Nessus scan reports in Web Application Potentially Vulnerable to Clickjacking in iManager (CVE-2016-5755)

  • 7017812
  • 04-Jul-2016
  • 29-Aug-2016

Environment

NetIQ Access Manager 4.2
NetIQ Access Manager 4.1
Access Manager Admin Console
CVE-2016-5755

Situation

Access Manager Admin Console ships with iManager. With the default settings (encryption level set to high) it is reported as vulnerable to clickjacking attacks by Web security scanners such as Nessus or Appscan.

Resolution

Apply the NAM 4.2.2 patch on NAM 4.2, or NAM 4.1.2 Hot Fix 1 on NAM 4.1.

To work around the issue on older versions, you can do the following:

a) Open the web.xml file, which is located at:

Linux: /opt/novell/nam/adminconsole/conf
Windows Server 2012: \Program Files (x86)\Novell\Tomcat\conf

b) Add the following Tomcat filter configuration below any existing filter configurations (the filter sets the X-Frame-Options response header to SAMEORIGIN, so the console can only be framed by pages from its own origin):

<!-- Tomcat's built-in header-security filter; SAMEORIGIN allows framing only from the same origin -->
<filter>
    <filter-name>TomcatSameOriginFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
        <param-name>antiClickJackingOption</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>

<!-- Without a mapping the filter never runs; /* applies it to every request -->
<filter-mapping>
    <filter-name>TomcatSameOriginFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
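After editing web.xml and restarting Tomcat, a practitioner will want to confirm both that the edit is wired correctly and that the header actually reaches the browser. The script below is an added example, not code from the KB article, NetIQ or Tomcat: it checks a web.xml for a declared HttpHeaderSecurityFilter with a valid antiClickJackingOption and a /* mapping, and checks a captured raw response (for example the output of curl -I against the admin console) for an X-Frame-Options value browsers enforce. The sample web.xml and header block are constructed for the example; the assumption that Tomcat uses DENY when the init-param is omitted reflects the filter's documented default.

```python
"""Verify the clickjacking workaround: web.xml wiring and the live header.

Added example (not part of the KB article or of Tomcat/NetIQ code).
"""
import xml.etree.ElementTree as ET

FILTER_CLASS = "org.apache.catalina.filters.HttpHeaderSecurityFilter"
# Values browsers enforce; ALLOW-FROM is obsolete and ignored by current browsers.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def _local(tag):
    """Strip the XML namespace ({uri}name -> name) so a web.xml with or
    without the Java EE default namespace is handled the same way."""
    return tag.split("}", 1)[-1]


def _text(elem, name):
    """Text of the first direct child named `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def check_web_xml(xml_text):
    """Return findings about the HttpHeaderSecurityFilter wiring.

    `ok` is True only when the filter is declared with the right class,
    its anti-clickjacking option is one browsers enforce, and the filter
    is mapped to /* (a declared filter with no mapping never runs)."""
    root = ET.fromstring(xml_text)
    findings = {"filter_declared": False, "option": None, "mapped_to_all": False}
    filter_names = set()
    for elem in root:
        if _local(elem.tag) == "filter" and _text(elem, "filter-class") == FILTER_CLASS:
            findings["filter_declared"] = True
            filter_names.add(_text(elem, "filter-name"))
            for param in elem:
                if (_local(param.tag) == "init-param"
                        and _text(param, "param-name") == "antiClickJackingOption"):
                    findings["option"] = _text(param, "param-value")
    # Second pass: mappings may appear before or after the <filter> element.
    for elem in root:
        if (_local(elem.tag) == "filter-mapping"
                and _text(elem, "filter-name") in filter_names
                and _text(elem, "url-pattern") == "/*"):
            findings["mapped_to_all"] = True
    # Assumption: Tomcat defaults the option to DENY when the init-param is absent.
    effective = (findings["option"] or "DENY").upper()
    findings["ok"] = (findings["filter_declared"]
                      and effective in VALID_XFO
                      and findings["mapped_to_all"])
    return findings


def check_xfo_header(raw_headers):
    """Parse a raw HTTP response header block (e.g. from `curl -I`) and return
    the X-Frame-Options value, or None if it is absent or not enforceable."""
    for line in raw_headers.splitlines():
        if ":" not in line:
            continue  # status line or blank
        name, value = line.split(":", 1)
        if name.strip().lower() == "x-frame-options":
            value = value.strip().upper()
            return value if value in VALID_XFO else None
    return None


# Constructed sample inputs for the example.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter>
    <filter-name>TomcatSameOriginFilter</filter-name>
    <filter-class>org.apache.catalina.filters.HttpHeaderSecurityFilter</filter-class>
    <init-param>
      <param-name>antiClickJackingOption</param-name>
      <param-value>SAMEORIGIN</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>TomcatSameOriginFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

SAMPLE_HEADERS = """HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-Frame-Options: SAMEORIGIN
Content-Type: text/html;charset=UTF-8
"""

if __name__ == "__main__":
    print("web.xml:", check_web_xml(SAMPLE_WEB_XML))
    print("X-Frame-Options:", check_xfo_header(SAMPLE_HEADERS))
```

To use it against a real deployment, read the web.xml path from the Resolution section into check_web_xml and feed the saved output of curl -I for the admin console URL into check_xfo_header; a scanner such as Nessus keys its finding on exactly that missing or unenforceable header, so a None result here predicts the finding will persist.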