Access Manager and Java Deserialise Vulnerability

  • 7017019
  • 24-Nov-2015
  • 24-Nov-2015


NetIQ Access Manager 4.1



NAM may be affected under certain unlikely conditions, but there is a way to block even this remote threat. NAM does ship the affected library, but:

  • The Administration Console (AC) does not use it at all.
  • The Identity Server/Access Gateway (IDP/AG) does not use it to parse network streams; it only uses it to read the file (if it exists). If the attacker has local access, they could theoretically take advantage of the vulnerability, but an attacker who already has local access and wants to attack the system is a bigger issue in itself. You can remove the file completely (or move all attributes from it into the UI) to avoid this. 4.1 has 85% of all attributes available as UI options outside the file, and 4.2 has all of them, so the file is not needed.

The plan is to upgrade the libraries in a future build.