Potential Security Vulnerabilities with ZENworks

This document (7016431) is provided subject to the disclaimer at the end of this document.

Environment

Novell ZENworks Configuration Management

Situation

The Zero Day Initiative (ZDI) reported a number of potential vulnerabilities in the ZENworks product. These include SQL injection, directory traversal, information disclosure and session ID disclosure issues.

The vulnerabilities reported are as follows:
  • ZDI-CAN-2491: ZENworks Preboot Policy Service Stack Buffer Overflow Remote Code Execution Vulnerability (CVE-2015-0786)
  • ZDI-CAN-2575: Novell Zenworks GetStoredResult.class SQL Injection Remote Code Execution Vulnerability (CVE-2015-0780)
  • ZDI-CAN-2576: Novell Zenworks schedule.ScheduleQuery SQL Injection Remote Code Execution Vulnerability (CVE-2015-0782)
  • ZDI-CAN-2577: Novell Zenworks FileViewer Information Disclosure Vulnerability (CVE-2015-0783)
  • ZDI-CAN-2578: Novell Zenworks com.novell.zenworks.inventory.rtr.actionclasses.wcreports Information Disclosure Vulnerability (CVE-2015-0785)
  • ZDI-CAN-2579: Novell Zenworks Rtrlet.class Session ID Disclosure Vulnerability (CVE-2015-0784)
  • ZDI-CAN-2600: Novell Zenworks Rtrlet doPost Directory Traversal Remote Code Execution Vulnerability (CVE-2015-0781)

Resolution

The following patch has been released to address these issues:
https://download.novell.com/Download?buildid=BJbybNUmQRQ~

It includes fixes for the following ZCM versions:
  • ZCM 11.2.4
  • ZCM 11.2.4 MU1
  • ZCM 11.3.0
  • ZCM 11.3.0 FRU1
  • ZCM 11.3.1
  • ZCM 11.3.1 FRU1
  • ZCM 11.3.2
  • ZCM 11.3.2 FRU1

See the patch download page for further details.

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7016431
  • Creation Date: 16-APR-15
  • Modified Date: 23-APR-15
    • Novell ZENworks Configuration Management