2 Patch 8, which is the latest patch that was released about the same time as 8.3. I would prefer to wait for patch 1 of 8.3 to come out before going there. Will there be a patch for 8.2 that corrects the vulnerability, or will we "have to" go to 8.3?
That is all.
RSA Authentication Manager 8.2 SP1 Patch 8 and earlier are impacted by the vulnerability, and RSA Authentication Manager 8.3 and later contain a resolution for these issues, to address DSA-2018-026 (CVE-2016-1181, CVE-2016-1182), resolving multiple security vulnerabilities in the embedded Apache Struts component.
You may want to wait for AM 8.3 Patch 1 if you wanted everything from AM 8.2 SP1 P8. Whether you need everything or not is a separate question, but RSA recommends all customers upgrade to RSA Authentication Manager 8.3 at the earliest opportunity.