ZENworks Configuration Management Security Announcement: CVE-2015-0779 Remote code execution via file upload and directory traversal (Tomcat/UploadServlet)

  • 7016419
  • 14-Apr-2015
  • 08-Jun-2015

Environment

Novell ZENworks Configuration Management 11.3
Novell ZENworks Configuration Management 11.2
Novell ZENworks Configuration Management 11.1
Novell ZENworks Configuration Management 11

Situation

Vulnerability: Remote code execution via file upload and directory traversal (exploit in Tomcat/UploadServlet).

Resolution

This is fixed in version 11.3.2 - see KB 7014213 "ZENworks Configuration Management 11.3.2 - update information and list of fixes" which can be found at https://support.microfocus.com/kb/doc.php?id=7015776

For 11.3.1 and 11.3.1 FRU1 contact Novell Technical Support for an official Field Test file (FTF) with fix.

On prior versions, if the entire zenworks_home\tomcat\webapps directory is removed due to vulnerability hack, contact Novell Technical Support for steps to fix.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.