Potential Security Vulnerabilities with ZENworks

  • 7016431
  • 16-Apr-2015
  • 23-Apr-2015


Novell ZENworks Configuration Management


The Zero Day Initiative (ZDI) reported a number of potential vulnerabilities with the Zenworks product.  These vulnerabilities include issues such as SQL Injection, Directory Traversal, Information Disclosure and Session ID disclosure.

The vulnerabilities reported are as follows:
ZDI-CAN-2491: ZENworks Preboot Policy Service Stack Buffer Overflow Remote Code Execution Vulnerability CVE-2015-0786
ZDI-CAN-2575: Novell Zenworks GetStoredResult.class SQL Injection Remote Code Execution Vulnerability CVE-2015-0780
ZDI-CAN-2576: Novell Zenworks schedule.ScheduleQuery SQL Injection Remote Code Execution Vulnerability CVE-2015-0782
ZDI-CAN-2577: Novell Zenworks FileViewer Information Disclosure Vulnerability CVE-2015-0783
ZDI-CAN-2578: Novell Zenworks com.novell.zenworks.inventory.rtr.actionclasses.wcreports Information Disclosure Vulnerability* CVE-2015-0785
ZDI-CAN-2579: Novell Zenworks Rtrlet.class Session ID Disclosure Vulnerability CVE-2015-0784 
ZDI-CAN-2600: Novell Zenworks Rtrlet doPost Directory Traversal Remote Code Execution Vulnerability CVE-2015-0781


The following patch has been released in order to address these issues:

It includes fixes for the following ZCM versions:
 ZCM 11.2.4 
ZCM 11.2.4 MU1 
ZCM 11.3.0
ZCM 11.3.0 FRU1 
ZCM 11.3.1
ZCM 11.3.1 FRU1
ZCM 11.3.2
ZCM 11.3.2 FRU1

See patch download page for further details.