Environment
NetIQ Access Manager 4.1
Situation
Is Access Manager vulnerable to the Java deserialization vulnerability (Apache Commons Collections) reported at the following locations?
https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
https://access.redhat.com/solutions/2045023
Resolution
NAM may be affected under certain unlikely conditions, but there is a way to block even this remote threat. NAM does ship the affected library, but:
a) The Administration Console (AC) does not use it at all.
b) The IDP/AG does not use it to parse network streams; it only uses it to read the nidpconfig.properties file (if it exists). An attacker with local access could theoretically take advantage of the vulnerability, but an attacker who already has local access to the system has bigger avenues of attack available. To remove even this vector, delete the nidpconfig.properties file completely (or move all of its attributes into the UI). In 4.1, about 85% of all attributes are available as UI options (outside nidpconfig.properties), and in 4.2 every attribute is, so the file is not needed.
The plan is to upgrade the libraries in a future build.
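The following check script is an added example and is not part of the original TID or of the NAM product. It locates the shipped Apache Commons Collections jars under the install root, then reports whether nidpconfig.properties is still present (the only place the IDP/AG uses the library), so an administrator can confirm the mitigation described above has been applied. The install root /opt/novell/nam and the webapp layout used in the comments are assumptions; adjust NAM_ROOT to the real path.

```shell
#!/bin/sh
# Added example, not NAM's own tooling. NAM_ROOT is an assumption; override it
# to match the install (e.g. NAM_ROOT=/opt/novell/nam sh nam_deser_check.sh).
NAM_ROOT="${NAM_ROOT:-/opt/novell/nam}"

# Print every Commons Collections jar below the given root, one per line.
find_commons_collections_jars() {
  find "$1" -type f -name 'commons-collections*.jar' 2>/dev/null
}

# Print every nidpconfig.properties below the given root (assumed to live under
# <webapp>/WEB-INF/classes/ for the IDP and AG webapps), one per line.
find_nidpconfig() {
  find "$1" -type f -name 'nidpconfig.properties' 2>/dev/null
}

# Return 0 when the local vector is closed (no vulnerable jar, or the jar is
# present but no nidpconfig.properties exists for it to read), 1 otherwise.
nam_deser_check() {
  root="$1"
  jars=$(find_commons_collections_jars "$root")
  props=$(find_nidpconfig "$root")

  if [ -z "$jars" ]; then
    echo "OK: no commons-collections jar found under $root"
    return 0
  fi
  echo "commons-collections jar(s) shipped under $root:"
  echo "$jars"

  if [ -z "$props" ]; then
    echo "OK: nidpconfig.properties absent; the library has nothing to read"
    return 0
  fi

  echo "ACTION: nidpconfig.properties still present (move its attributes into the UI and delete it):"
  echo "$props"
  # A world-writable copy would let any local user plant the file contents the
  # library parses, so flag it separately (-perm -002 is the POSIX spelling).
  for f in $props; do
    if [ -n "$(find "$f" -perm -002 2>/dev/null)" ]; then
      echo "WARNING: $f is world-writable"
    fi
  done
  return 1
}

# Run against the configured root when executed directly.
if [ "${0##*/}" = "nam_deser_check.sh" ]; then
  nam_deser_check "$NAM_ROOT"
fi
```

Exit status 1 means the file is still in place and the mitigation has not been applied; the script never modifies anything, so the deletion (after moving the attributes into the UI) remains a deliberate manual step.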