Environment
NetIQ Access Manager 4.2
NetIQ Access Manager Appliance
NetIQ Access Gateway Appliance
CVE-2016-3714
Situation
A security penetration test run with Nessus against an Access Gateway 4.2 appliance reports that the version of ImageMagick (libMagickCore1 package) running on the appliance is vulnerable to CVE-2016-3714. The fix is available in the security update channel for the Access Gateway (or Access Manager) appliance, but it fails to install because of missing dependencies.
The upgrade logs show that two RPMs required for the libMagickCore1 update are missing: libMagickCore1 requires librsvg, which in turn requires libcroco. Both libcroco and librsvg are missing from the host OS packages and from the update channel, so the update cannot be applied.
Resolution
The Access Gateway or Access Manager appliance does not use this package. It can be removed, or the finding can be ignored: the Nessus report simply checks the version of the package, not whether the package is used.
To remove the package, complete the following:
nam:~ # rpm -e yast2-fingerprint-reader-2.17.7-0.1.201.x86_64
nam:~ # rpm -e libfprint0-0.0.6-18.22.136.x86_64
nam:~ # rpm -e libMagickCore1
The NAM team plans to remove this with the next OS build of the Appliance.
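A dry-run check to run before the removal above, as an added example that is not part of the original article: `rpm -e --test` reports which installed packages still need a package without removing anything, and the helper extracts those package names from its output. The function names and the sample outputs are constructed, and the dependency chain they show is an assumption inferred from the removal order in the article.

```shell
#!/bin/sh
# Added example (not from the original article): dry-run check before `rpm -e`.

# blockers: read `rpm -e --test <pkg>` output on stdin and print the installed
# packages that still depend on <pkg>, one per line, without duplicates.
blockers() {
    sed -n 's/.* is needed by (installed) \(.*\)$/\1/p' | sort -u
}

# check_removable PKG: run the dry run on a live appliance. Nothing is removed.
#   0 = PKG can be erased cleanly
#   1 = erase is blocked (blocking packages are printed)
#   2 = PKG is not installed
check_removable() {
    rpm -q "$1" >/dev/null 2>&1 || { echo "$1 is not installed" >&2; return 2; }
    out=$(rpm -e --test "$1" 2>&1) && return 0
    printf '%s\n' "$out" | blockers
    return 1
}

# Constructed samples of dry-run output (capability names are illustrative).
# Assumed chain: yast2-fingerprint-reader -> libfprint0 -> libMagickCore1.
SAMPLE_MAGICK='error: Failed dependencies:
	libMagickCore.so.1()(64bit) is needed by (installed) libfprint0-0.0.6-18.22.136.x86_64'
SAMPLE_FPRINT='error: Failed dependencies:
	libfprint0 is needed by (installed) yast2-fingerprint-reader-2.17.7-0.1.201.x86_64'

# Parsing the samples offline:
#   printf '%s\n' "$SAMPLE_MAGICK" | blockers
# On the appliance:
#   check_removable libMagickCore1
```

After the removal, `rpm -q libMagickCore1` should report that the package is not installed, which is the same package-version evidence the Nessus check relies on.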