Apache Commons Daemon 'jsvc' Information Disclosure Vulnerability - CVE-2011-2729

  • 7009193
  • 17-Aug-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Access Administration
Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Access Gateway Service
Novell Access Manager 3.1 Support Pack 3 applied

Situation

CVE-2011-2729 was recently reported as fixed by the Apache Software Foundation. The fix was included in Tomcat 5.5.34. Access Manager ships with Tomcat 5.5.30, which does not include the fix for this vulnerability. Is Novell Access Manager 3.1 SP3 susceptible to this vulnerability, which only occurs when all of the following are true:
  • Tomcat is running on a Linux operating system
  • jsvc was compiled with libcap
  • -user parameter is used

Resolution

Novell Access Manager components do NOT use jsvc to launch the Java applications and are therefore not susceptible to the vulnerability. To check whether jsvc is used, run

"ps -ef | grep catalina"

and check whether the Tomcat (catalina) process is launched by "jsvc" rather than directly by "java".
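The check above, as an added example that is not part of the original TID: the function below scans ps -ef style lines for a catalina process started by jsvc with the -user switch, the combination the vulnerability requires. The sample process lines and paths are constructed for illustration and are not Access Manager's real command lines.

```sh
#!/bin/sh
# Added example, not from the Novell TID. Fields 1-7 of a "ps -ef" line are
# UID PID PPID C STIME TTY TIME; the command line starts at field 8.

# Classify one ps -ef line by its launcher: prints "jsvc-user" when the
# command is jsvc started with -user, "jsvc" for jsvc without -user,
# "java" for a direct java launch, and "other" for anything else.
classify_launcher() {
  printf '%s\n' "$1" | awk '{
    launcher = "other"; user_flag = 0
    for (i = 8; i <= NF; i++) {
      if ($i ~ /(^|\/)jsvc$/) launcher = "jsvc"
      else if ($i ~ /(^|\/)java$/ && launcher == "other") launcher = "java"
      else if ($i == "-user") user_flag = 1
    }
    if (launcher == "jsvc" && user_flag) launcher = "jsvc-user"
    print launcher
  }'
}

# Read a full "ps -ef" listing on stdin; return 0 (exposed) if any catalina
# process is launched by jsvc with -user, 1 otherwise.
scan_ps_output() {
  found=1
  while IFS= read -r line; do
    case "$line" in *catalina*) ;; *) continue ;; esac
    [ "$(classify_launcher "$line")" = "jsvc-user" ] && found=0
  done
  return $found
}

# Constructed sample lines (not real Access Manager processes).
SAMPLE_JAVA='novlwww  4321     1  0 09:12 ?        00:01:03 /usr/lib/jvm/java/bin/java -Dcatalina.base=/var/opt/example/tomcat5 org.apache.catalina.startup.Bootstrap start'
SAMPLE_JSVC_USER='root     5678     1  0 09:12 ?        00:00:00 /usr/bin/jsvc -user tomcat -home /usr/lib/jvm/java -Dcatalina.base=/var/lib/tomcat5 org.apache.catalina.startup.Bootstrap'
SAMPLE_JSVC_NOUSER='root     5679     1  0 09:12 ?        00:00:00 /usr/bin/jsvc -home /usr/lib/jvm/java -Dcatalina.base=/var/lib/tomcat5 org.apache.catalina.startup.Bootstrap'

# Usage on a live system: ps -ef | scan_ps_output && echo "jsvc with -user found"
```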