NetIQ Access Manager 3.2 SP1 shipping with older JDK 1.6.0_30

This document (7011405) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 3.2 SP1 Administration Console
NetIQ Access Manager 3.2 SP1 Identity Server
NetIQ Access Manager 3.2 SP1 Access Gateway
NetIQ Access Manager 3.2 SP1 SSLVPN
NetIQ Access Manager 3.2 SP1 Java Agents

Situation

Access Manager 3.2 SP1 shipped with JDK 1.6.0_30. At the time of shipping, Oracle had already released JDK 1.6.0_32, which included fixes for a number of vulnerabilities. When a security scan was run against all Access Manager components, the scanner reported that these components were susceptible to the vulnerabilities fixed in the latest JDK. The full list of fixed vulnerabilities is documented at http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html. The security scan reported the following 8 CVEs as relating to Access Manager:

  • CVE-2012-1724 OpenJDK: XML parsing infinite loop (JAXP, 7157609)
  • CVE-2012-1718 OpenJDK: CRL and certificate extensions handling improvements (Security, 7143872)
  • CVE-2012-1720: an unspecified vulnerability in the networking component that affects both server and client code
  • CVE-2012-1725 OpenJDK: insufficient invokespecial <init> verification (HotSpot, 7160757)
  • CVE-2012-1723 OpenJDK: insufficient field accessibility checks (HotSpot, 7152811)


Resolution

None of these issues apply to Access Manager 3.2 SP1. The JAXP CVE involves XML processing, which NAM does heavily, but the Identity and Service Provider Servers use the Xerces implementation, not the default implementation shipped with the JRE, which is the one susceptible to the issue.
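One way to check the parser claim on a given host, as an added example that is not NetIQ's code: the class below reports the running JDK update level and whether the JAXP factories resolve to the JRE-internal parser or to a parser loaded from a separate jar. The class name `JaxpCheck` and its helper names are hypothetical; the code is kept Java 6 compatible.

```java
import java.security.CodeSource;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.SAXParserFactory;

// Added example (hypothetical class): shows which JAXP implementation the
// current classpath resolves to, and the JDK 6 update level it runs on.
public class JaxpCheck {
    // Package prefix of the parser bundled inside the Sun/Oracle JRE.
    static final String JRE_INTERNAL = "com.sun.org.apache.xerces.internal.";
    // Update level this page names as containing the fixes (1.6.0_32).
    static final int FIXED_UPDATE = 32;

    // Returns NN from a "1.6.0_NN" version string, or -1 if it does not match.
    static int jdk6Update(String version) {
        Matcher m = Pattern.compile("^1\\.6\\.0_(\\d+)").matcher(version);
        return m.find() ? Integer.parseInt(m.group(1)) : -1;
    }

    // True when the factory class is the JRE's built-in implementation.
    static boolean isJreDefault(Object factory) {
        return factory.getClass().getName().startsWith(JRE_INTERNAL);
    }

    static void report(String label, Object factory) {
        CodeSource src = factory.getClass().getProtectionDomain().getCodeSource();
        // Bootstrap (JRE) classes have no code source; a standalone jar does.
        String origin = (src == null || src.getLocation() == null)
                ? "JRE bootstrap classes" : src.getLocation().toString();
        System.out.println(label + ": " + factory.getClass().getName());
        System.out.println("  loaded from: " + origin);
        System.out.println("  JRE default parser: " + isJreDefault(factory));
    }

    public static void main(String[] args) {
        String version = System.getProperty("java.version");
        int update = jdk6Update(version);
        System.out.println("java.version: " + version);
        if (update >= 0 && update < FIXED_UPDATE) {
            System.out.println("  older than 1.6.0_" + FIXED_UPDATE
                    + "; version-based scanners will flag this JDK");
        }
        report("DocumentBuilderFactory", DocumentBuilderFactory.newInstance());
        report("SAXParserFactory", SAXParserFactory.newInstance());
    }
}
```

The result reflects only the classpath the check is run with, so it has to be run with the same classpath as the component being assessed. A standalone Apache Xerces jar reports factory classes under `org.apache.xerces.jaxp`.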

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7011405
  • Creation Date: 21-NOV-12
  • Modified Date: 21-NOV-12
    • NetIQ Access Manager (NAM)
