Question: Are the Centrify products affected by the following CVEs, which are associated with the Linux backdoor named SpeakUp?
• CVE-2012-0874: JBoss Enterprise Application Platform Multiple Security Bypass Vulnerabilities
• CVE-2010-1871: JBoss Seam Framework remote code execution
• JBoss AS 3/4/5/6: Remote Command Execution
• CVE-2017-10271: Oracle WebLogic wls-wsat Component Deserialization RCE
• CVE-2018-2894: Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware.
• Hadoop YARN ResourceManager - Command Execution
• CVE-2016-3088: Apache ActiveMQ Fileserver File Upload Remote Code Execution Vulnerability.
External link to CVE documentation:
https://www.zdnet.com/article/security-researchers-discover-new-linux-backdoor-named-speakup/

Answer: Centrify Infrastructure Services (previously known as Centrify Server Suite) is not affected by these CVEs as they are all for web applications.
The Centrify Privileged Access Service (PAS) is based on Internet Information Services (IIS), so it is also not affected by these CVEs.