CVE-2019-18572
📋 TL;DR
CVE-2019-18572 is an insecure JMX agent configuration in RSA Identity Governance and Lifecycle and RSA Via Lifecycle and Governance. The Java JMX agent in affected releases accepts connections from unauthenticated remote attackers and handles passwords in plain text, so anyone who can reach the JMX port obtains the agent's monitoring and management capabilities over the product's JVM without authenticating. Organizations running affected RSA products prior to version 7.1.1 P03 are vulnerable.
💻 Affected Systems
- RSA Identity Governance and Lifecycle
- RSA Via Lifecycle and Governance
📦 What is this software?
Rsa Identity Governance And Lifecycle by Dell
View all CVEs affecting Rsa Identity Governance And Lifecycle →
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the RSA governance host's JVM: unauthenticated JMX access lets an attacker register MBeans that load classes from a server they control (the well-known MLet loader technique) and thereby execute arbitrary code, steal sensitive identity data, manipulate user permissions, and pivot to other systems in the network.
Likely Case
Unauthorized access to JMX management functions, enabling attackers to read application state and performance data, change configuration through writable MBean attributes, invoke MBean operations (including ones that deploy code), and potentially escalate privileges within the application.
If Mitigated
Limited impact with proper network segmentation and authentication controls, though the vulnerability still exposes management interfaces to potential abuse.
🎯 Exploit Status
Exploitation requires only a standard JMX client (JConsole, JMXTerm or similar) and the JMX port; no special exploit code is needed. Two practical caveats: the client must be able to reach both the JMX/RMI registry port and the RMI server port the registry hands back (ephemeral unless -Dcom.sun.management.jmxremote.rmi.port pins it), and the returned stub carries the server's configured hostname, so NAT or a wrong java.rmi.server.hostname can leave an otherwise exposed agent unreachable in practice.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 7.1.1 P03 or later
Vendor Advisory: https://community.rsa.com/docs/DOC-109310
Restart Required: Yes
Instructions:
1. Download patch 7.1.1 P03 or later from the RSA support portal.
2. Back up the current configuration and data.
3. Apply the patch following the RSA installation guide.
4. Restart all RSA services.
5. Verify that JMX authentication is properly configured.
🔧 Temporary Workarounds
Disable JMX Remote Access
Disable remote JMX connections entirely if the JVM does not need to be monitored over the network. The JDK's built-in agent only opens a network listener when a port is configured, so edit the Java startup parameters to remove:
-Dcom.sun.management.jmxremote.port=PORT
-Dcom.sun.management.jmxremote.authenticate=false
-Dcom.sun.management.jmxremote by itself only publishes the MBeans for local, same-user attach and can be dropped as well if unused. After restarting, confirm that nothing listens on the former JMX port.
Enable JMX Authentication with SSL
Configure JMX with proper authentication and SSL encryption so that a client must present credentials and those credentials no longer cross the network in plain text. Set Java parameters:
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.password.file=/path/to/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/path/to/jmxremote.access
Caveats: the password file must be readable only by the account running the JVM (chmod 600), otherwise the agent refuses to start; ssl=true needs a server keystore supplied via -Djavax.net.ssl.keyStore and -Djavax.net.ssl.keyStorePassword; grant monitoring accounts readonly in the access file and reserve readwrite for the few that need it; and pin the RMI server port with -Dcom.sun.management.jmxremote.rmi.port=PORT so that firewall rules can cover both ports.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate RSA systems from untrusted networks
- Configure firewall rules so that only designated monitoring hosts can reach the JMX port. The JDK has no fixed default: the port is whatever -Dcom.sun.management.jmxremote.port is set to (1099 and 9010 are common choices). JMX over RMI also opens a second server port, ephemeral unless -Dcom.sun.management.jmxremote.rmi.port pins it, so cover that one as well.
🔍 How to Verify
Check if Vulnerable:
Check whether remote JMX is enabled without authentication. List the Java process's startup parameters, for example ps -o args= -C java | tr ' ' '\n' | grep jmxremote, and look for -Dcom.sun.management.jmxremote.port=PORT combined with -Dcom.sun.management.jmxremote.authenticate=false (or ssl=false). Then confirm the listener is open with netstat -an | grep LISTEN | grep -E '(1099|9010)', substituting the configured port (ss -ltn is the modern equivalent).
Check Version:
Check RSA product version through admin console or product documentation
Verify Fix Applied:
Attempt to connect to the JMX port with JConsole or JMXTerm without credentials: the connection should be refused with a SecurityException reporting that authentication failed, rather than opening a session. Then confirm the product version is 7.1.1 P03 or later.
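To script the "Check if Vulnerable" step across many hosts, the following helper is an added example (not RSA code and not part of the advisory). It applies the JDK built-in agent's own rules to a Java command line: without jmxremote.port there is no remote listener; with it, authenticate and ssl default to true unless explicitly set to false, and the last -D value wins. The command lines below are constructed, and the live-host usage assumes procps (ps -C) and the JDK's com.sun.management agent rather than a JMX connector created in application code.

```shell
#!/bin/sh
# Added audit helper for the "Check if Vulnerable" step; not RSA's code.
# Rules mirrored from the JDK's built-in remote JMX agent:
#   - no jmxremote.port          -> no remote listener at all
#   - jmxremote.port set         -> remote listener; 'authenticate' and 'ssl'
#                                   default to true unless explicitly "false"
# Later -D options override earlier ones, so the last value wins.

# jmx_opt <cmdline> <option>: print the value of -Dcom.sun.management.jmxremote.<option>
jmx_opt() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | sed -n "s/^-Dcom\.sun\.management\.jmxremote\.$2=//p" | tail -n 1
}

# jmx_audit <cmdline>: prints NO_REMOTE_JMX, "OK port=N", or "VULNERABLE port=N <reasons>"
# Exit status 1 on VULNERABLE so it can drive a fleet-wide loop.
jmx_audit() {
    port=$(jmx_opt "$1" port)
    if [ -z "$port" ]; then
        echo "NO_REMOTE_JMX"
        return 0
    fi
    reasons=""
    [ "$(jmx_opt "$1" authenticate)" = "false" ] && reasons="$reasons authenticate=false"
    [ "$(jmx_opt "$1" ssl)" = "false" ] && reasons="$reasons ssl=false"
    if [ -n "$reasons" ]; then
        echo "VULNERABLE port=$port$reasons"
        return 1
    fi
    echo "OK port=$port"
}

# Constructed command lines for demonstration (hypothetical, not the product's real ones).
WEAK='java -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -jar app.jar'
HARDENED='java -Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.password.file=/opt/app/jmxremote.password -jar app.jar'

jmx_audit "$WEAK"
jmx_audit "$HARDENED"
# On a live host (procps assumed): jmx_audit "$(ps -o args= -C java | head -n 1)"
```

A clean OK result only says the JDK agent is configured with authentication; it does not prove the product version, so pair it with the version check above.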
📡 Detection & Monitoring
Log Indicators:
- Failed JMX authentication attempts
- Unauthorized JMX connections in Java application logs
- Unexpected JMX MBean operations
Network Indicators:
- Unencrypted JMX over RMI traffic to the JMX port (commonly 1099 or 9010): the client's first bytes are the RMI magic "JRMI", and without ssl=true the whole exchange, credentials included, is readable on the wire
- JMX connections from unexpected IP addresses
- JMX protocol anomalies
SIEM Query (Splunk-style; adjust source to the index that holds the application logs):
source="*java*" AND ("JMX" OR "com.sun.management.jmxremote") AND ("authentication failed" OR "unauthorized access")
Note that the JDK's built-in agent does not write failed JMX logins to the application log unless java.util.logging is raised for the javax.management.remote loggers, so the network indicators above are the more reliable signal.
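For the "JMX connections from unexpected IP addresses" indicator, here is an added detection example (not the page's tooling and not RSA's) that runs the check over connection records. The record format and the addresses are constructed for the example: 10.1.9.10 stands in for the RSA host and 10.1.5.20 for the only approved monitoring station; map your firewall, NetFlow or Zeek conn export onto the same four fields.

```shell
#!/bin/sh
# Added detection example for the "JMX connections from unexpected IP addresses"
# indicator; not part of the advisory or of RSA's tooling.
# Input format (constructed for this example): <epoch> <src_ip> <dst_ip> <dst_port>

# write_sample_log: writes constructed connection records to a temp file and prints its path.
# 10.1.9.10 is the hypothetical RSA host; 10.1.5.20 the only approved monitoring station.
write_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
1574330000 10.1.5.20 10.1.9.10 9010
1574330012 10.1.5.20 10.1.9.10 1099
1574330040 192.168.77.3 10.1.9.10 9010
1574330055 10.1.5.21 10.1.9.10 443
1574330070 172.16.4.9 10.1.9.10 1099
EOF
    echo "$f"
}

# jmx_unexpected <log> <jmx_ports> <allowed_sources>   (both lists comma-separated)
# Prints one line per connection to a JMX port whose source is not on the allowlist.
jmx_unexpected() {
    awk -v ports="$2" -v allowed="$3" '
        BEGIN {
            n = split(ports, p, ",");   for (i = 1; i <= n; i++) jmxport[p[i]] = 1
            n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        ($4 in jmxport) && !($2 in ok) { print $1, $2, "->", $3 ":" $4 }
    ' "$1"
}

# jmx_unexpected_count: same arguments, prints only the number of hits (for an alert threshold)
jmx_unexpected_count() {
    jmx_unexpected "$@" | awk 'END { print NR }'
}

LOG=$(write_sample_log)
jmx_unexpected "$LOG" 9010,1099 10.1.5.20
rm -f "$LOG"
```

Feed both the jmxremote.port and the pinned rmi.port into the port list; an RMI server port left ephemeral cannot be matched this way, which is one more reason to pin it.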