Access Manager and Java Deserialise Vulnerability

  • 7017019
  • 24-Nov-2015
  • 24-Nov-2015

Environment

NetIQ Access Manager 4.1

Situation

Resolution

NAM may be effected under certain unlikely conditions but there's a way to block even this remote threat. NAM does ship th effected library but

a)     
Does not use it on AC at all
b)     
IDP/AG does not use it to parse network streams – only uses it to read the nidpconfig.properties file (if it exists). If the attacker has local access, they could theoretically take advantage of the vulnerability but a bigger issue exists if they have local access and want to attack the system. You could remove the nidpconfig.properties file completely (or move all attributes from here into the UI) to avoid this. 4.1 has 85% of all attributes available as UI options (outside nidpconfig.properties) and 4.2 has everything, so the file is not needed.

The plan is to upgrade the libraries in a future build.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.