Security Vulnerability: Novell Identity Manager engine installation leaves admin tree credentials in a file.

  • 7006705
  • 23-Aug-2010
  • 11-Jun-2013

Environment

Novell Identity Manager 3.6.1

Situation

When installing Novell Identity Manager (IDM) the installer prompts for credentials to the tree where IDM is being installed.  This is done so that schema can be extended for the IDM product within eDirectory.  A log file for the installation is written to /tmp/idmInstall.log which contains the steps taken during the installation and in some cases contains the credentials as entered by the administrator.

Resolution

The log file is not needed by IDM or any other product after the installation is complete and is used for troubleshooting failures during the install.  It should be removed once the installation is completed.  The file is, by default, at the following location:

/tmp/idmInstall.log

This location may change based on the system environment variables but should be in the defined temporary directory in any case.

This is currently resolved in IDM 4.01.  If there is another patch for IDM 3.6, this will also be included there.  There is no guarentee that there will be another 3.6 patch released at this time.  The suggestion is to upgrade to IDM 4.01

Status

Security Alert