NetIQ Access Manager Patch Release for OpenSSL Vulnerability

This patch release includes a fix for CVE-2022-0778 vulnerability. This patch is supported for the following versions of the product:

  • Access Manager 4.5 Service Pack 5

  • Access Manager Appliance 4.5 Service Pack 5

  • Access Manager 4.5 Service Pack 4

  • Access Manager Appliance 4.5 Service Pack 4

NOTE:This patch will upgrade OpenSSL package bundled with Access Gateway Components.

1.0 Security Vulnerability Fixes

This release provides a fix for CVE 2022-0778, OpenSSL vulnerability issue.

2.0 Applying the Patch

IMPORTANT:In a cluster setup, ensure that you install the patch on each node of the Access Manager setup.

2.1 Downloading the Patch

Download the patch file from the Software License and Download portal.

For information about how to download the product from this portal, watch the following video:

Table 1 Files Available for Access Manager Patch Release for the OpenSSL Vulnerability:

Filename

Description

AM_OpenSSL_Patch_Linux64.tar.gz

Contains the OpenSSL vulnerability fix for Access Gateway on Linux and Access Manager Appliance.

AM_OpenSSL_Patch_Windows64.zip

Contains the OpenSSL vulnerability fix for Access Gateway on Windows.

2.2 Installing the Patch

IMPORTANT:

  • During installation of the patch, all running services are stopped temporarily. After the patch is installed, all services are restarted.

  • After installing this patch, the version number of Access Manager components is not changed.

Access Manager on Linux and Access Manager Appliance

  1. Extract the patch file by using the tar -xvf AM_OpenSSL_Patch_Linux64.tar.gz command.

  2. Run the rcnovell-apache2 stop command to stop the Apache service.

  3. Go to the location where you have extracted the patch files.

  4. Run the rpm -U novell-nacm-apache-extra-4.2.2-1.0.2zd.x86_64.rpm command in the extracted AM_OpenSSL_Patch_Linux64 folder as a root or root equivalent user.

  5. To validate whether the patch is applied successfully, run the following command and check the OpenSSL versions are novell-nacm-apache-extra-4.2.2-1.0.2zd.x86_64:

    rpm -qa| grep novell-nacm-apache-extra

  6. Run the rcnovell-apache2 start command to start the Apache service.

Access Manager on Windows

  1. Unzip the AM_OpenSSL_Patch_Windows64.zip file.

    The extracted folder AM_OpenSSL_Patch_Windows64 contains the Openssl_update.bat file.

  2. Go to Windows services, search for Apache 2.4 service, and stop the Apache service.

  3. Go to the location where you have extracted the patch files.

  4. Run Openssl_update.bat as an administrator or start a command prompt as an administrator and run the batch file. You must run the batch file inside the extracted AM_OpenSSL_Patch_Windows64 folder.

  5. To validate whether the patch is applied successfully, go to Windows services and search for Apache 2.4 service. The version must be OpenSSL/1.0.2zd-fips.

  6. Go to Windows services, search for Apache 2.4 service, and start the Apache service.

3.0 Contacting Micro Focus

For specific product issues, contact Micro Focus Support at https://www.microfocus.com/support-and-services/.

Additional technical information or advice is available from several sources:

4.0 Legal Notice

For information about legal notices, trademarks, disclaimers, warranties, export and other use restrictions, U.S. Government rights, patent policy, and FIPS compliance, see https://www.microfocus.com/about/legal/.

© Copyright 2022 Micro Focus or one of its affiliates.