Is Access Manager vulnerable to issues fixed in tomcat 8.0.39 release

  • 7018326
  • 24-Nov-2016
  • 24-Nov-2016

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
CVE-2016-6817
CVE-2016-6816
CVE-2016-8735

Situation

The Tomcat 8.0.39 update was recently released with fixes for multiple security vulnerabilities - http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.39_(violetagg).

Is Access Manager vulnerable to any of these CVEs, especially those rated important, such as:

1. [CVE-2016-6817] Denial of Service: affects only versions 8.5.x and 9.x and is easily exploitable

2. [CVE-2016-6816] Information Disclosure: affects all versions of Tomcat 6.x to 9.x but can be exploited only on HTTP connections

3. [CVE-2016-8735] Remote Code Execution: affects all versions of Tomcat 6.x to 9.x but can be exploited only if the JmxRemoteLifecycleListener module is used


Resolution

None of the NAM components are affected by this. The only exception is if the Identity Server base URL is set up using the HTTP scheme. It is strongly recommended that you use only the HTTPS scheme for communication into the Identity Server, as this communication channel carries user credentials.
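The resolution turns on two things an administrator can verify: whether any Identity Server base URL is configured with the HTTP scheme, and whether a Tomcat 8.0.x version string is at or past the 8.0.39 fix release the KB cites. The helper below is an added example for this article, not code from NetIQ or the Access Manager product; the host names, paths and version strings in it are constructed samples, and it deliberately returns no verdict for Tomcat branches other than 8.0 because the article names only the 8.0.39 release.

```python
import re
from urllib.parse import urlsplit

# Fix release named in the KB for the Tomcat 8.0 branch.
TOMCAT_8_0_FIX = (8, 0, 39)

# Constructed sample base URLs; not taken from any real NAM deployment.
SAMPLE_BASE_URLS = [
    "https://idp.example.com:8443/nidp/",
    "http://idp.example.com:8080/nidp/",
    "HTTP://idp-legacy.example.com/nidp/",
]


def parse_version(version: str):
    """Turn '8.0.39' into (8, 0, 39).

    Comparing numeric tuples avoids the string-comparison trap where
    '8.0.4' sorts after '8.0.39'; trailing components such as '8.0.39.0'
    are ignored.
    """
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    return tuple(int(g) for g in m.groups())


def tomcat_8_0_has_fix(version: str):
    """True/False for an 8.0.x version; None for any other branch, because
    the KB only names 8.0.39 and this helper does not guess other fix levels."""
    v = parse_version(version)
    if v[:2] != TOMCAT_8_0_FIX[:2]:
        return None
    return v >= TOMCAT_8_0_FIX


def audit_base_url(url: str) -> dict:
    """Classify one configured Identity Server base URL.

    Per the KB, the only NAM exposure is an HTTP-scheme base URL; that also
    means user credentials cross the wire in cleartext, so it is flagged.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    finding = {"url": url, "scheme": scheme,
               "compliant": scheme == "https", "reason": ""}
    if scheme == "http":
        finding["reason"] = ("HTTP base URL: CVE-2016-6816 applies and "
                             "credentials are sent in cleartext; switch to HTTPS")
    elif scheme != "https":
        finding["reason"] = f"unexpected scheme {scheme!r}; expected https"
    return finding


def non_compliant_base_urls(urls) -> list:
    """Return only the URLs an administrator needs to act on."""
    return [f["url"] for f in map(audit_base_url, urls) if not f["compliant"]]


if __name__ == "__main__":
    for u in SAMPLE_BASE_URLS:
        f = audit_base_url(u)
        status = "OK " if f["compliant"] else "FIX"
        print(f"{status} {u} {f['reason']}".rstrip())
    for ver in ("8.0.38", "8.0.39", "8.0.4", "8.5.6"):
        print(ver, "->", tomcat_8_0_has_fix(ver))
```

Scheme matching is case-insensitive because `urlsplit` lowercases the scheme and the audit lowercases it again, so an upper-case `HTTP://` entry is still caught; the version check returns `None` rather than a guess for non-8.0 branches so the caller can treat those as "consult the vendor" instead of "patched".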