[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <AANLkTimhJu6sD1dnCz8X875kkueJQ8ERi_vTEeCWKRmZ@mail.gmail.com>
Date: Tue, 8 Jun 2010 16:13:22 -0400
From: Kyle Quest <kcq.lists@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: RSA Key Manager SQL injection Vulnerability (
CVE-2010-1904 )
The only problem is that the upgrade is not free, so you either pay up
or stay vulnerable. Great approach from a "great" security power house
:-) Imagine Microsoft saying, "this is not a problem in Windows 7, so
we recommend you pay up to upgrade to the latest version of Windows
and you should be all set" :-)
On Sat, Jun 5, 2010 at 9:08 AM, <Security_Alert@....com> wrote:
> What is the issue?
>
> This message is in response to the original message posted on June 3,
> 2010 addressing a SQL Injection vulnerability in the RSA Key Manager C
> Client version 1.5. The original message referenced CVE-2010-1904.
>
> A vulnerability has been identified in the RSA Key Manager (RKM) C
> client 1.5 that may expose the product to a SQL Injection attack. An
> attacker having access to encrypted data may be able to leverage this
> vulnerability in an attempt to alter the RKM C Client 1.5 cache.
>
> Affected Products:
> RKM C Client versions 1.5.x.x, all platforms (Windows, Linux, Solaris,
> HP-UX, etc).
>
> Unaffected Products:
> RKM C Client 2.0.x, all platforms
> RKM C Client 2.1.x, all platforms
> RKM C Client 2.2.x, all platforms
> RKM C Client 2.5.x, all platforms
> RKM C Client 2.7, all platforms
> All versions of RKM Java Client
> RKM PKCS#11 Module for LT0-4
> RKM PKCS#11 Module for Oracle TDE
> RKM Server, all versions and platforms
> RKM Appliance, all versions
> Customer using EMC PowerPath with RSA encryption
> Customer using Brocade Encryption Switches with RSA encryption
>
> What is the impact?
> An attacker can attempt to modify the cache to insert an arbitrary
> encryption key that may lead to data unavailability (such as decryption
> failure of data encrypted by that modified key).
>
> There is no impact on confidentiality of the data as the attacker would
> need the cache encryption key in order to decrypt the data.
>
> As of the date of this posting, RSA is not aware of any instances where
> this vulnerability may have been compromised nor are there signs of
> published exploit code.
>
> Recommendations
>
> RSA, The Security Division of EMC, recommends all customers upgrade to
> the latest version of RKM C Client and RKM Server/Appliance.
>
>
>
> EMC Product Security Response Center
> Email: security_alert@....com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists