Environment
NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
CVE-2016-6817
CVE-2016-6816
CVE-2016-8735
Situation
The Tomcat 8.0.39 update was recently released with fixes for multiple security vulnerabilities - http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.39_(violetagg).
Is Access Manager vulnerable to any of these CVEs, especially those rated important, such as:
1. [CVE-2016-6817] Denial of Service; affects only versions 8.5.x and 9.x and is easily exploitable
2. [CVE-2016-6816] Information Disclosure; affects all versions of Tomcat 6.x to 9.x but can be exploited only over plain HTTP connections
3. [CVE-2016-8735] Remote Code Execution; affects all versions of Tomcat 6.x to 9.x but can be exploited only if the JmxRemoteLifecycleListener is in use
Resolution
None of the NAM components are affected by these. The only exception is if you have the Identity Server base URL set up using the HTTP scheme. It is strongly recommended that you use only the HTTPS scheme for communication into the Identity Server, as this communication channel carries user credentials.
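The two exploitability preconditions called out above (an Identity Server base URL served over plain HTTP, and a Tomcat server.xml that registers JmxRemoteLifecycleListener) can be checked from a configuration export. The following audit helper is an added example, not a NetIQ tool; the base URLs and server.xml it runs against are constructed samples, and the listener class name and port attributes are Tomcat's own.

```python
"""Constructed audit helper (added example, not NetIQ's own tooling).

Checks the two conditions under which the Tomcat 8.0.39 fixes matter for an
Access Manager deployment:
  - an Identity Server base URL using the http scheme (CVE-2016-6816 exposure)
  - a server.xml that registers JmxRemoteLifecycleListener (CVE-2016-8735 exposure)
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Fully qualified class name of the Tomcat listener named in the CVE.
JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"


def insecure_base_urls(urls):
    """Return the base URLs whose scheme is anything other than https."""
    return [u for u in urls if urlsplit(u).scheme.lower() != "https"]


def jmx_remote_listener_enabled(server_xml):
    """True if any <Listener> in server.xml uses JmxRemoteLifecycleListener."""
    root = ET.fromstring(server_xml)
    return any(el.get("className") == JMX_LISTENER for el in root.iter("Listener"))


def audit(base_urls, server_xml):
    """Collect human-readable findings; an empty list means nothing to fix."""
    findings = []
    for u in insecure_base_urls(base_urls):
        scheme = urlsplit(u).scheme or "no"
        findings.append(f"Identity Server base URL {u} uses {scheme} scheme; switch to https")
    if jmx_remote_listener_enabled(server_xml):
        findings.append("JmxRemoteLifecycleListener is registered in server.xml; CVE-2016-8735 applies")
    return findings


# Constructed sample inputs (hypothetical hosts, not a real deployment).
SAMPLE_URLS = ["https://idp.example.com:8443/nidp/", "http://idp2.example.com:8080/nidp/"]
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002"/>
  <Service name="Catalina"/>
</Server>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_URLS, SAMPLE_SERVER_XML):
        print("FINDING:", finding)
```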