CVE-2021-33615

7.5 HIGH

📋 TL;DR

CVE-2021-33615 is an unrestricted file upload vulnerability in RSA Archer 6.8: the platform does not adequately restrict the type of file a user can upload, so an attacker can place files of their choosing on the Archer server. Organizations running RSA Archer 6.8.00500.1003 P5 for GRC (governance, risk and compliance) management are affected. Because Archer is an ASP.NET application served by IIS, an uploaded server-side script that the attacker can subsequently reach over HTTP can lead to remote code execution and full compromise of the server.

💻 Affected Systems

Products:
  • RSA Archer
Versions: 6.8.00500.1003 P5
Operating Systems: Windows Server (Archer is an IIS/ASP.NET application backed by Microsoft SQL Server)
Default Config Vulnerable: ⚠️ Yes
Notes: Affects RSA Archer GRC platform installations with the vulnerable version.

📦 What is this software?

RSA Archer (now sold as Archer) is a governance, risk and compliance platform: a web application built on ASP.NET, hosted in IIS on Windows Server with a Microsoft SQL Server back end. Organizations use it to hold risk registers, control evidence, audit findings and policy documents. Attaching evidence files to records is a core workflow, which is why a flaw in upload handling matters.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution on the Archer host leading to complete system compromise, exfiltration of the GRC data it holds, and lateral movement into the rest of the network.

🟠 Likely Case: File upload leading to web shell deployment, followed by data manipulation or denial of service.

🟢 If Mitigated: Limited impact when uploads are restricted to an allowlist of types, script execution is disabled wherever attachments are stored, and the server is otherwise hardened.

🌐 Internet-Facing: HIGH - If Archer is exposed to the internet, attackers can directly exploit this vulnerability.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this for lateral movement.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires an authenticated Archer session but is otherwise straightforward; phished, reused or default credentials are a common route to such a session, so the authentication requirement should not be treated as a strong barrier.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.8.00500.1003 P6 and later

Vendor Advisory: https://community.rsa.com/t5/archer-product-advisories/tkb-p/archer-product-advisories

Restart Required: Yes

Instructions:

1. Download the latest 6.8 patch (P6 or later) from the RSA support portal.
2. Back up the Archer configuration and database.
3. Apply the patch following RSA's installation guide.
4. Restart the Archer services.
5. Verify the installed version under Administration → System Configuration → About.

🔧 Temporary Workarounds

File Upload Restriction (all platforms): Enforce strict file type validation and upload restrictions in front of the application, for example an allowlist of attachment types enforced at a reverse proxy or WAF, since the product's own upload check is what is flawed.

Network Segmentation (all platforms): Restrict network access to Archer instances to only the users and systems that need it.

🧯 If You Can't Patch

  • Enforce strict upload validation with an allowlist of permitted file types; reject anything carrying a server-side script extension (.asp, .aspx, .ashx, .asmx, .config) anywhere in the name, not only as the final extension
  • Deploy WAF rules to block or flag multipart uploads carrying those extensions and monitor for exploitation attempts
  • If attachments are written to a directory under the IIS site, remove the script handler mappings for that directory so an uploaded script cannot execute even when validation is bypassed
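The following is an added example for this page, not Archer's code or a vendor-supplied control. It shows the allowlist gate a reverse proxy, WAF plug-in or custom upload handler would apply as a stopgap for an unrestricted-upload flaw on an IIS/.NET host: path and character checks, a block list applied to every dotted segment so double extensions are refused, an allowlist on the final extension, and a magic-byte check so a web shell renamed to .pdf is still caught. The permitted types, file names and byte strings are constructed for illustration.

```python
"""Allowlist-based upload gate (added example; not Archer code)."""
import os
import re
import unicodedata

# Types a GRC user plausibly attaches as evidence (assumed; tune to your
# environment), mapped to the magic bytes the content must start with.
ALLOWED_TYPES = {
    "pdf":  (b"%PDF-",),
    "png":  (b"\x89PNG\r\n\x1a\n",),
    "jpg":  (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "docx": (b"PK\x03\x04",),   # OOXML documents are zip containers
    "xlsx": (b"PK\x03\x04",),
    "txt":  (),                 # no signature; content is checked separately
}

# Tokens that must not appear in ANY dotted segment of the name, so that
# "report.pdf.aspx" and "report.aspx.pdf" are both refused on an IIS host.
BLOCKED_TOKENS = {
    "asp", "aspx", "ashx", "asmx", "asax", "cshtml", "config", "dll", "exe",
    "ps1", "bat", "cmd", "php", "jsp", "svg", "html", "htm", "hta",
}

# Letters, digits, dot, underscore, hyphen only; no leading dot, no ';',
# no spaces, no control characters, at most 100 characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


class UploadRejected(ValueError):
    """Raised with a short reason when an upload fails a check."""


def validate_upload(filename: str, content: bytes) -> str:
    """Return the sanitized file name or raise UploadRejected.

    Order of checks: path separators and traversal, character set, every
    dotted segment against BLOCKED_TOKENS (double extensions), final
    extension against the allowlist, then content magic against the declared
    type so a web shell renamed to .pdf is still caught.
    """
    name = unicodedata.normalize("NFKC", filename)
    base = os.path.basename(name.replace("\\", "/"))
    if base != name or base in ("", ".", ".."):
        raise UploadRejected("path component in file name")
    if not SAFE_NAME.match(base):
        raise UploadRejected("disallowed characters in file name")
    parts = base.lower().split(".")
    if len(parts) < 2:
        raise UploadRejected("missing extension")
    if any(p in BLOCKED_TOKENS for p in parts[1:]):
        raise UploadRejected("executable or double extension")
    ext = parts[-1]
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f".{ext} is not an allowed type")
    magics = ALLOWED_TYPES[ext]
    if magics and not content.startswith(magics):
        raise UploadRejected("content does not match declared type")
    if ext == "txt":
        try:
            content.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text upload is not UTF-8") from None
        if b"<%" in content or b"<script" in content.lower():
            raise UploadRejected("script markup in text upload")
    return base


def upload_is_acceptable(filename: str, content: bytes) -> bool:
    """Boolean convenience wrapper around validate_upload."""
    try:
        validate_upload(filename, content)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    # Constructed samples: one legitimate evidence file, then typical evasions.
    samples = [
        ("evidence.pdf", b"%PDF-1.7\n%..."),
        ("shell.aspx", b'<%@ Page Language="C#" %>'),
        ("report.pdf.aspx", b"%PDF-1.7"),
        ("shell.aspx;.pdf", b"%PDF-1.7"),
        ("..\\..\\web.config", b"<configuration/>"),
        ("cmd.pdf", b'<%@ Page Language="C#" %>'),
    ]
    for fname, data in samples:
        try:
            print(f"ACCEPT {validate_upload(fname, data)}")
        except UploadRejected as exc:
            print(f"REJECT {fname!r}: {exc}")
```

The block list is deliberately applied to every segment after the first, not just the last: IIS and downstream tooling have historically treated names such as `shell.aspx;.pdf` or `report.pdf.aspx` inconsistently, and refusing the token anywhere removes that ambiguity. Magic-byte checks do not prove a file is safe, only that it is not obviously lying about its type; keep the handler mapping removal from the list above in place regardless.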

🔍 How to Verify

Check if Vulnerable:

Check the Archer version under Administration → System Configuration → About. If the version shown is 6.8.00500.1003 P5, the system is vulnerable.

Check Version:

Check via Archer web interface: Administration → System Configuration → About

Verify Fix Applied:

Verify that the version shown is 6.8.00500.1003 P6 or later. In a test instance, attempt to attach a file with a server-side script extension (for example .aspx) and confirm it is rejected; then confirm that legitimate attachment types still upload.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads to the Archer server (volume, timing, or source accounts that do not normally attach evidence)
  • Files with executable extensions (.asp, .aspx, .ashx, .asmx, .exe, .dll) in attachment directories
  • Requests for script resources under paths that should only hold attachments, especially with no authenticated cs-username in the IIS log
  • Failed authentication attempts followed by successful uploads from the same client

Network Indicators:

  • HTTP POST requests with multipart file uploads to Archer endpoints, particularly from scripted user agents or from clients with no prior login activity
  • Unusual outbound connections from the Archer server (reverse shells, download of second-stage tooling)

SIEM Query:

source="archer_logs" AND event="file_upload" AND file_extension IN ("asp", "aspx", "ashx", "asmx", "config", "php", "jsp", "exe", "dll")

The field names above are illustrative and depend on your log schema. Note that the IIS W3C access log does not record the file name inside a multipart body, so this query needs the application's own audit log or a WAF log that captures the upload file name; the access log alone only shows the POST and any later requests to the uploaded resource.
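Because the access log lacks the uploaded file name, the practical hunt is over what IIS does record: requests for server-side scripts under paths that should only serve attachments, and such requests arriving shortly after a POST to the upload endpoint from the same client. The code below is an added example for this page, not Archer code or a vendor signature. The log excerpt is constructed, the field list is the IIS default W3C set, and the Archer URI paths (the upload stem and the prefixes under which .aspx pages legitimately live) are assumptions to be replaced with those of your install.

```python
"""Hunting for an uploaded web shell in IIS W3C logs (added example)."""
from datetime import datetime, timedelta

SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".cshtml", ".config", ".php", ".jsp")
UPLOAD_HINT = "upload"          # assumption: substring of the upload URI stem
# Prefixes under which Archer legitimately serves .aspx (assumed layout).
APP_PREFIXES = ("/rsaarcher/default.aspx", "/rsaarcher/apps/", "/rsaarcher/foundation/")

# Constructed IIS log excerpt: alice uploads and views a PDF; 198.51.100.7
# uploads, then drives cmd.aspx from the attachment path without logging in.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2021-06-14 10:01:02 10.0.0.5 GET /RSAarcher/Default.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200 120
2021-06-14 10:01:30 10.0.0.5 POST /RSAarcher/Foundation/Upload.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200 340
2021-06-14 10:01:45 10.0.0.5 GET /RSAarcher/Attachments/evidence.pdf - 443 CORP\\alice 10.0.1.20 Mozilla/5.0 200 40
2021-06-14 10:05:10 10.0.0.5 POST /RSAarcher/Foundation/Upload.aspx - 443 CORP\\bob 198.51.100.7 python-requests/2.25 200 300
2021-06-14 10:05:13 10.0.0.5 GET /RSAarcher/Attachments/cmd.aspx c=whoami 443 - 198.51.100.7 python-requests/2.25 200 85
2021-06-14 10:05:20 10.0.0.5 GET /RSAarcher/Attachments/cmd.aspx c=dir 443 - 198.51.100.7 python-requests/2.25 200 90
"""


def parse_w3c(text: str):
    """Yield one dict per W3C extended log record, keyed by the #Fields names.

    IIS writes spaces inside values as '+', so splitting on a single space
    is safe; lines whose column count does not match the header are skipped.
    """
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split(" ")
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def hunt_web_shells(records, window=timedelta(minutes=10)):
    """Return alerts for script requests outside the app paths, noting a
    recent upload POST from the same client IP when one exists."""
    last_upload = {}        # c-ip -> time of most recent POST to the upload URI
    alerts = []
    for r in records:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        stem = r["cs-uri-stem"].lower()
        ip = r["c-ip"]
        if r["cs-method"] == "POST" and UPLOAD_HINT in stem:
            last_upload[ip] = ts
            continue
        if stem.endswith(SCRIPT_EXT) and not stem.startswith(APP_PREFIXES):
            reason = "script extension outside application paths"
            prior = last_upload.get(ip)
            if prior is not None and ts - prior <= window:
                gap = int((ts - prior).total_seconds())
                reason += f"; upload POST from same client {gap}s earlier"
            alerts.append({"time": ts, "c-ip": ip, "user": r["cs-username"],
                           "uri": r["cs-uri-stem"], "query": r["cs-uri-query"],
                           "status": r["sc-status"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in hunt_web_shells(parse_w3c(SAMPLE_LOG)):
        print(f"{a['time']} {a['c-ip']} {a['uri']}?{a['query']} -> {a['status']}: {a['reason']}")
```

Run against a real log, the interesting output is the combination the sample shows: a 200 for a script under the attachment path, an empty cs-username (the shell needs no Archer session), and a query string carrying commands, all within seconds of an upload POST from the same address. Tune APP_PREFIXES carefully on first use; a prefix that is too narrow produces noise from legitimate Archer pages, one that is too broad hides the shell.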

🔗 References

  • Vendor advisory index: https://community.rsa.com/t5/archer-product-advisories/tkb-p/archer-product-advisories
