Resolution
NetIQ Vulnerability Manager 5.0
symptom
A vulnerability in Crystal Reports Web Viewer would allow information disclosure and Denial of Service (DoS) attacks.
fix
Microsoft Security Bulletin MS04-017 describes a vulnerability in Crystal Reports that may allow an attacker to disclose information or conduct Denial of Service (DoS) attacks on an affected system. The NetIQ Vulnerability Manager GUI relies on a Crystal installer that, in turn, installs the vulnerable Crystal component. The vulnerable component is not used by NetIQ Vulnerability Manager. The fix requires either changing the configuration (i.e., removing the component) or installing the patch referred to by MS04-017. Installing the patch is the preferred method.
For more information on the Microsoft vulnerability and installing the patch referred to in MS04-017, see:
Date       Time   Version     Size    File name
-------------------------------------------------------------------------
12-May-04  20:56  9.1.9800.9  151552  CrystalDecisions.Web.dll
13-May-04  19:25  N/A         507392  Crystal_Managed2003.msm
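One way to confirm the state of a host after applying the fix is to locate every copy of CrystalDecisions.Web.dll and compare its file version with the one in the table above. This is an added example, not NetIQ or Microsoft code. It assumes that the listed version (9.1.9800.9) is the patched build, and the SearchRoot parameter is hypothetical.

```powershell
# Added example: audit copies of CrystalDecisions.Web.dll against the file
# version listed in the table above (9.1.9800.9).
# Assumptions: the listed version is the patched build; $SearchRoot is a
# hypothetical parameter, point it at the drives or folders to audit.
param(
    [string[]]$SearchRoot = @("$env:SystemDrive\")
)

$fileName    = 'CrystalDecisions.Web.dll'
$listedBuild = [version]'9.1.9800.9'

# Access-denied folders are skipped silently; run elevated for full coverage.
$found = Get-ChildItem -Path $SearchRoot -Filter $fileName -Recurse -File -ErrorAction SilentlyContinue

if (-not $found) {
    # Also the expected result when the component has been removed instead of patched.
    Write-Output "No copy of $fileName found under: $($SearchRoot -join ', ')"
    return
}

$found | ForEach-Object {
    $vi = $_.VersionInfo
    # FileVersion strings can carry trailing text, so build the version
    # from the numeric parts of the version resource instead.
    $installed = [version]("{0}.{1}.{2}.{3}" -f $vi.FileMajorPart, $vi.FileMinorPart,
                                               $vi.FileBuildPart, $vi.FilePrivatePart)
    [pscustomobject]@{
        Path    = $_.FullName
        Version = $installed
        Status  = if ($installed -ge $listedBuild) { 'at or above listed version' }
                  else { 'older than listed version' }
    }
} | Sort-Object Status, Path | Format-Table -AutoSize -Wrap
```

Any copy reported as older than the listed version is on a host where neither the patch nor the component removal has taken effect for that file.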
note
A directory traversal vulnerability exists in Crystal Reports and Crystal Enterprise that could allow information disclosure and Denial of Service attacks on an affected system. An attacker who successfully exploited the vulnerability could retrieve and delete files through the Crystal Reports and Crystal Enterprise Web interface on an affected system.
The vulnerable component is not used by NetIQ Vulnerability Manager.