Potential Security Vulnerabilities with ZENworks

  • Document ID: 7016431
  • Creation Date: 16-Apr-2015
  • Modified Date: 23-Apr-2015

Environment

Novell ZENworks Configuration Management

Situation

The Zero Day Initiative (ZDI) reported a number of potential vulnerabilities in the ZENworks product. They include a stack buffer overflow, SQL injection, directory traversal, information disclosure and session ID disclosure; several of them allow remote code execution.

The vulnerabilities reported are as follows:

  • ZDI-CAN-2491 (CVE-2015-0786): ZENworks Preboot Policy Service Stack Buffer Overflow Remote Code Execution Vulnerability
  • ZDI-CAN-2575 (CVE-2015-0780): Novell Zenworks GetStoredResult.class SQL Injection Remote Code Execution Vulnerability
  • ZDI-CAN-2576 (CVE-2015-0782): Novell Zenworks schedule.ScheduleQuery SQL Injection Remote Code Execution Vulnerability
  • ZDI-CAN-2577 (CVE-2015-0783): Novell Zenworks FileViewer Information Disclosure Vulnerability
  • ZDI-CAN-2578 (CVE-2015-0785): Novell Zenworks com.novell.zenworks.inventory.rtr.actionclasses.wcreports Information Disclosure Vulnerability
  • ZDI-CAN-2579 (CVE-2015-0784): Novell Zenworks Rtrlet.class Session ID Disclosure Vulnerability
  • ZDI-CAN-2600 (CVE-2015-0781): Novell Zenworks Rtrlet doPost Directory Traversal Remote Code Execution Vulnerability
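Until the patch is applied, a practitioner will want to know whether anyone has been probing the components named above. The following is an added triage example, not Novell code and not part of this TID: it scans web-server access-log lines for requests that reference one of the advisory's component names (Rtrlet, GetStoredResult, ScheduleQuery, FileViewer, wcreports) and that also carry generic SQL-injection or directory-traversal markers, decoding the URL repeatedly so that double-encoded traversal is not missed. The component names come from the advisory; the Apache-style log format, the `/zenworks/` URL prefix, the parameter names and the sample lines are constructed assumptions for illustration only.

```python
"""Triage helper for the ZENworks advisory: flag HTTP requests aimed at the
components it names that also carry SQLi or directory-traversal markers.

Added example, not Novell code. The log format, the /zenworks/ URL prefix and
the parameter names are ASSUMPTIONS; only the component names come from the
advisory.
"""
import re
from urllib.parse import unquote

# Component names taken from the advisory, matched case-insensitively
# anywhere in the decoded request path or query string.
ADVISORY_COMPONENTS = ("rtrlet", "getstoredresult", "schedulequery",
                       "fileviewer", "wcreports")

# Generic indicators for the two vulnerability classes with RCE impact.
# ';' is deliberately excluded: Java apps append ';jsessionid=' to URLs.
SQLI_MARKERS = re.compile(r"('|--|\bunion\b|\bselect\b|\bxp_\w+|\bsleep\()", re.I)
TRAVERSAL_MARKERS = re.compile(r"(\.\./|\.\.\\|%2e%2e|%252e)", re.I)

# Common log format: client ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def normalize(path: str) -> str:
    """URL-decode up to three times so single and double encoding collapse."""
    prev, cur = None, path
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur


def classify(line: str):
    """Return (client, component, kinds) for a suspicious request, else None.

    kinds is a sorted list drawn from {'sqli', 'traversal'}.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    client, _method, raw_path, _status = m.groups()
    path = normalize(raw_path)
    low = path.lower()
    component = next((c for c in ADVISORY_COMPONENTS if c in low), None)
    if component is None:
        return None
    kinds = []
    if SQLI_MARKERS.search(path):
        kinds.append("sqli")
    # Check both raw and decoded forms: the raw form catches %252e before
    # decoding, the decoded form catches '../' produced by any encoding depth.
    if TRAVERSAL_MARKERS.search(path) or TRAVERSAL_MARKERS.search(raw_path):
        kinds.append("traversal")
    if not kinds:
        return None
    return (client, component, sorted(kinds))


def scan(lines):
    """Run classify over many log lines and return only the hits."""
    return [r for r in (classify(line) for line in lines) if r]


# Constructed sample lines (not real traffic); paths and parameters are assumed.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Apr/2015:10:00:01 +0000] "GET /zenworks/jsp/index.jsp HTTP/1.1" 200 512',
    '10.0.0.7 - - [16/Apr/2015:10:00:02 +0000] "GET /zenworks/GetStoredResult?id=1%27%20UNION%20SELECT%201-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [16/Apr/2015:10:00:03 +0000] "POST /zenworks/Rtrlet?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024',
    '10.0.0.9 - - [16/Apr/2015:10:00:04 +0000] "POST /zenworks/Rtrlet?file=%252e%252e%252fwin.ini HTTP/1.1" 200 1024',
    '10.0.0.11 - - [16/Apr/2015:10:00:05 +0000] "GET /zenworks/FileViewer?name=report.txt HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, component, kinds in scan(SAMPLE_LOG):
        print(f"{client} -> {component}: {', '.join(kinds)}")
```

A benign request to FileViewer is not flagged on its own; the check only fires when a named component is combined with an injection or traversal indicator, which keeps noise down on a busy primary server. Because the real URL layout is not stated in this TID, confirm the component-to-path mapping against your own server logs before relying on the filter.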

Resolution

The following patch has been released in order to address these issues:
https://download.novell.com/Download?buildid=BJbybNUmQRQ~

It includes fixes for the following ZCM versions:

  • ZCM 11.2.4
  • ZCM 11.2.4 MU1
  • ZCM 11.3.0
  • ZCM 11.3.0 FRU1
  • ZCM 11.3.1
  • ZCM 11.3.1 FRU1
  • ZCM 11.3.2
  • ZCM 11.3.2 FRU1

See the patch download page for further details.
