Environment
NetIQ Access Manager
NetIQ Access Gateway Appliance 3.2
NetIQ Access Gateway Appliance 3.2 Support Pack 3
NetIQ Access Gateway Appliance 4.0
NetIQ Access Gateway Appliance 4.0 Support Pack 1
NetIQ Access Gateway Appliance 4.0 Support Pack 1 Hotfix 3
Situation
- This problem, nicknamed "GHOST", affects NetIQ Access Gateway Appliance 3.2 and 4.0 systems which have not been patched using the update channel after the 29th of January 2015.
- Note: Any operating system related security updates and patches are delivered by the configured update channels using the "zypper" tool, provided you followed the instructions on "Installing or Updating Security Patches for the Access Gateway Appliance" in the Access Manager Installation or Migration and Update Guide documentation. You can review the currently configured update channels by running: "zypper lr"
For the Access Gateway Appliance:
Version 3.2 this looks like:
# | Alias | Name | Enabled | Refresh
--+---------------------------------------+---------------------------------------+---------+--------
1 | NetIQAccessGatewayAppliance-3.2.0-327 | NetIQAccessGatewayAppliance-3.2.0-327 | Yes | Yes
2 | nu_novell_com:NAM32-APP-Updates | NAM32-APP-Updates | Yes | Yes
Version 4.0 this looks like:
# | Alias | Name | Enabled | Refresh
--+--------------------------------------+--------------------------------------+---------+--------
1 | NetIQAccessGatewayAppliance-4.0.1-88 | NetIQAccessGatewayAppliance-4.0.1-88 | Yes | No
2 | nu_novell_com:NAM40-APP-Updates | NAM40-APP-Updates | Yes | Yes
- The current glibc versions on the NetIQ Access Gateway Appliance for systems which have not been patched after the above mentioned date are:
- 4.0.1 is: "glibc-2.11.3-17.72.14"
- 3.2.3 is: "glibc-2.11.1-0.38.1"
Resolution
- The required patches were added to the update channel on the 29th of January 2015.
- The NAM appliance channel has been refreshed for the 4.0 and 3.2.3 lines with the updates below:
x86_64/glibc-2.11.3-17.74.13.x86_64.rpm
x86_64/glibc-32bit-2.11.3-17.74.13.x86_64.rpm
x86_64/glibc-devel-2.11.3-17.74.13.x86_64.rpm
x86_64/glibc-devel-32bit-2.11.3-17.74.13.x86_64.rpm
x86_64/glibc-html-2.11.3-17.74.13.x86_64.rpm
x86_64/glibc-i18ndata-2.11.3-17.74.13.x86_64.rpm
x86_64/glibc-info-2.11.3-17.74.13.x86_64.rpm
x86_64/glibc-locale-2.11.3-17.74.13.x86_64.rpm
x86_64/glibc-locale-32bit-2.11.3-17.74.13.x86_64.rpm
x86_64/glibc-profile-2.11.3-17.74.13.x86_64.rpm
x86_64/glibc-profile-32bit-2.11.3-17.74.13.x86_64.rpm
x86_64/iptables-1.4.6-2.13.3.2.x86_64.rpm
x86_64/metacity-2.28.1-0.20.1.x86_64.rpm
x86_64/metacity-lang-2.28.1-0.20.1.x86_64.rpm
x86_64/nscd-2.11.3-17.74.13.x86_64.rpm
x86_64/perl-Net-DNS-0.63-43.10.1.x86_64.rpm
x86_64/ruby-1.8.7.p357-0.9.17.1.x86_64.rpm
x86_64/ruby-doc-html-1.8.7.p357-0.9.17.1.x86_64.rpm
x86_64/ruby-tk-1.8.7.p357-0.9.17.1.x86_64.rpm
x86_64/unzip-6.00-11.9.1.x86_64.rpm
x86_64/vsftpd-2.0.7-4.27.1.x86_64.rpm
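The two checks above (update channel enabled, glibc at or beyond 2.11.3-17.74.13) can be scripted. The following is an added example, not NetIQ tooling or part of the original TID; the function names and the "--check" switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: patch-status check built from the values in this TID.
FIXED="2.11.3-17.74.13"   # glibc version-release listed under Resolution

# vr_lt A B: succeed when version-release A is older than B.
# Assumption: fields split on "." and "-" are compared numerically. That is
# enough for the all-numeric glibc strings in this TID; it is not a full
# reimplementation of rpm's version comparison.
vr_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, /[.-]/); m = split(b, y, /[.-]/)
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not "older"
    }'
}

# glibc_status STRING: accepts "glibc-2.11.3-17.72.14" or a bare
# version-release and prints "vulnerable" or "patched".
glibc_status() {
    vr=${1#glibc-}
    if vr_lt "$vr" "$FIXED"; then echo vulnerable; else echo patched; fi
}

# channel_enabled NAME: reads "zypper lr" output on stdin and succeeds only
# if a repository whose Name column equals NAME shows Enabled = Yes.
channel_enabled() {
    awk -F'|' -v want="$1" '
        { for (i = 1; i <= NF; i++) gsub(/^ +| +$/, "", $i) }
        $3 == want && $4 == "Yes" { found = 1 }
        END { exit !found }'
}

# Live check on an appliance: sh script.sh --check [channel name]
if [ "${1:-}" = "--check" ]; then
    zypper lr | channel_enabled "${2:-NAM40-APP-Updates}" ||
        echo "update channel missing or disabled"
    glibc_status "$(rpm -q --qf '%{VERSION}-%{RELEASE}' glibc)"
fi
```

On a 3.2 appliance pass NAM32-APP-Updates as the channel name.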
Additional Information
- For the Access Gateway Service any OS related patches are provided by the OS vendor.
- For SUSE Linux Enterprise Server use the following link to review this issue and what needs to be done: http://support.novell.com/security/cve/CVE-2015-0235.html
- Note: Changing any IP addresses for the Access Gateway Appliance after all OS patches have been applied using the update channel might end up losing the loopback interface at: "/etc/sysconfig/network". Please review TID 7016115: NetIQ Access Gateway Appliance 4.0 lost the loopback interface after applying security patches.