A vulnerability in Crystal Reports Web Viewer would allow information disclosure and Denial of Service (NETIQKB40854)

  • 7740854
  • 02-Feb-2007
  • 13-Aug-2007

Resolution

fact
NetIQ Vulnerability Manager 5.0

symptom
A vulnerability in Crystal Reports Web Viewer would allow information disclosure and Denial of Service (DOS) attacks.

fix

There is a vulnerability related to Crystal Reports, as communicated by Microsoft in Security Bulletin MS04-017, which may allow an attacker to disclose information or conduct Denial of Service (DOS) attacks on an affected system. The NetIQ Vulnerability Manager GUI relies on a Crystal installer that, in turn, installs the vulnerable Crystal component. The vulnerable component is not used by NetIQ Vulnerability Manager. The fix requires either changing the configuration (i.e., removing the component) or installing the patch referred to by MS04-017. Installing the patch is the preferred method.

For more information on the Microsoft vulnerability and installing the patch referred to in MS04-017, see:

   Date         Time    Version      Size      File name
   ----------------------------------------------------------------------
   12-May-04    20:56   9.1.9800.9   151552    CrystalDecisions.Web.dll
   13-May-04    19:25   N/A          507392    Crystal_Managed2003.msm
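
One way to confirm the patch landed is to compare every installed copy of CrystalDecisions.Web.dll against the version in the table above. This PowerShell script is an added example, not NetIQ or Microsoft code; it assumes the table lists the file as delivered by the MS04-017 patch, and the directories to search are supplied by the operator because the page does not give an install path.

```powershell
# Added example: audit CrystalDecisions.Web.dll copies against the table on this page.
# Assumption: 9.1.9800.9 is the patched file version, so a lower version means
# the MS04-017 patch has not been applied to that copy.
param(
    # Directories to search; operator-supplied (no install path is given on the page).
    [Parameter(Mandatory = $true)]
    [string[]]$SearchRoot
)

$fileName       = 'CrystalDecisions.Web.dll'
$patchedVersion = [version]'9.1.9800.9'   # version column of the table
$patchedSize    = 151552                  # size column of the table, in bytes

function Get-CrystalWebDllStatus {
    param([string[]]$Root)

    Get-ChildItem -Path $Root -Filter $fileName -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_.VersionInfo
            # Use the numeric parts; the FileVersion string can carry extra text.
            $found = New-Object System.Version -ArgumentList @(
                $info.FileMajorPart, $info.FileMinorPart,
                $info.FileBuildPart, $info.FilePrivatePart)

            $status = if ($found -lt $patchedVersion) { 'BelowPatchLevel' }
                      elseif ($found -eq $patchedVersion -and $_.Length -ne $patchedSize) { 'SizeMismatch' }
                      else { 'AtOrAbovePatchLevel' }

            [pscustomobject]@{
                Path    = $_.FullName
                Version = $found
                Size    = $_.Length
                Status  = $status
            }
        }
}

$results = @(Get-CrystalWebDllStatus -Root $SearchRoot)
if ($results.Count -eq 0) {
    # No copy found: consistent with the "remove the component" option.
    Write-Output "No copy of $fileName found under: $($SearchRoot -join ', ')"
} else {
    $results | Sort-Object Status, Path | Format-Table -AutoSize
    # Non-zero exit code lets a scheduled job flag the host for follow-up.
    if ($results.Status -contains 'BelowPatchLevel') { exit 1 }
}
```

A `SizeMismatch` result means the version matches the table but the byte count does not, which is worth checking by hand before treating the host as patched.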



note

A directory traversal vulnerability exists in Crystal Reports and Crystal Enterprise that could allow information disclosure and Denial of Service attacks on an affected system. An attacker who successfully exploited the vulnerability could retrieve and delete files through the Crystal Reports and Crystal Enterprise Web interface on an affected system.

The vulnerable component is not used by NetIQ Vulnerability Manager.



Additional Information

Formerly known as NETIQKB40854