Environment
NetIQ Access Manager 4.0
NetIQ Access Manager 4.0 Support Pack 1 HF2 applied
NetIQ Access Manager 4.0 Admin Console
CVE-2014-5215
Situation
The following URLs disclose several useful pieces of information to an authenticated administrator:
https://<host>:8443/roma/jsp/volsc/monitoring/dev_services.jsp
https://<host>:8443/roma/jsp/debug/debug.jsp
The disclosed system properties:
com.volera.vcdn.monitor.password
com.volera.vcdn.alert.password
com.volera.vcdn.sync.password
com.volera.vcdn.scheduler.password
com.volera.vcdn.publisher.password
com.volera.vcdn.application.sc.scheduler.password
com.volera.vcdn.health.password
The static string "k~jd)*L2;93=Gjs" is XORed with these property values to recover (decrypt) the passwords of internally used service accounts, so anyone who can read the properties can obtain those passwords.
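As an added defender-side example (not part of the advisory or NetIQ's own code), the filter below flags Admin Console access-log requests to the two disclosing JSPs so that pre-hotfix systems can be checked for who viewed them; it assumes a Tomcat-style combined access log layout, and the sample log lines are constructed.

```python
import re
from urllib.parse import unquote

# Admin Console endpoints named in the advisory (CVE-2014-5215) that expose
# the com.volera.vcdn.*.password system properties to an authenticated admin.
SENSITIVE_PATHS = {
    "/roma/jsp/volsc/monitoring/dev_services.jsp",
    "/roma/jsp/debug/debug.jsp",
}

# Assumed Tomcat-style combined access log layout; adjust the regex if your
# Admin Console access log is configured differently.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)

def normalize_path(target):
    """Strip the query string, decode percent-encoding (twice, to also catch
    double-encoded paths) and lowercase so obfuscated requests still match."""
    path = target.split("?", 1)[0]
    path = unquote(unquote(path))
    return path.lower()

def find_sensitive_requests(lines):
    """Return (ip, user, path, status) for each request that hit one of the
    disclosing endpoints; non-matching or unparsable lines are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalize_path(m.group("target"))
        if path in SENSITIVE_PATHS:
            hits.append((m.group("ip"), m.group("user"), path, int(m.group("status"))))
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - admin [12/Nov/2014:10:01:02 +0100] "GET /roma/jsp/volsc/monitoring/dev_services.jsp HTTP/1.1" 200 8231',
    '10.0.0.5 - admin [12/Nov/2014:10:01:09 +0100] "GET /roma/jsp/login.jsp HTTP/1.1" 200 1204',
    '10.0.0.9 - - [12/Nov/2014:10:02:31 +0100] "GET /roma/jsp/debug/%64ebug.jsp?x=1 HTTP/1.1" 302 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in find_sensitive_requests(SAMPLE_LOG):
        print("sensitive endpoint accessed:", hit)
```

Any hit on an unpatched system should be treated as a potential exposure of the service-account passwords listed above, since the authenticated session that viewed the page could read them.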
Resolution
Apply Access Manager 4.0 Support Pack 1 Hot Fix 3 or greater to avoid the issue.
Additional Information
NetIQ thanks Wolfgang Ettlinger (discovery, analysis, coordination) from the SEC Consult Vulnerability Lab (https://www.sec-consult.com/) for responsibly reporting the identified issues and working with us as we addressed them.