Environment
NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
Situation
CVE-2014-3569 describes a new vulnerability in OpenSSL. The ssl23_get_client_hello function in s23_srvr.c in OpenSSL 1.0.1j does not properly handle attempts to use unsupported protocols, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an unexpected handshake, as demonstrated by an SSLv3 handshake to a no-ssl3 application with certain error handling.
The NAM Access Gateway uses OpenSSL. Is it vulnerable to this attack?
Resolution
NAM is not vulnerable to CVE-2014-3569.
Additional Information
The OpenSSL build consumed by NAM does not use the no-ssl3 flag, which is the configuration the CVE description refers to.
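The failure mode in the CVE description, and why the no-ssl3 flag decides exposure, shown as an added example that is not OpenSSL or NAM code. It is a simplified C model; the names select_method, handle_hello_unchecked, handle_hello_checked and the no_ssl3 parameter are hypothetical.

```c
/* Simplified model, constructed for illustration; not OpenSSL source. */
#include <stddef.h>
#include <stdio.h>

#define VER_SSL3 0x0300
#define VER_TLS1 0x0301

typedef struct { const char *name; int (*accept)(void); } method_t;

static int accept_ok(void) { return 1; }

static const method_t ssl3_method = { "SSLv3", accept_ok };
static const method_t tls1_method = { "TLSv1", accept_ok };

/* Returns NULL for a protocol the build does not support.
 * no_ssl3 models a library built with the no-ssl3 flag (assumption). */
const method_t *select_method(int version, int no_ssl3)
{
    if (version == VER_TLS1) return &tls1_method;
    if (version == VER_SSL3) return no_ssl3 ? NULL : &ssl3_method;
    return NULL;
}

/* Flawed pattern: the result is used without a NULL check. With no_ssl3
 * set and an SSLv3 hello, this dereferences NULL and the process crashes. */
int handle_hello_unchecked(int version, int no_ssl3)
{
    const method_t *m = select_method(version, no_ssl3);
    return m->accept();
}

/* Hardened pattern: an unsupported protocol becomes a handshake error. */
int handle_hello_checked(int version, int no_ssl3)
{
    const method_t *m = select_method(version, no_ssl3);
    if (m == NULL) return -1;   /* reject the hello, keep the daemon up */
    return m->accept();
}

int main(void)
{
    /* Build without no-ssl3: an SSLv3 hello always gets a method. */
    printf("ssl3 build, unchecked: %d\n", handle_hello_unchecked(VER_SSL3, 0));
    /* Build with no-ssl3: only the checked handler is safe to call. */
    printf("no-ssl3 build, checked: %d\n", handle_hello_checked(VER_SSL3, 1));
    return 0;
}
```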