ZAM 7.5 SQL Infection Vulnerability

  • 7005128
  • 12-Jan-2010
  • 27-Apr-2012


Novell ZENworks 7.5 Asset Management - ZAM7.5


A vulnerability has been reported which allows remote attackers to execute arbitrary code on vulnerable installations of Novell ZAM7.5
A carefully crafted parameter can result in direct SQL access to the underlying SQL Server database which can be further leveraged by an attacker to potentially execute arbitrary code.


Fixed in ZENworks Asset Management 7.5 Interim Release IR19 or newer

Interim Releases can be scheduled to run automatically or can be downloaded manually at The Interim releases can be set up within the ZAM Manager for the Task server to check the site on a scheduled basis, and download and apply them automatically. Please refer to the Help Section details of how to set up automatic downloads if desired.

Each interim release is cumulative. If Interim Release IR19 is not available due to a newer interim release being placed on the website, be assured that the code needed is in the later release.


Security Alert

Additional Information

Information reported by Tippingpoint ZDI-CAN-457
This vulnerability was discovered by:  Anonymous