Environment
NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
NetIQ Access Manager 4.0
Situation
NAM 4.0.2, 4.1.1 and 4.2.1 all ship with Tomcat 7.0-56. A number of vulnerabilities have been reported against this Tomcat version (listed below). Are these NAM versions susceptible to them?
Tomcat 7 vulnerability patches:
CVE-2015-5174: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5174
CVE-2015-5345: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5345
CVE-2015-5346: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5346
CVE-2015-5351: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5351
CVE-2016-0706: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0706
CVE-2016-0714: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0714
CVE-2016-0763: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0763
Resolution
NAM is not vulnerable to these CVEs.
The only NAM component that uses Tomcat 7 is the Administration Console (AC), because iManager requires Tomcat 7. On Linux, the AC can run under its own Tomcat instance, so if the AC and the IDP share a host in the DMZ on Linux, access to the AC can be restricted very easily. On Windows, when the AC and the IDP are on the same host, they share a single Tomcat instance.