Environment
NetIQ Access Manager 4.0
NetIQ Access Manager 4.1
NetIQ Access Manager Appliance
NetIQ Access Gateway Service on Linux
NetIQ Access Gateway Appliance
Situation
OpenSSL has released the fix for CVE-2015-1793. The patch is rated high severity. The details follow, as published by the OpenSSL team.
Access Manager 4.1 ships with the OpenSSL version that is impacted, and is therefore vulnerable.
"During certificate verification, OpenSSL (starting from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails.
An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate."
Resolution
Apply the OpenSSL update from the SLES security update channel. This will address the issue for both the Access Manager and Access Gateway Appliances.
For those administrators running the Access Gateway Service (AGS) on Linux (RHEL and SLES), the following procedure needs to be followed:
a) Create the following script file on the AGS, e.g. openssl-update.sh:
#!/bin/bash
# Download and install the OpenSSL rpm for the Access Gateway Service.
# Usage: ./openssl-update.sh username password rpmname
# Note: arguments are visible in the process list while the script runs,
# so run it from an administrative session only.
USER_NAME=$1
PASSWORD=$2
RPM_NAME=$3
if [ -z "$USER_NAME" ] || [ -z "$PASSWORD" ] || [ -z "$RPM_NAME" ]
then
    echo "Empty user name or password or rpm name, usage is ./openssl-update.sh username password rpmname"
    exit 1
fi
export INST_LOG_DIR="/tmp/novell_access_manager"
mkdir -p "$INST_LOG_DIR"
export OPENSSL_UPGRADE_LOG="${INST_LOG_DIR}/upgrade_openssl_$(date +"%F_%T").log"
# Only an Access Gateway Service installation carries this rpm.
if [ ! -d /opt/novell/nam/mag ]
then
    echo "The rpm $RPM_NAME is not applicable on this system."
    exit 0
fi
if rpm -q "$RPM_NAME" > /dev/null 2>&1
then
    echo "The rpm $RPM_NAME is already installed, nothing to upgrade."
    exit 0
fi
echo "Downloading the rpm $RPM_NAME ......"
# "$RCE" is a literal path element of the Novell update server URL, so it is
# deliberately kept inside single quotes and not expanded by the shell.
# --no-check-certificate disables verification of the download server's
# certificate, as in the original procedure.
wget -q --no-check-certificate --http-user="$USER_NAME" --http-password="$PASSWORD" \
    'https://nu.novell.com/repo/$RCE/NAM40-APP-Updates/sle-11-x86_64/rpm/x86_64/'"$RPM_NAME".x86_64.rpm \
    > "$OPENSSL_UPGRADE_LOG" 2>&1
if [ ! -s "$RPM_NAME.x86_64.rpm" ]
then
    echo "Download of $RPM_NAME failed, see $OPENSSL_UPGRADE_LOG."
    exit 1
fi
# Make sure /usr/bin/sh exists before installing the rpm.
if [ ! -e /usr/bin/sh ]
then
    ln -s /bin/bash /usr/bin/sh
fi
if rpm -Uvh "$RPM_NAME.x86_64.rpm" >> "$OPENSSL_UPGRADE_LOG" 2>&1
then
    echo "Upgraded $RPM_NAME."
else
    echo "Upgrade of $RPM_NAME failed, see $OPENSSL_UPGRADE_LOG."
fi
# Remove the downloaded package file.
rm -f "$RPM_NAME".x86_64.rpm
b) Run 'bash openssl-update.sh username password novell-nacm-apache-extra-4.0.4-1.0.1p'
where username and password are the Novell Customer Care Portal credentials an administrator uses to obtain patches.
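The article does not say how to confirm that the installed OpenSSL is no longer in the affected range. The following check is an added example, not part of the NetIQ article or the product: it classifies a version string against the versions the OpenSSL advisory lists as affected (1.0.1n, 1.0.1o, 1.0.2b, 1.0.2c; fixed in 1.0.1p and 1.0.2d) and can be pointed at a specific binary through the assumed OPENSSL_BIN variable, since the copy that matters on the AGS is the one bundled with the rpm above rather than necessarily the system one.

```shell
#!/bin/sh
# Added example (not part of the NetIQ article): check an OpenSSL version
# against the CVE-2015-1793 affected range.
# Affected per the OpenSSL advisory: 1.0.1n, 1.0.1o, 1.0.2b, 1.0.2c.
# Fixed in 1.0.1p and 1.0.2d; earlier releases never had the alternative
# chain logic, so they are not affected by this particular issue.

# Returns 0 (true) when the given version string is affected, 1 otherwise.
cve_2015_1793_affected() {
    case "$1" in
        1.0.1n|1.0.1o|1.0.2b|1.0.2c) return 0 ;;
        *) return 1 ;;
    esac
}

# Extract the bare version token from "openssl version" output such as
# "OpenSSL 1.0.1o 12 Jun 2015"; vendor builds may append "-fips" or similar,
# which is stripped so the token can be compared with the list above.
openssl_version_token() {
    set -- $1          # split the output on whitespace
    v=$2
    printf '%s\n' "${v%%-*}"
}

# Report on a local binary. OPENSSL_BIN is an assumed knob: set it to the
# bundled binary on the AGS, otherwise the "openssl" found on PATH is used.
# Exit status: 0 not affected, 2 affected, 3 binary not found, so the result
# can drive a fleet-wide check or a monitoring job.
check_local_openssl() {
    bin=${OPENSSL_BIN:-openssl}
    v=$(openssl_version_token "$("$bin" version 2>/dev/null)")
    if [ -z "$v" ]; then
        echo "OpenSSL binary '$bin' not found or gave no version"
        return 3
    fi
    if cve_2015_1793_affected "$v"; then
        echo "OpenSSL $v is affected by CVE-2015-1793"
        return 2
    fi
    echo "OpenSSL $v is not affected by CVE-2015-1793"
    return 0
}

# Run the live check only when invoked with --check, so the file can also
# be sourced for its functions.
case "${1:-}" in
    --check) check_local_openssl ;;
esac
```

Run it as 'sh openssl-check.sh --check' after the rpm upgrade; a non-zero exit status of 2 means the binary on PATH (or OPENSSL_BIN) is still one of the affected releases.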
Additional Information
The CVE entry at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793 includes further links on this issue.