ZAM 7.5 SQL Injection Vulnerability

  • 7005128
  • 12-Jan-2010
  • 27-Apr-2012

Environment

Novell ZENworks 7.5 Asset Management - ZAM7.5

Situation

A vulnerability has been reported which allows remote attackers to execute arbitrary code on vulnerable installations of Novell ZAM7.5.
A carefully crafted parameter can result in direct SQL access to the underlying SQL Server database, which an attacker could further leverage to potentially execute arbitrary code.

Resolution

Fixed in ZENworks Asset Management 7.5 Interim Release IR19 or newer

Interim Releases can be scheduled to run automatically or can be downloaded manually at https://download.novell.com. The Interim Releases can be set up within the ZAM Manager for the Task server to check the site on a scheduled basis, and download and apply them automatically. Please refer to the Help section for details of how to set up automatic downloads if desired.

Each interim release is cumulative. If Interim Release IR19 is not available due to a newer interim release being placed on the website, be assured that the code needed is in the later release.

Status

Security Alert

Additional Information

Information reported by Tippingpoint ZDI-CAN-457
This vulnerability was discovered by: Anonymous