How has NetIQ addressed the ZDI “Installation Defaults” Report for AppManager (ZDI ID: ZDI-14-2139)?

  • 7015459
  • 31-Jul-2014
  • 04-Aug-2014

Environment

NetIQ AppManager Enterprise 8.2

Situation

On May 5, 2014, the Zero Day Initiative (http://www.zerodayinitiative.com as found by Anonymous) identified a stale link on the NetIQ AppManager download web site along with a potential security vulnerability concerning the default security options selected when installing the NetIQ AppManager product.  The ZDI ID is ZDI-14-2139.

Resolution

In response to this report, NetIQ has made the following changes to the NetIQ product (AppManager) and the AppManager download web site:

  1. Customers who install the product will be required to make a security level choice during installation. The user can decide to communicate unencrypted or without additional authentication. The installer dialog has also been modified to provide information that may help the user to make an appropriate decision for their environment.

  2. We have also made changes to the agent installation. During Agent installation, when the user configures the Management Servers that an Agent can communicate with, the installer will configure the Agent to use only the specified Management Servers.  The installer will no longer allow Agents to accept Anonymous Management Servers during Agent installation.   The Agent will refuse any commands sent to it by any Management Server, unless the Management Server is in the list of allowed Management Servers.  Users can add more Management Servers to that configuration after the initial setup.

  3. The download referenced in the report was referring to a stale link.  We have addressed the issue by removing that link from our download web site.

We believe that these changes should address any concerns regarding default configurations.  Given the nature of these changes, we are planning on replacing the AppManager 8.2 download package on our website, on or about July 31st.  There is no reason for an existing customer to re-install AppManager with this updated installer, unless they believe they have incorrectly selected their security communication settings. 

For additional information or questions, please contact NetIQ Technical Support.