RE: RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904
The only problem is that the upgrade is not free, so you either pay up or stay vulnerable.

> Date: Sat, 5 Jun 2010 08:38:55 -0600
> From: security_alert@emc.com
> To: bugtraq@securityfocus.com
> Subject: Re: RSA Key Manager SQL injection Vulnerability ( CVE-2010-1904 )
>
> What is the issue?
>
> This message is in response to the original message posted on June 3, 2010 addressing a SQL Injection vulnerability in the RSA Key Manager C Client version 1.5. The original message referenced CVE-2010-1904.
>
> A vulnerability has been identified in the RSA Key Manager (RKM) C client 1.5 that may expose the product to a SQL Injection attack. An attacker having access to encrypted data may be able to leverage this vulnerability in an attempt to alter the RKM C Client 1.5 cache.
>
> Affected Products:
> RKM C Client versions 1.5.x.x, all platforms (Windows, Linux, Solaris, HP-UX, etc).
>
> Unaffected Products:
> RKM C Client 2.0.x, all platforms
> RKM C Client 2.1.x, all platforms
> RKM C Client 2.2.x, all platforms
> RKM C Client 2.5.x, all platforms
> RKM C Client 2.7, all platforms
> All versions of RKM Java Client
> RKM PKCS#11 Module for LT0-4
> RKM PKCS#11 Module for Oracle TDE
> RKM Server, all versions and platforms
> RKM Appliance, all versions
> Customers using EMC PowerPath with RSA encryption
> Customers using Brocade Encryption Switches with RSA encryption
>
> What is the impact?
> An attacker can attempt to modify the cache to insert an arbitrary encryption key that may lead to data unavailability (such as decryption failure of data encrypted by that modified key).
>
> There is no impact on confidentiality of the data as the attacker would need the cache encryption key in order to decrypt the data.
>
> As of the date of this posting, RSA is not aware of any instances where this vulnerability may have been compromised nor are there signs of published exploit code.
>
> Recommendations
>
> RSA, The Security Division of EMC, recommends all customers upgrade to the latest version of RKM C Client and RKM Server/Appliance.
>
> EMC Product Security Response Center
> Email: security_alert@emc.com