Access Manager 3.2 not running with latest Java 1.6.0.31 patch

  • 7010226
  • 28-Feb-2012
  • 23-May-2012

Environment

Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Access Gateway Server
Novell Access Manager 3.1 SSLVPN Server
Novell Access Manager 3.1 Java Agents

Situation

Access Manager 3.2 did not ship with the latest Java 1.6.0.31 build. A number of vulnerabilities have been addressed in this new Java release. There are concerns that the CVEs reported as fixed in this latest Java release will impact the security of Access Manager.

Resolution

There are no fixes in Java 1.6.0.31 that apply to Access Manager components directly. Almost all of the vulnerabilities fixed are client-side rather than server-side vulnerabilities. The only client-side application Access Manager ships is the SSLVPN client, and the client host should be updated with the latest Java patches. Since our SSL VPN uses a signed applet, the impact of the client-side CVEs is very minimal.