Admin Console iManager includes .htaccess file which could allow hackers to gain information (CVE-2016-5754)

  • 7017811
  • 04-Jul-2016
  • 29-Aug-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Administration Console
iManager
CVE-2016-5754

Situation

Access Manager is installed and working well. For security purposes, a scan of the NAM Tomcat environment was run, which detected that /var/opt/novell/iManager/nps/.htaccess exists on the NAM Administration Console server and is not access-restricted. This deployment does not need the site-access configuration that an .htaccess file provides (URL redirection, URL shortening, access control for individual pages and files, etc.), and therefore does not need this file.

Resolution

Update to NAM 4.2 SP2 or NAM 4.1.2 Hot Fix 1.
 
After the update, whenever a user accesses the .htaccess file, the server returns the following error:
 
HTTP Status 403 - Access to the requested resource has been denied
 
To work around the issue on earlier versions, simply remove the file and restart the novell-ac service.
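An added shell example, not part of this TID, that applies the workaround on the Administration Console host: it moves the .htaccess out of the web root (rather than deleting it, so it can be restored), restarts novell-ac, and then checks that a request for the file is refused. The admin console URL, the backup directory and the restart command names (rcnovell-ac / /etc/init.d/novell-ac) are assumptions.

```shell
#!/bin/sh
# Defaults; override via environment. The URL and backup path are assumptions.
HTACCESS="${HTACCESS:-/var/opt/novell/iManager/nps/.htaccess}"
BACKUP_DIR="${BACKUP_DIR:-/root/nam-htaccess-backup}"
CHECK_URL="${CHECK_URL:-https://localhost:8443/nps/.htaccess}"

# Move the file out of the web root with a timestamped name; idempotent if it is already gone.
quarantine_htaccess() {
  file="$1"; dest="$2"
  if [ ! -e "$file" ]; then
    echo "nothing to do: $file not present"
    return 0
  fi
  mkdir -p "$dest" || return 1
  mv "$file" "$dest/htaccess.$(date +%Y%m%d%H%M%S)" || return 1
  echo "moved $file to $dest"
}

# Restart the admin console; the init-script name is an assumption for SLES hosts.
restart_novell_ac() {
  if command -v rcnovell-ac >/dev/null 2>&1; then
    rcnovell-ac restart
  else
    /etc/init.d/novell-ac restart
  fi
}

# 403 is what the fixed versions return; 404 is what you get once the file is removed.
# Anything else (notably 200) means the file is still being served.
status_is_acceptable() {
  case "$1" in
    403|404) return 0 ;;
    *) return 1 ;;
  esac
}

# Fetch only the HTTP status code (-k: the admin console usually has a self-signed cert).
verify_not_served() {
  code=$(curl -k -s -o /dev/null -w '%{http_code}' "$1")
  echo "GET $1 -> HTTP $code"
  status_is_acceptable "$code"
}

# Only act when explicitly asked, so sourcing the file for its functions is harmless.
if [ "${1:-}" = "--apply" ]; then
  quarantine_htaccess "$HTACCESS" "$BACKUP_DIR" && restart_novell_ac && sleep 10 && \
    verify_not_served "$CHECK_URL" && echo "OK: .htaccess no longer served"
fi
```

Run as `sh fix-htaccess.sh --apply` on the console host; a final status of 200 means the file is still reachable and the change did not take effect.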