Environment
NetIQ Sentinel 7.3.x and 7.4.x
Situation
Deserialization vulnerability in the usage of "Apache Commons FileUpload" library's DiskFileItem class by Sentinel allows a remote unauthenticated attacker to create files and delete files owned by the "novell" user and group on the Sentinel Server.
Resolution
7.3.x customers should upgrade to Sentinel Server 7.3.4.0 to resolve this vulnerability.
7.4.x customers should upgrade to Sentinel Server 7.4.3.0 to resolve this vulnerability.
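As a defensive counterpart to the issue described above (an added example, not Sentinel's or Apache Commons FileUpload's own code), the following Java 9+ ObjectInputFilter rejects the DiskFileItem class by name and denies every class not on a short allow-list before the deserializer resolves it. The com.example.app.dto package and the sample payloads are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;

/** Deserializes untrusted bytes behind a deny-by-default class filter (added example). */
public final class SafeDeserializer {

    // Patterns are matched in order, first match wins. The class from the advisory is named
    // explicitly; "com.example.app.dto.*" is an assumed application package; "!*" rejects
    // everything else. The limits bound nesting, reference count and stream size.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "!org.apache.commons.fileupload.disk.DiskFileItem;"
          + "com.example.app.dto.*;"
          + "java.util.ArrayList;java.lang.String;"
          + "maxdepth=10;maxrefs=1000;maxbytes=65536;!*");

    public static Object readObject(InputStream in) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(in)) {
            ois.setObjectInputFilter(FILTER); // consulted for every class before it is loaded
            return ois.readObject();          // throws InvalidClassException on a rejected class
        }
    }

    private static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: an allow-listed payload round-trips, any other class is refused.
        byte[] allowed = serialize(new ArrayList<>(List.of("a", "b")));
        System.out.println("allowed: " + readObject(new ByteArrayInputStream(allowed)));
        byte[] denied = serialize(new HashMap<String, String>()); // HashMap is not allow-listed
        try {
            readObject(new ByteArrayInputStream(denied));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```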
Bug Number
987356
Additional Information
Credit
Thanks to Jacob Baines of Tenable Network Security, working with Trend Micro's Zero Day Initiative, for reporting this vulnerability.
References
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
http://zerodayinitiative.com/advisories/ZDI-16-570/