Access Manager 3.2 Service Pack 3 HF1 resolves several previous issues.
For the list of software fixes in the previous release, see Access Manager 3.2 Service Pack 2 IR3 readme.
IMPORTANT: To upgrade to 4.0 SP1 from 3.2 SP3 HF1, perform the following steps:
On the 3.2.3 HF1 server, unzip the 4.0 SP1 executables using tar-xzvf <file name> command. For example, to unzip the Access Gateway file, use tar -xzvf novell-access-gateway-4.0.1-88.tar.gz command.
Replace the upgrade_utility_functions.sh file in the 4.0 SP1 executables folder (extracted_folder/scripts) with the /opt/novell/nam/update/HF1/401UpgradeSupport/scripts/upgrade_utility_functions.sh file.
On the 3.2.3 HF1 server, upgrade the components using the information in Upgrading Access Manager.
This release includes the following platform updates and fixed issues:
In this release, the following dependent components are updated to fix the vulnerability issues:
eDirectory 8.8 SP8 Patch 4
iManager 2.7 SP7 Patch 3
Java 1.7.0.72
This release includes software fixes in the following components:
The following issues are fixed in the Administration Console:
Issue: If the URL in Administration Console contains an unescaped curly bracket ({}) it leads to a policy evaluation failure and the user is denied access.
Fix: This issue is fixed and now unescaped curly brackets are allowed in authorization policy URLs. [Bug 895264]
Issue: When the x509 authentication is configured, all error messages are in English and are not localized.
Fix: With this fix, when x509 authentication is configured all the error messages are localized. [Bug 895003]
Issue: Multiple cross-site vulnerabilities exist in debug.jsp page. The affected URLs are:
https://<host>:8443/roma/jsp/debug/debug.jsp?xss=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
https://<host>/sslvpn/applet_agent.jsp?lang=%22%3E%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
Fix: This issue is resolved by sanitizing .jsp pages in the affected URLs. [Bug 911030][CVE-2014-5214]
Issue: The Auditing page is vulnerable to cross-site scripting attacks. The affected URL is:
https://<host>:8443/roma/system/cntl?handler=dispatcher&command=auditsave&&secureLoggingServersA='){}};alert('xss');function+x(){if('&port=1289
Fix: This the issue is resolved by sanitizing the affected URL. [Bug 911027][CVE-2014-5216]
Issue: An administrator can view internal credential details by using specific .jsp pages. The affected URLs are:
https://<host>:8443/roma/jsp/volsc/monitoring/dev_services.jsp
https://<host>:8443/roma/jsp/debug/debug.jsp
Fix: This issue is resolved by decrypting the credential information in the affected URLs and sensitive information is not displayed to the administrator. [Bug 911029][CVE-2014-5215]
The following issues are fixed in the Identity Server:
Issue: Multiple cross-site scripting vulnerabilities exist in the x509err.jsp page of the following URL:
https://<host>/nidp/jsp/x509err.jsp?error=%3Cscript%3Ealert%28%27xss%27%29%3C/script%3E
Fix: This issue is resolved by sanitizing the x509err.jsp page in the affected URL. [Bug 911028][CVE-2014-5216]
Issue: Cross-site scripting vulnerability affects the WS-Federation authentication process in the following URL:
cbcxt=&popupui=&vv=&username=fumail01%40basf.com&mkt=&lc=&wfresh=&wa=wsignin1.0&wtrealm=urn:federation:MicrosoftOnline&wctx=ernw"><script>alert
Fix: This issue is resolved by replacing the .jsp file in the affected URL. [Bug 911031]
Issue: In the Identity Server, the JCC port 1443 is affected by POODLE vulnerability as it accepts SSLv3 requests. (CVE-2014-3566)
Fix: This release fixes the POODLE vulnerability by disabling SSLv3 requests on the JCC port 1443. [Bug 909952]
The following issue is fixed in the Access Gateway:
Issue: In the Access Gateway, the JCC port 1443 is affected by Poodle vulnerability as it accepts SSLv3 requests. (CVE-2014-3566)
Fix: This release fixes the Poodle vulnerability by disabling SSLv3 requests on the JCC port 1443. [Bug 909952]
IMPORTANT:Ensure that you are currently on Access Manager 3.2 SP3 before upgrading to Access Manager 3.2 SP3 HF1.
To upgrade to Access Manager 3.2 SP3 HF1, perform the below steps:
Go to NetIQ Downloads Page.
Under Patches, click Search Patches.
Specify AM_32_SP3_HF1.zip in the search box and download the file.
Save the file to the server running Access Manager. If you have multiple servers in your set up, ensure that you copy this .zip file to all the servers.
Extract the patch file using the unzip <patch name>.zip command, where <patch filename> is the name of the patch file, for example, AM_32SP3_HF1.
For more information about the upgrade process, see Upgrading Access Manager 3.2 SP3 Using the Patch Process for Linux or Upgrading Access Manager 3.2 SP3 Using the Patch Process for Windows
Run the sh installPatch.sh command. This command installs the patch and the bundled binaries.
To install Access Manager 3.2 Service Pack 3, see the NetIQ Access Manager 3.2 SP3 Installation Guide.
For more information about upgrading or migrating Access Manager 3.2 Service Pack 3, see NetIQ Access Manager 3.2 SP3 Migration and Upgrade Guide.
It is important to verify the version number of existing Access Manager components before you upgrade or migrate to 3.2 Service Pack 3 HF1. This ensures that you have the correct version of files on your system.
