A vulnerability in RSA Authentication Manager could allow an authenticated, remote attacker to conduct a SQL injection attack on a targeted system.
The vulnerability is due to insufficient validation of user-supplied input by the affected software. An attacker could exploit this vulnerability by submitting crafted parameter values to a targeted system. A successful exploit could allow the attacker to execute SQL commands on the database associated with the affected software, which could lead to additional attacks.
RSA has confirmed the vulnerability and released software updates.
CVE Number – CVE-2017-15546
To exploit this vulnerability, the attacker must authenticate to the affected software and may need access to trusted or internal networks. These access requirements could reduce the likelihood of a successful exploit.
Administrators are advised to apply the appropriate updates.
Administrators are advised to allow only trusted users to have network access.
Administrators are advised to monitor affected systems.
For additional information about SQL injection attacks and defenses, see Understanding SQL Injection.
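The advisory does not publish the affected code, so the following is an added, self-contained Python example (not RSA's code and not derived from the product) that shows the general defect class the advisory names, insufficient validation of user-supplied input before it reaches SQL, beside the two standard defenses: binding values with query placeholders and allow-list validation of the input. The table, rows and input values are constructed for the demonstration; `sqlite3` stands in for whatever database the affected product uses.

```python
import re
import sqlite3


def build_db():
    # Constructed sample data for the demonstration; not product data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # Defect: the caller-supplied value is spliced into the statement text,
    # so the database cannot distinguish data from SQL syntax.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Fix: the value is bound to a placeholder and sent separately from the
    # statement; whatever it contains is treated as a literal, never as SQL.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def allowlist_validate(name):
    # Defence in depth: reject anything outside the expected character set
    # before it reaches the database layer at all (hypothetical policy).
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", name) is not None


def demo():
    conn = build_db()
    benign = "bob"
    # Constructed value whose quote characters alter the WHERE clause when
    # concatenated, turning a single-user lookup into a full-table read.
    crafted = "x' OR '1'='1"
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "parameterized_crafted": lookup_parameterized(conn, crafted),
        "validated_benign": allowlist_validate(benign),
        "validated_crafted": allowlist_validate(crafted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the contrast the advisory's wording implies: the concatenating lookup returns every row for the crafted value, while the parameterized lookup returns nothing, because the bound value simply matches no user name. The allow-list check is a second, independent layer; it is not a substitute for parameterization, since a value that passes a syntactic check can still be mishandled by string-built SQL elsewhere.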
RSA has released a security advisory at the following link: ESA-2018-002
RSA has released software updates for registered users at the following link: RSA Authentication Manager 8.2 SP1 Patch 7
The security vulnerability applies to the following combinations of products.
RSA Authentication Manager – 8.2 (SP1, SP1 P4, SP1 P6)