Environment
NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Admin Console
CVE-2016-5755
Situation
Access Manager Admin Console ships with iManager. With the default settings (encryption level set to high), web security scanners such as Nessus or AppScan report it as vulnerable to clickjacking attacks.
Resolution
Apply the NAM 4.2.2 patch on NAM 4.2, or apply NAM 4.1.2 Hot Fix 1 on NAM 4.1.
To work around the issue on older versions, do the following:
a) Open the web.xml file. It is located at:
Linux: /opt/novell/nam/adminconsole/conf
Windows Server 2012: \Program Files (x86)\Novell\Tomcat\conf
b) Add the following Tomcat filter configuration below any existing filter configurations:
<filter>
    <filter-name>TomcatSameOriginFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>TomcatSameOriginFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
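Two checks for the workaround above, added here as an example and not part of the original article or of NetIQ's code: one parses a web.xml (a constructed sample containing the filter from step b) and reports whether HttpHeaderSecurityFilter is declared, which antiClickJackingOption it sets, and whether it is mapped to /*; the other classifies a response's X-Frame-Options header the way a scanner would. The helper and sample names are the example's own.

```python
"""Verify the Tomcat clickjacking workaround in web.xml and in a response."""
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"

# Constructed web.xml fragment carrying the filter from step b) of the article.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>TomcatSameOriginFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param><param-name>antiClickJackingOption</param-name>
                <param-value>SAMEORIGIN</param-value></init-param>
  </filter>
  <filter-mapping>
    <filter-name>TomcatSameOriginFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>"""

def _local(tag):
    # web.xml normally declares a default namespace; strip it so names match either way.
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), "")

def clickjacking_filter_status(web_xml):
    """Report whether HttpHeaderSecurityFilter is declared, which
    antiClickJackingOption it sets (None = Tomcat's default, DENY), and
    whether it is mapped to /* so every Admin Console URL is covered."""
    root = ET.fromstring(web_xml)
    names, option = set(), None
    for f in (e for e in root if _local(e.tag) == "filter"):
        if _child_text(f, "filter-class") != FILTER_CLASS:
            continue
        names.add(_child_text(f, "filter-name"))
        for ip in (c for c in f if _local(c.tag) == "init-param"):
            if _child_text(ip, "param-name") == "antiClickJackingOption":
                option = _child_text(ip, "param-value").upper()
    mapped = any(_child_text(m, "filter-name") in names
                 and _child_text(m, "url-pattern") == "/*"
                 for m in root if _local(m.tag) == "filter-mapping")
    return {"declared": bool(names), "option": option, "mapped_all": mapped}

def frame_protection(headers):
    """Classify a response as a scanner would: 'DENY', 'SAMEORIGIN' or 'none'."""
    value = {k.lower(): v for k, v in headers.items()}.get("x-frame-options", "")
    value = value.strip().upper()
    return value if value in ("DENY", "SAMEORIGIN") else "none"
```

Run the header check against the Admin Console only after restarting its Tomcat, since edits to conf/web.xml are not picked up while it is running.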