ESA-2016-001: RSA Security Analytics Security Update for Apache Commons Collections Vulnerability
Tags: RSA NetWitness Platform, Security Advisories
Advisory Type
Security
Advisory Content
EMC Identifier: ESA-2016-001
CVE Identifier: See CERT advisory
Severity Rating: 7.5 (CVSSv2 base score; vector AV:N/AC:L/Au:N/C:P/I:P/A:P)
Summary:
Apache Commons Collections, an embedded component within RSA Security Analytics, requires a security update to address an arbitrary code execution vulnerability.
Affected Products:
· RSA Security Analytics 10.3.x
· RSA Security Analytics 10.4.x
· RSA Security Analytics 10.5.x
Description:
The Apache Commons Collections (ACC) library contains classes that allow insecure Java deserialization of attacker-supplied data to be turned into arbitrary code execution: the library's functor classes can be chained into a serialized object graph that runs attacker-chosen code as it is read back. RSA Security Analytics does not itself use ACC's deserialization functionality; however, ACC is present on its classpath, and because the attack needs only a vulnerable ACC on the classpath plus some code path that deserializes untrusted input, this might make the product vulnerable to arbitrary code execution.
For more information about this vulnerability, see https://www.kb.cert.org/vuls/id/576313
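The practical question this description raises is whether a vulnerable copy of ACC sits anywhere in a deployment, including jars bundled inside web applications. The following Python script is an added example, not code from RSA or the Apache project: it walks a directory tree, recognises ACC by the InvokerTransformer class (the functor the public gadget chains pivot on), reads the version from the Maven pom.properties that the upstream jars carry, and reports every copy older than 3.2.2 (3.x line) or 4.1 (4.x line), the first releases that refuse to deserialize the unsafe functors by default. The class and metadata paths are taken from the upstream jar layout; the tree it scans is constructed in a temporary directory with placeholder class bytes, so it runs offline.

```python
import io
import os
import tempfile
import zipfile

# Gadget class the public ACC deserialization payloads pivot on (3.x and 4.x
# package names). Its presence shows ACC is on the classpath; only the
# version tells whether the unsafe functors can still be deserialized.
GADGET_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
POM_PROPERTIES = (  # Maven metadata shipped inside the upstream jars
    "META-INF/maven/commons-collections/commons-collections/pom.properties",
    "META-INF/maven/org.apache.commons/commons-collections4/pom.properties",
)
# First release per major line that refuses the unsafe functors by default.
FIXED_FROM = {3: (3, 2, 2), 4: (4, 1, 0)}
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")

def parse_version(text):
    """'3.2.1' -> (3, 2, 1); '4.0' -> (4, 0, 0); None for non-numeric text."""
    parts = text.strip().split(".")[:3]
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (3 - len(parts))

def jar_version(zf):
    """Version from the jar's Maven pom.properties, or None if it has none."""
    names = zf.namelist()
    for member in POM_PROPERTIES:
        if member in names:
            for line in zf.read(member).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    return parse_version(line.split("=", 1)[1])
    return None

def is_vulnerable(version):
    """Predates the fix for its major line; unknown versions are flagged for review."""
    if version is None:
        return True
    fixed = FIXED_FROM.get(version[0])
    return fixed is not None and version < fixed

def inspect_archive(zf, path):
    """Yield (path, version, vulnerable) per ACC copy, recursing into nested jars."""
    names = set(zf.namelist())
    if any(cls in names for cls in GADGET_CLASSES):
        version = jar_version(zf)
        yield (path, version, is_vulnerable(version))
    for member in sorted(names):
        if member.endswith(ARCHIVE_SUFFIXES):
            data = io.BytesIO(zf.read(member))
            if zipfile.is_zipfile(data):
                data.seek(0)
                with zipfile.ZipFile(data) as inner:
                    yield from inspect_archive(inner, path + "!/" + member)

def scan(root):
    """Walk a directory tree and return findings sorted by path."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if fname.endswith(ARCHIVE_SUFFIXES) and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    findings.extend(inspect_archive(zf, full))
    return sorted(findings, key=lambda f: f[0])

def write_archive(target, members):
    """Helper for the constructed sample; target is a file path or a BytesIO."""
    with zipfile.ZipFile(target, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return target

def build_sample_tree(root):
    """Constructed sample: stand-in archives with placeholder class bytes, not real Apache artifacts."""
    stub = b"\xca\xfe\xba\xbe"  # placeholder for a .class file
    lib = os.path.join(root, "lib")
    os.makedirs(lib, exist_ok=True)
    write_archive(os.path.join(lib, "commons-collections-3.2.1.jar"),
                  {GADGET_CLASSES[0]: stub, POM_PROPERTIES[0]: "version=3.2.1\n"})
    write_archive(os.path.join(lib, "commons-collections-3.2.2.jar"),
                  {GADGET_CLASSES[0]: stub, POM_PROPERTIES[0]: "version=3.2.2\n"})
    write_archive(os.path.join(lib, "commons-collections4-4.0.jar"),
                  {GADGET_CLASSES[1]: stub, POM_PROPERTIES[1]: "version=4.0\n"})
    write_archive(os.path.join(lib, "other.jar"), {"com/example/App.class": stub})  # must not be reported
    # A web application bundling an old 3.1 copy under WEB-INF/lib.
    inner = write_archive(io.BytesIO(), {GADGET_CLASSES[0]: stub, POM_PROPERTIES[0]: "version=3.1\n"})
    write_archive(os.path.join(root, "app.war"),
                  {"WEB-INF/lib/commons-collections-3.1.jar": inner.getvalue()})
    return root

def scan_sample():
    """Scan the constructed tree in a temp dir; paths come back relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        return [(os.path.relpath(p, tmp).replace(os.sep, "/"), v, vuln)
                for p, v, vuln in scan(build_sample_tree(tmp))]

if __name__ == "__main__":
    for path, version, vulnerable in scan_sample():
        print("VULNERABLE" if vulnerable else "fixed", path, version)
```

Point scan() at an installation directory to inventory it. Two caveats apply: the script inspects packaged jars on disk, not what a running JVM has actually loaded, and a copy without Maven metadata (for example a repackaged or shaded jar) is reported as vulnerable so that it gets checked by hand. Upgrading ACC removes this particular gadget chain; it does not make deserializing untrusted input safe in general.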
Recommendation:
The following RSA Security Analytics releases contain a fix for this vulnerability:
· RSA Security Analytics version 10.4.1.4
· RSA Security Analytics version 10.3.5 ESA Hot Fix
RSA recommends that all customers upgrade at the earliest opportunity. For the SA 10.3.5 ESA Hot Fix, please contact Customer Support.
This security advisory will be updated as soon as a fix is available for RSA Security Analytics 10.5.x.
EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major versions. Please refer to the link below for additional details.
Product Version Life Cycle