NetIQ Access Manager 3.2 SP1 shipping with older JDK 1.6.0_30

  • 7011405
  • 21-Nov-2012
  • 21-Nov-2012

Environment

NetIQ Access Manager 3.2 SP1 Administration Console
NetIQ Access Manager 3.2 SP1 Identity Server
NetIQ Access Manager 3.2 SP1 Access Gateway
NetIQ Access Manager 3.2 SP1 SSLVPN
NetIQ Access Manager 3.2 SP1 Java Agents

Situation

Access Manager 3.2 SP1 shipped with a version of the JDK 1.6.0_30. At the time of shipping, Oracle has released JDK 1.6.0_32, which included fixes to a number of vulnerabilities. When running a security scan against all Access Manager components, the security scanner reported that these components were susceptible to the vulnerabilities fixed on the latest JDK. The full list of fixed vulnerabilities is documented at http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html, although the security scan reported the following 8 CVEs that related to Access Manager:

# CVE-2012-1724 OpenJDK: XML parsing infinite loop (JAXP, 7157609)
# CVE-2012-1718 OpenJDK: CRL and certificate extensions handling improvements (Security, 7143872)
# CVE-2012-1720 is also unspecified in networking component which affects both server and client code.
# CVE-2012-1725 OpenJDK: insufficient invokespecial <init> verification (HotSpot, 7160757)
# CVE-2012-1723 OpenJDK: insufficient field accessibility checks (HotSpot, 7152811)


Resolution

None of these issues apply to Access Manager 3.12 SP1. The JAXP CVE involves XML processing, which NAM does heavily, but the Identity and Service Provider Servers use the xerces implementation and not the default implementation shipped with the JRE that is suscepetible to the issue.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.