Environment
NetIQ Access Manager 4.0
NetIQ Access Manager 4.1
Situation
Is Access Manager vulnerable to the Logjam vulnerability (CVE-2015-4000) reported at https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-4000?
Resolution
CVE-2015-4000 (Logjam) affects OpenSSL 1.0.1m and older. The Access Manager security update channel delivers the fix as OpenSSL 1.0.1o. Always make sure that the security update channel is configured and downloading the latest security patches; this addresses the issue for both the Access Manager and Access Gateway Appliances.
For those administrators running the Access Gateway Service (AGS) on Linux (RHEL and SLES), the following procedure will need to be followed:
a) Create the following script file on the AGS, e.g. openssl-update.sh:
#!/bin/bash
# Downloads the named OpenSSL update RPM from the Novell update server and installs it
# on an Access Gateway Service host. Usage: ./openssl-update.sh username password rpmname
# Note: the credentials are taken from the command line and are therefore visible in the
# process list and in the shell history while the script runs.
USER_NAME=$1
PASSWORD=$2
RPM_NAME=$3
if [ -z "$USER_NAME" ] || [ -z "$PASSWORD" ] || [ -z "$RPM_NAME" ]
then
    echo "Empty user name or password or rpm name, usage is ./openssl-update.sh username password rpmname"
    exit 1
fi
export INST_LOG_DIR="/tmp/novell_access_manager"
export OPENSSL_UPGRADE_LOG="${INST_LOG_DIR}/upgrade_openssl_`date +"%F_%T"`.log"
mkdir -p "$INST_LOG_DIR"
# The Access Gateway Service is installed under /opt/novell/nam/mag; refuse to run elsewhere.
if [ ! -d /opt/novell/nam/mag ]
then
    echo "The rpm $RPM_NAME is not applicable on this system."
    exit 0
fi
if rpm -q "$RPM_NAME" > /dev/null
then
    echo "The rpm $RPM_NAME is already installed, nothing to upgrade."
    exit 0
fi
echo "Downloading the rpm $RPM_NAME ......"
# '$RCE' is a literal path component of the Novell update repository URL, which is why it
# is single-quoted and must not be expanded by the shell. --no-check-certificate turns off
# TLS certificate validation for the download; remove it once the host trusts the
# nu.novell.com certificate chain, and verify the package signature with 'rpm -K' before
# relying on it.
wget -q --no-check-certificate --http-user="$USER_NAME" --http-password="$PASSWORD" 'https://nu.novell.com/repo/$RCE/NAM40-APP-Updates/sle-11-x86_64/rpm/x86_64/'"$RPM_NAME".x86_64.rpm > "$OPENSSL_UPGRADE_LOG" 2>&1
if [ $? -ne 0 ]
then
    echo "Download of $RPM_NAME failed, see $OPENSSL_UPGRADE_LOG."
    exit 1
fi
# Some RPM scriptlets expect /usr/bin/sh; point it at bash if it is missing.
if [ ! -L "/usr/bin/sh" ]
then
    ln -s /bin/bash /usr/bin/sh
fi
if rpm -Uvh "$RPM_NAME".x86_64.rpm >> "$OPENSSL_UPGRADE_LOG" 2>&1
then
    echo "Upgraded $RPM_NAME."
    STATUS=0
else
    echo "Upgrade of $RPM_NAME failed, see $OPENSSL_UPGRADE_LOG."
    STATUS=1
fi
rm -rf "$RPM_NAME"*
exit $STATUS
b) Run 'bash openssl-update.sh username password novell-nacm-apache-extra-4.0.4-1.0.1p', where username and password are the Novell Customer Care Portal credentials the administrator uses to obtain patches. Because they are passed as command-line arguments, the credentials are visible in the process list and are recorded in the shell history; clear that history entry once the update has completed.
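To confirm from the outside that the update has taken effect, the check an administrator wants is whether the Access Gateway still negotiates a small ephemeral Diffie-Hellman group, since that is what Logjam exploits. The following bash script is an added example and is not part of this TID or of any NetIQ tooling. It assumes the client-side openssl is 1.0.2 or newer (older s_client builds do not print the "Server Temp Key:" line) and uses 2048 bits as the minimum, the commonly published post-Logjam recommendation rather than a value this article states. The sample transcripts at the bottom are constructed, not captured from a real gateway.

```bash
#!/bin/bash
# Added example, not from the NetIQ TID: decide whether a TLS endpoint still
# negotiates an ephemeral DH group small enough to matter for Logjam (CVE-2015-4000).
# Assumptions: the local openssl is 1.0.2 or newer (prints "Server Temp Key:"),
# and 2048 bits is the threshold (post-Logjam recommendation, not a NetIQ value).

MIN_DH_BITS=2048

# Extract the ephemeral DH size from an s_client transcript passed as $1.
# Prints the bit count, or 0 when no DH temp key was negotiated (RSA or
# ECDHE key exchange, or a handshake that failed outright).
dh_temp_key_bits() {
    bits=$(printf '%s\n' "$1" \
        | sed -n 's/^ *Server Temp Key: DH, \([0-9][0-9]*\) bits.*/\1/p' \
        | head -n 1)
    echo "${bits:-0}"
}

# Print a verdict for one transcript and return 1 only when the DH group is
# below MIN_DH_BITS, so the function can drive a loop over many hosts.
logjam_verdict() {
    bits=$(dh_temp_key_bits "$1")
    if [ "$bits" -eq 0 ]; then
        echo "NO-DHE (server refused every ephemeral-DH suite; no DH group to downgrade)"
        return 0
    elif [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "WEAK ($bits-bit DH group, below $MIN_DH_BITS)"
        return 1
    else
        echo "OK ($bits-bit DH group)"
        return 0
    fi
}

# Live probe of host [port]: restrict the client to ephemeral-DH suites so the
# temp key line reflects the server's own DH parameters, then classify it.
# Not exercised by the samples below because it needs network access.
check_host() {
    transcript=$(printf 'Q\n' | openssl s_client -connect "$1:${2:-443}" -cipher 'EDH' 2>&1)
    logjam_verdict "$transcript"
}

# Constructed sample transcripts (not captured from a real Access Gateway).
SAMPLE_WEAK='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA
Server Temp Key: DH, 1024 bits'
SAMPLE_OK='Server Temp Key: DH, 2048 bits'
SAMPLE_NODHE='error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure'

for t in "$SAMPLE_WEAK" "$SAMPLE_OK" "$SAMPLE_NODHE"; do
    logjam_verdict "$t" || true
done
```

Against a real gateway, run check_host with its hostname (for instance check_host gateway.example.com 443, a hypothetical host). A NO-DHE result means the server declined every DHE suite, so there is no group for a Logjam downgrade to land on; a WEAK result means the patch has not reached that listener or a custom cipher configuration still serves a small group. If the client openssl was built with export ciphers, the same probe with -cipher 'EXP' tells you whether the server still accepts DHE_EXPORT suites, the actual downgrade target in the Logjam attack: any successful handshake there is a finding.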