Nessus security testing notification against appliance for ImageMagick package (CVE-2016-3714)

  • 7017647
  • 30-May-2016
  • 31-May-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager Appliance
NetIQ Access Gateway Appliance
CVE-2016-3714

Situation

While running a penetration test against the Access Gateway 4.2 appliance with Nessus, the scan report flags the version of ImageMagick (the libMagickCore1 package) installed on the appliance as affected by CVE-2016-3714. A fixed package is available in the security update channel for the Access Gateway (or Access Manager) appliance, but it fails to install because of missing dependencies.

The upgrade logs show that two RPMs required by the updated libMagickCore1 are missing: libMagickCore1 requires librsvg, which in turn requires libcroco. Neither librsvg nor libcroco is present in the host OS packages or in the update channel, so the update cannot be applied.

Resolution

The Access Gateway and Access Manager appliances do not use this package. Nothing on the appliance invokes ImageMagick, so the vulnerability (a command injection through ImageMagick's delegate handling when it processes a crafted image) has no reachable entry point. The package can be removed, or the finding ignored: the Nessus plugin only compares the installed package version against the fixed version; it does not determine whether the library is ever used.

Removing the package is the cleaner option, since it also clears the finding from subsequent scans. rpm -e refuses to remove a package that other installed packages still require, so the two packages that depend on libMagickCore1 (yast2-fingerprint-reader, which requires libfprint0, which requires the ImageMagick core library) are removed first, then libMagickCore1 itself:

nam:~ # rpm -e yast2-fingerprint-reader-2.17.7-0.1.201.x86_64

nam:~ # rpm -e libfprint0-0.0.6-18.22.136.x86_64

nam:~ # rpm -e libMagickCore1
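The three commands above are one instance of a general rule: every package that depends on the one you want gone has to be removed before it. The script below is an added example, not NetIQ's own tooling or part of this TID; it assumes an rpm-based appliance such as the SLES-based Access Gateway, and all function names (query_whatrequires, plan_removal, remove_with_dependents) are our own. It walks the reverse-dependency tree and prints the removal order, and only performs the removals when run with --apply.

```shell
#!/bin/sh
# Added example for this TID (not NetIQ code). Assumes an rpm-based appliance.
# rpm -e fails while another installed package still requires the target, so we
# compute a removal order with every dependent (recursively) ahead of the package
# it depends on. For libMagickCore1 on the 4.2 appliance that gives:
# yast2-fingerprint-reader, then libfprint0, then libMagickCore1.

# Packages that depend on anything $1 provides. Dependents normally require a
# soname such as libMagickCore.so.1()(64bit) rather than the package name, so
# "rpm -q --whatrequires libMagickCore1" on its own would miss them; we ask for
# every capability the package provides.
query_whatrequires() {
    rpm -q "$1" >/dev/null 2>&1 || return 0   # not installed: nothing depends on it
    rpm -q --provides "$1" 2>/dev/null | sed 's/ .*//' | sort -u |
        while read -r cap; do
            rpm -q --whatrequires "$cap" 2>/dev/null
        done | grep -v '^no package requires' | grep -v "^$1" | sort -u
}

# Visited set, so a package reached through two dependents is listed once.
SEEN=""
seen() { case " $SEEN " in *" $1 "*) return 0 ;; esac; return 1; }

# Post-order walk of the reverse-dependency tree: dependents print first.
removal_order() {
    seen "$1" && return 0
    SEEN="$SEEN $1"
    for dep in $(query_whatrequires "$1"); do
        removal_order "$dep"
    done
    printf '%s\n' "$1"
}

# Entry point: one package per line, in the order rpm -e must see them.
plan_removal() {
    SEEN=""
    removal_order "$1"
}

# Perform the removals (needs root) and confirm the package is gone afterwards.
remove_with_dependents() {
    for pkg in $(plan_removal "$1"); do
        rpm -e "$pkg" || return 1
    done
    ! rpm -q "$1" >/dev/null 2>&1
}

# Dry run by default; pass --apply to remove.
case "${1:-}" in
    --apply) remove_with_dependents libMagickCore1 ;;
    *) echo "Would remove, in this order:"; plan_removal libMagickCore1 ;;
esac
```

Run it once without arguments on the appliance and compare the printed plan with the three packages listed above; if anything else appears, that package is another consumer of ImageMagick and the "not used" argument needs to be re-checked before applying.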

The NAM team plans to remove this package from the next OS build of the appliance.