Is Access Manager effected by CVE-2014-0227

  • 7016198
  • 17-Feb-2015
  • 17-Feb-2015

Environment

NetIQ Access Manager 4.0
NetIQ Access Manager 4.0 Support Pack 1 HF3 applied
NetIQ Access Manager 4.0 Identity Server
NetIQ Access Manager 4.0 Access Gateway
NetIQ Access Manager 4.0 Administration Console

Situation

CVE-2014-0227 reports the possibility of a limited DoS in tomcat's chunked transfer encoding input filter. It was discovered that the ChunkedInputFilter implementation did not fail subsequent attempts to read input after a failure occurred. A remote attacker could use this flaw to perform a denial of service attack by streaming an unlimited quantity of data, leading to excessive consumption of system resources.

The report on the RedHat site claims it is low priority with a severity of low (https://access.redhat.com/security/cve/CVE-2014-0227) although Apache has rated it as important (https://tomcat.apache.org/security-8.html). This issue was identified by the Tomcat security team on 30 May 2014 and made public on 9 February 2015.

Access Manager 4.0.1 HF1 runs a version of tomcat that is effected by this report.

Resolution

Although NAM 4.0.1 is effected by this vulnerability, it is very hard to take advantage of. It can also be mitigated by disabling chunking by forcing http 1.0 (see protocol section under http://tomcat.apache.org/tomcat-7.0-doc/config/http.html at the server side).

The next support pack for NAM 4.0.1, and the next version of Access Manager (4.1) will ship with an updated version of tomcat that addresses this issue.