Access Governance Suite Security Vulnerability

  • 7017302
  • 26-Feb-2016
  • 01-Mar-2016

Environment

NetIQ Access Governance Suite 6.0
NetIQ Access Governance Suite 6.1
NetIQ Access Governance Suite 6.2
NetIQ Access Governance Suite 6.3
NetIQ Access Governance Suite 6.4

Situation

Our engineering team very recently identified a potentially critical security vulnerability in our Access Governance Suite (AGS) product that affects all current versions. This vulnerability could allow a logged-in, authenticated user to gain privileges beyond their assigned capabilities, including system administrator access. A fix for this vulnerability is available now, and we recommend that all customers apply the e-fix as soon as possible.

Although this vulnerability provides an opportunity for an authenticated user to modify rights and elevate privileges, exploiting it would require in-depth knowledge of the AGS application architecture by a very sophisticated user of our software. Most importantly, Micro Focus knows of no instance where this vulnerability has actually been exploited in any Micro Focus customer implementation.

The remediation e-fix is a configuration change only, but it does require a restart of all application server instances in the AGS installation. We recommend that you apply this e-fix as soon as possible. We have tested it aggressively in all of our supported deployment environments and have not observed any impact on performance or functionality.

Resolution

The e-fix is available for download as AGS-SV-eFix022416.zip at https://download.novell.com/patch/finder/?ref=h

Additional Information

For more detailed information on the behavior, please see CVE-2016-1597.