Environment
Novell ZENworks Configuration Management
Situation
The Zero Day Initiative (ZDI) reported a number of potential vulnerabilities in the ZENworks product. These vulnerabilities include issues such as SQL Injection, Directory Traversal, Information Disclosure and Session ID Disclosure.
The vulnerabilities reported are as follows:
ZDI-CAN-2491: ZENworks Preboot Policy Service Stack Buffer Overflow Remote Code Execution Vulnerability CVE-2015-0786
ZDI-CAN-2575: Novell Zenworks GetStoredResult.class SQL Injection Remote Code Execution Vulnerability CVE-2015-0780
ZDI-CAN-2576: Novell Zenworks schedule.ScheduleQuery SQL Injection Remote Code Execution Vulnerability CVE-2015-0782
ZDI-CAN-2577: Novell Zenworks FileViewer Information Disclosure Vulnerability CVE-2015-0783
ZDI-CAN-2578: Novell Zenworks com.novell.zenworks.inventory.rtr.actionclasses.wcreports Information Disclosure Vulnerability CVE-2015-0785
ZDI-CAN-2579: Novell Zenworks Rtrlet.class Session ID Disclosure Vulnerability CVE-2015-0784
ZDI-CAN-2600: Novell Zenworks Rtrlet doPost Directory Traversal Remote Code Execution Vulnerability CVE-2015-0781
Resolution
The following patch has been released in order to address these issues:
https://download.novell.com/Download?buildid=BJbybNUmQRQ~
It includes fixes for the following ZCM versions:
ZCM 11.2.4
ZCM 11.2.4 MU1
ZCM 11.3.0
ZCM 11.3.0 FRU1
ZCM 11.3.1
ZCM 11.3.1 FRU1
ZCM 11.3.2
ZCM 11.3.2 FRU1
See the patch download page for further details.