Access Manager and OpenSSL CVE-2015-1793

  • 7016693
  • 17-Jul-2015
  • 22-Jul-2015

Environment

NetIQ Access Manager 4.0
NetIQ Access Manager 4.1
NetIQ Access Manager Appliance
NetIQ Access Gateway Service on Linux
NetIQ Access Gateway Appliance

Situation

OpenSSL has released the fix for CVE-2015-1793. The patch is considered a high severity patch. The details following, as published by the OpenSSL team.

"During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails.

An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate."

Access Manager 4.1 ships with the OpenSSL version that is impacted, and is therefor vulnerable.

Resolution

Apply the OpenSSL update from the SLES security update channel. This will address the issue for both the Access Manager and Access Gateway Appliances.

For those administrators running the Access Gateway Service (AGS) on Linux (RHEL and SLES), the following procedure will need to be followed:

a) create the following script file on the AGS eg. openssl-update.sh

#!/bin/bash#!/bin/bash
USER_NAME=$1
PASSWORD=$2
RPM_NAME=$3
if [ -z $USER_NAME -o -z $PASSWORD -o -z RPM_NAME]
then
    echo "Empty user name or password or rpm name , usage is ./upgradeOpenSSL.sh username password rpmname "
    exit 0;
fi
export INST_LOG_DIR="/tmp/novell_access_manager"
export OPENSSL_UPGRADE_LOG="${INST_LOG_DIR}/upgrade_openssl_`date +"%F_%T"`.log"
if [ ! -d /opt/novell/nam/mag ]
then
    echo "The rpm $RPM_NAME is not applicable on this system."
    exit 0;
fi
if rpm -q $RPM_NAME > /dev/null
then
    echo "The rpm $RPM_NAME is already installed, nothing to upgrade."
    exit 0;
fi
echo "Downloading the rpm $RPM_NAME ......"
wget -q --no-check-certificate --http-user=$USER_NAME --http-password=$PASSWORD 'https://nu.novell.com/repo/$RCE/NAM40-APP-Updates/sle-11-x86_64/rpm/x86_64/'$RPM_NAME.x86_64.rpm > $OPENSSL_UPGRADE_LOG 2>&1

if [ ! -L "/usr/bin/sh" ]
then
    ln -s /bin/bash /usr/bin/sh
fi   
rpm -Uvh $RPM_NAME.x86_64.rpm >> $OPENSSL_UPGRADE_LOG 2>&1
if [ "$?" == 0 ]
then
    echo "Upgraded $RPM_NAME."
else
    echo "Upgrade of $RPM_NAME failed."
fi
rm -rf $RPM_NAME*

b) run 'bash openssl-update.sh username password novell-nacm-apache-extra-4.0.4-1.0.1p'

where username and password are the credentials you have for the Novell Customer Care Portal that an administrator gets patches from.

Additional Information

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793 includes links to the CVE

Feedback service temporarily unavailable. For content questions or problems, please contact Support.