Novell Products/Services - Microsoft Security Advisory (973882)

  • 7005220
  • 25-Jan-2010
  • 30-Apr-2012

Environment

Novell Open Enterprise Server 2 (OES 2) Linux
Novell Open Enterprise Server (NetWare 6.5)
Novell ZENworks 7 Asset Management - ZAM7
Novell ZENworks 7 Desktop Management Support Pack 1 - ZDM7 SP1
Novell ZENworks 7 Desktop Management on Linux Support Pack 1 - ZDML7 SP1

Situation

Microsoft has reported a security issue in its development library, the Microsoft Active Template Library (ATL).
 
Microsoft has asked developers who use ATL to review their use of any ATL controls or components and to take immediate action to evaluate a possible vulnerability.

This document presents the findings of the code review for the products listed in this document.

For further information, please see Microsoft Security Advisory (973882).

Resolution

Novell Client for Windows
The Novell Client for Windows does not create ATL-based COM components or controls that are exposed to the ATL-based COM vulnerability Microsoft has identified in Microsoft Security Advisory 973882.

Therefore, current shipping (and previously released) versions of the Novell Client for Windows Vista/2008 and Novell Client for Windows XP/2003 are not subject to the security vulnerability described in Microsoft Security Advisory 973882.

GroupWise Windows Client
Novell GroupWise development has thoroughly evaluated the use of ATL controls and components and has implemented Microsoft's fixes in the Windows Client of GroupWise 7.0.3 Hot Patch 4 and the Windows Client of GroupWise 8.0.1 Hot Patch 1. No other GroupWise components are vulnerable.

Novell recommends updating the GroupWise Windows client to the above-mentioned patches.

iPrint
The Novell iPrint client code has been examined and found to not use any of the APIs or classes subject to exploitation by the ATL-based COM vulnerability identified in Microsoft Security Advisory 973882.

Therefore, current shipping (and previously released) versions of the Novell iPrint client are not subject to the security vulnerability described.

BorderManager
The Novell BorderManager code has been examined and found to not use any of the APIs or classes subject to exploitation.

IDM
The Identity Manager Roles Based Provisioning Module, including the IDM engine, the Remote Loader and all drivers, was reviewed and found not to be affected by this Microsoft security vulnerability.

NetWare Server OS 6.5
The NetWare Server OS is not affected by this vulnerability.

NMAS
NMAS and NMAS Methods do not use the Microsoft ATL.

eDirectory 8.x
eDirectory was found to not use any of the APIs or classes subject to exploitation.

iManager
iManager does not use any Active Template Libraries and is therefore unaffected.

ConsoleOne
ConsoleOne does not use any Active Template Libraries and is therefore unaffected.

ZENworks (ZDM/ZSM/ZAM and MiddleTier)
Neither ZDM7 nor ZSM7 is impacted by this Microsoft security vulnerability:

  • Asset Management and Inventory is not affected in ZAM 7.5.
  • The NAL code base for ZDM7 is not affected by this security vulnerability.
  • The vulnerability does not affect ZEN 7 Remote Management. The only COM interface provided is with XTier (which uses a proprietary implementation and is not affected by the vulnerability). There are also no ActiveX controls.
  • Workstation Manager and AWI do not use the affected APIs.
  • The ZEN 7 inventory server processes are written in Java and are therefore not affected.
  • The NetWare scanner in ZENworks does not use COM.
  • The WM policies code is not affected by the vulnerability.
  • The Imaging components do not contain any code affected by the ATL vulnerabilities.
  • XTier is not impacted by the ATL vulnerability because it does not use ATL. The COM implementation in XTier is a Novell proprietary implementation and is not derived from the Microsoft COM implementation.