Is NAM susceptible to tomcat CVEs reported against tomcat 7.0-56 in NAM 4.x

  • 7017401
  • 23-Mar-2016
  • 23-Mar-2016

Environment


NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
NetIQ Access Manager 4.0

Situation

NAM 4.0.2, 4.1.1 and 4.2.1 all ship with tomcat 7.0-56. This version of tomcat reports a number of vulnerabilities (shown below) - are the NAM versions susceptible to these vulnerabilities?

Tomcat 7 Vulnerability patches:

CVE-2015-5174

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5174

 

CVE-2015-5345

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5345

 

CVE-2015-5346

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5346

 

CVE-2015-5351

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5351

 

CVE-2016-0706

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0706

 

CVE-2016-0714

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0714

 

CVE-2016-0763

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0763


Resolution

NAM is not vulnerable to these CVEs.

The only NAM component using tomcat 7 is the AC (because iManager needs tomcat 7). The AC on Linux can run under it’s own tomcat, and if you have DMZ with AC and IDP on same host on Linux, you can restrict access to AC very easily. On Windows, with AC and IDP on same host, we use the same instance of tomcat.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.