In the Administration Console, click > > >
Examine the value of the Version field to see if it displays a version that is eligible for upgrading to 3.2 Service Pack 3 HF1. The version field should list 3.2.3-47.
In the Administration Console, click Access Manager > Auditing > Troubleshooting > Version
Verify that the Version field lists 3.2.3-47 + HF1-66.
NetIQ Corporation strives to ensure our products provide quality solutions for your enterprise software needs. The following issues are currently being researched. If you need further assistance with any issue, please contact Technical Support.
Issue: An attacker can issue a GET request and change the password of an authentication administrator. [CVE-2014-5217]
Workaround: This issue will be fixed in the next release of NetIQ Access Manager. For more information, see TID 7015997
Issue: Cross-Site scripting vulnerability affects the following URLs: [CVE-2014-5216]
https://<host>:8443/nps/servlet/webacc?taskId=dev.Empty&merge=dm.GenericTask&location=/roma/jsp/admin/view/main.jss'%2balert+('xss')%2b'
https://<host>:8443//nps/servlet/webacc?taskId=debug.DumpAll&xss=%3Cimg%20src=%22/404%22%20onerror=%22alert+%28%27xss%27%29%22%3E
Workaround: This issue will be fixed in the next release of NetIQ Access Manager. For more information, see TID 7015994
Issue: Authentication fails when you access a protected resource that uses NTLM authentication. (Bug 867593)
Workaround: None
Issue: The Access Gateway health reports the Audit Logging Server service as green with a message indicating it is operational even though the Audit Server is not running. (Bug 878552)
Workaround: None
Issue: It is possible to run the windows_script.bat script file only on the Administration Console and not on any other Access Manager component. Hence, you cannot apply the new PA certificates to any of the Windows based Identity Server or Access Gateway Service. (Bug 883952)
Workaround: None
Issue: Upgrading the primary/secondary Administration Console throws an ldap_bind : Can't contact LDAP server error. (Bug 887213)
One of the causes of this issue is because the validity of the eDirectory server certificate has expired.
Workaround: SLES and RHEL servers:
From the eDirectory server terminal execute the following commands:
ndsconfig upgrade [This creates new certificates for the server]
nldap -u [This unloads and stops LDAP services]
nldap -l [This command starts and loads the LDAP services]
After executing these commands, the upgrade proceeds without issues.
Windows servers:
Login in to iManager as an administrator.
Select Roles and Tasks > Novell Certificate Server > Repair Default Certificates
Select the server(s) that own the certificates and click Next.
Select Yes All Default Certificates will be overwritten and click Next.
Review the tasks to be performed and select Finish.
Our goal is to provide documentation that meets your needs. If you have suggestions for improvements, please email Documentation-Feedback@netiq.com. We value your input and look forward to hearing from you.
For detailed contact information, see the Support Contact Information Web site.
For general corporate and product information, see the NetIQ Corporate Web site.
You can post feedback in the Access Manager forum on Qmunity, our community Web site that also includes product notifications, blogs, and product user groups.
To download this product, go to Access Manager on the All Products Page.
THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT ARE FURNISHED UNDER AND ARE SUBJECT TO THE TERMS OF A LICENSE AGREEMENT OR A NON-DISCLOSURE AGREEMENT. EXCEPT AS EXPRESSLY SET FORTH IN SUCH LICENSE AGREEMENT OR NON-DISCLOSURE AGREEMENT, NETIQ CORPORATION PROVIDES THIS DOCUMENT AND THE SOFTWARE DESCRIBED IN THIS DOCUMENT "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. SOME STATES DO NOT ALLOW DISCLAIMERS OF EXPRESS OR IMPLIED WARRANTIES IN CERTAIN TRANSACTIONS; THEREFORE, THIS STATEMENT MAY NOT APPLY TO YOU.
For purposes of clarity, any module, adapter or other similar material (“Module”) is licensed under the terms and conditions of the End User License Agreement for the applicable version of the NetIQ product or software to which it relates or interoperates with, and by accessing, copying or using a Module you agree to be bound by such terms. If you do not agree to the terms of the End User License Agreement you are not authorized to use, access or copy a Module and you must destroy all copies of the Module and contact NetIQ for further instructions.
This document and the software described in this document may not be lent, sold, or given away without the prior written permission of NetIQ Corporation, except as otherwise permitted by law. Except as expressly set forth in such license agreement or non-disclosure agreement, no part of this document or the software described in this document may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, or otherwise, without the prior written consent of NetIQ Corporation. Some companies, names, and data in this document are used for illustration purposes and may not represent real companies, individuals, or data.
This document could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein. These changes may be incorporated in new editions of this document. NetIQ Corporation may make improvements in or changes to the software described in this document at any time.
U.S. Government Restricted Rights: If the software and documentation are being acquired by or on behalf of the U.S. Government or by a U.S. Government prime contractor or subcontractor (at any tier), in accordance with 48 C.F.R. 227.7202-4 (for Department of Defense (DOD) acquisitions) and 48 C.F.R. 2.101 and 12.212 (for non-DOD acquisitions), the government's rights in the software and documentation, including its rights to use, modify, reproduce, release, perform, display or disclose the software or documentation, will be subject in all respects to the commercial license rights and restrictions provided in the license agreement.
© 2015 NetIQ Corporation. All Rights Reserved.
For information about NetIQ trademarks, see http://www.netiq.com/company/legal/