Is Access Manager vulnerable to ‘Shellshock’ Vulnerabilities CVE-2014-6271 and CVE-2014-7169

  • 7015693
  • 25-Sep-2014
  • 09-Oct-2014

Environment


NetIQ Access Manager 4.0
NetIQ Access Manager 3.2

Situation

A recent Linux vulnerability was reported at http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 and http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169, where bash specially-crafted environment variables could be used to do a code injection attack. Specific details on the vulnerability were reported at https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/.

NetIQ Access Manager administrators are worried that this will effect their setups.

Resolution

NetIQ Access Manager is not effected by this vulnerability - there are no NAM interfaces that use the vulnerable shell that can be exploited via the network. The scripts that are launched when an update is applied on the Access Gateway or Access Manager appliance is secured by mutual x509 authentication (applying updates via JCC) where both sides (Admin Console and Access Gateway) must present and validate the certs.

As most setups dictate (best practice too) that the latest security updates must be applied, the SLES security updates with the fix for this vulnerability have been posted to the NAM security update channel. Just use the NAM appliance or AG appliance update channel to apply the fix.

Note for Access Manager 3.2 SP3+ customers: To get the latest OS security updates, one must update the AG appliance from the SLES 11 SP1 base 3.2 shipped with, to the SLES11 SP3 code base that all security updates are available for. The instructions to upgrade the appliance OS are available from https://www.netiq.com/documentation/netiqaccessmanager32/installation/data/b1anabi2.html. Once done, the new 3.2.3 channel must be registered as per https://www.netiq.com/documentation/netiqaccessmanager32/installation/data/bowu0lh.html.

Additional Information

Access Manager 3.1 Access Gateway, running on SLES11, does not have an update for these vulnerabilities via the security update channel. The SLES team no longer supports SLES 11 (SLES11 SP1 onwards is what is supported) but has released a patch for this vulnerability. The patch is available at https://download.suse.com/protected/Summary.jsp?buildid=nNXClbWqawg and must be manually installed (need SLES11 version without any SP).

Since NAM is not effected, the risk is minimal.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.