[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 )



The only problem is that the upgrade is not free, so you either pay up or stay vulnerable.

> Date: Sat, 5 Jun 2010 08:38:55 -0600
> From: security_alert@xxxxxxx
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Re: RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 )
> 
> What is the issue?
> 
> This message is in response to the original message posted on June 3, 2010 addressing a SQL Injection vulnerability in the RSA Key Manager C Client version 1.5.  The original message referenced CVE-2010-1904.
> 
> A vulnerability has been identified in the RSA Key Manager (RKM) C client 1.5 that may expose the product to a SQL Injection attack. An attacker having access to encrypted data may be able to leverage this vulnerability in an attempt to alter the RKM C Client 1.5 cache.
> 
> Affected Products:
> RKM C Client versions 1.5.x.x, all platforms (Windows, Linux, Solaris, HP-UX, etc).
> 
> Unaffected Products:
> RKM C Client 2.0.x, all platforms
> RKM C Client 2.1.x, all platforms
> RKM C Client 2.2.x, all platforms
> RKM C Client 2.5.x, all platforms
> RKM C Client 2.7, all platforms
> All versions of RKM Java Client
> RKM PKCS#11 Module for LT0-4
> RKM PKCS#11 Module for Oracle TDE
> RKM Server, all versions and platforms
> RKM Appliance, all versions
> Customer using EMC PowerPath with RSA encryption
> Customer using Brocade Encryption Switches with RSA encryption
> 
> What is the impact?
> An attacker can attempt to modify the cache to insert an arbitrary encryption key that may lead to data unavailability (such as decryption failure of data encrypted by that modified key). 
> 
> There is no impact on confidentiality of the data as the attacker would need the cache encryption key in order to decrypt the data.
> 
> As of the date of this posting, RSA is not aware of any instances where this vulnerability may have been compromised nor are there signs of published exploit code.
> 
> Recommendations
> 
> RSA, The Security Division of EMC, recommends all customers upgrade to the latest version of RKM C Client and RKM Server/Appliance.
> 
> 
> 
> EMC Product Security Response Center
> Email: security_alert@xxxxxxx 
 		 	   		  
_________________________________________________________________
The New Busy is not the too busy. Combine all your e-mail accounts with Hotmail.
http://www.windowslive.com/campaign/thenewbusy?tile=multiaccount&ocid=PID28326::T:WLMTAGL:ON:WL:en-US:WM_HMP:042010_4