Environment
Advanced Authentication 6.3 SP4
AA 6.3.4
AAF Appliance
Situation
A vulnerability assessment run against AA 6.3.4 reports the appliance as vulnerable to CVE-2020-12321.
'SUSE Linux Enterprise Server 12-SP4-LTSS' is listed as an 'Affected' product in the SUSE documentation referenced under "Additional Information" below.
AAF 6.3.4 appliance uses SUSE 12 SP4.
Does this vulnerability affect Advanced Authentication?
Resolution
The Advanced Authentication appliance does not include all SLES RPMs. It includes just enough OS (JeOS) for what it needs to function. The RPM affected by the vulnerability is not installed on the AA appliance.
Even though the AA 6.3.4 appliance uses SLES 12 SP4 LTSS, it does not use the part of SLES affected by vulnerability CVE-2020-12321.
This is a false positive. We assume the scanner is identifying the OS and not the actual RPM that is vulnerable.
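
One way to confirm this at the package level, as an added example that is not part of the original article or any vendor tooling: compare the package names the SUSE advisory lists as affected against the installed RPM inventory. The package name `example-affected-pkg`, the sample inventory and the function names are constructed placeholders; substitute the package names from the advisory.

```shell
#!/bin/sh
# Added example: package-level triage of an OS-level scanner finding.
# "example-affected-pkg" and the sample inventory are constructed placeholders.

# list_installed [FILE]: print one installed package NAME per line, either from
# a saved inventory (output of: rpm -qa --qf '%{NAME}\n') or the live RPM database.
list_installed() {
    if [ -n "${1:-}" ]; then
        cat "$1"
    else
        rpm -qa --qf '%{NAME}\n'
    fi
}

# triage_finding INVENTORY AFFECTED_PKG...
# Prints each affected package that is installed.
# Returns 0 if at least one is present, 1 if none are, 2 if the inventory is unreadable.
triage_finding() {
    inventory=$1
    shift
    installed=$(list_installed "$inventory") || return 2
    hits=0
    for pkg in "$@"; do
        # -x whole line, -F fixed string: "lib" must not match "glibc"
        if printf '%s\n' "$installed" | grep -qxF -- "$pkg"; then
            echo "INSTALLED: $pkg"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# Demo on a constructed minimal inventory (not a real appliance package list).
sample=$(mktemp)
printf '%s\n' bash glibc libopenssl1_0_0 python3 systemd > "$sample"
if triage_finding "$sample" example-affected-pkg; then
    echo "finding confirmed: an affected package is installed"
else
    echo "package-level false positive: no affected package is installed"
fi
```

Passing an empty string as the inventory argument makes the function query the live RPM database instead of a saved file.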
Additional Information
CVE-2020-12321 has been resolved by SUSE.