
Information leakage with NAM Identity Server and SAML2 Service Provider while using Virtual Attributes (CVE-2017-5190)

This document (7018792) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2
Virtual Attributes enabled on Identity Server
NAM Acting as a SAML 2.0 Identity Server
CVE-2017-5190

Situation

Access Manager is used as a SAML 2.0 Identity Server to generate assertions for remote SAML 2.0 Service Providers. Within these assertions, the NameIdentifier value is populated from a Virtual Attribute.

At an indeterminate frequency, a user accessing the application on the SAML SP is redirected to the NAM Identity Server to log in. After logging in to the NAM Identity Server, the user single-signs-on to the SP but receives a stale profile.

This issue only manifests itself when using virtual attributes.
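A defender-side check for the symptom above, added here as an example (not NetIQ code): it parses a SAML 2.0 Response, pulls the NameID and attributes from the assertion, and flags any assertion whose NameID does not belong to the user who actually authenticated. The sample assertion, the user names and the `expected_name_ids` mapping are constructed assumptions.

```python
"""Detect a NameID that does not belong to the authenticated user.
Added example; the SAML Response below is constructed, not captured."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the IdP put alice's identifier into the NameID.
SAMPLE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:Assertion>
  <saml2:Subject><saml2:NameID>alice@example.test</saml2:NameID></saml2:Subject>
  <saml2:AttributeStatement>
   <saml2:Attribute Name="mail">
    <saml2:AttributeValue>alice@example.test</saml2:AttributeValue>
   </saml2:Attribute>
  </saml2:AttributeStatement>
 </saml2:Assertion>
</saml2p:Response>"""


def extract_subject(response_xml: str) -> dict:
    """Return the NameID text and the attribute map of the first Assertion."""
    root = ET.fromstring(response_xml)
    assertion = root.find(".//saml2:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in Response")
    name_id = assertion.findtext("saml2:Subject/saml2:NameID", None, NS)
    attrs = {}
    for attr in assertion.findall(".//saml2:Attribute", NS):
        values = [v.text for v in attr.findall("saml2:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return {"name_id": name_id, "attributes": attrs}


def check_assertion(response_xml: str, authenticated_user: str,
                    expected_name_ids: dict) -> tuple:
    """expected_name_ids maps a login name to the NameID the IdP should emit
    for it (for example the value held in the LDAP user store).  Returns
    (ok, reason); a mismatch is the 'stale profile' condition."""
    subject = extract_subject(response_xml)
    if subject["name_id"] is None:
        return False, "assertion carries no NameID"
    expected = expected_name_ids.get(authenticated_user)
    if subject["name_id"] != expected:
        return False, (f"NameID {subject['name_id']!r} does not belong to "
                       f"authenticated user {authenticated_user!r}")
    return True, "NameID matches authenticated user"
```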

Resolution

Apply NAM 4.2 SP3 Hot Fix 1 patch for NAM 4.2 builds, and NAM 4.3 SP1 Hot Fix 1 patch for NAM 4.3 builds.

As a workaround, write the virtual attribute value to the LDAP user store and retrieve that attribute to inject into the assertion.

Cause

A concurrency issue in virtual attribute evaluation.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7018792
  • Creation Date: 11-APR-17
  • Modified Date: 13-APR-17
  • Product: NetIQ Access Manager (NAM)
