30 August 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin ASB-2009.1065
       Security vulnerability corrected in Novell Identity Manager and
                 Provisioning Module for Identity Manager
                              31 August 2009
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Novell Identity Manager
                      Provisioning Module for Identity Manager
Operating System:     Windows
                      SUSE
                      Solaris
Impact/Access:        Cross-site Scripting -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
Member content until: Wednesday, September 30 2009

OVERVIEW

        Novell have released updates for Identity Manager and
        Provisioning Module for Identity Manager correcting a security
        vulnerability.

IMPACT

        Successful exploitation of this vulnerability may result in
        cross-site scripting:

        "When directly accessing a Portlet that does not exist, it is
        possible to post scripts that will be displayed back in the
        browser as part of the error message" [1,2,3,4]

MITIGATION

        Novell have released the following patches correcting this
        vulnerability:

        IDM Roles Based Provisioning Module 360 Field Patch E
        IDM User Application 301 Field Patch T
        IDM User Application 350 Field Patch AF
        IDM User Application 351 Field Patch X

REFERENCES

        [1] IDM Roles Based Provisioning Module 360 Field Patch E
            http://download.novell.com/Download?buildid=k7J0kwOdJ3o~

        [2] IDM User Application 301 Field Patch T
            http://download.novell.com/Download?buildid=2J-PBFu_4JA~

        [3] IDM User Application 350 Field Patch AF
            http://download.novell.com/Download?buildid=x9D8vNdxDUw~

        [4] IDM User Application 351 Field Patch X
            http://download.novell.com/Download?buildid=LmTpDk1LA5Q~

        AusCERT has made every effort to ensure that the information
        contained in this document is accurate. However, the decision to
        use the information described is the responsibility of each user
        or organisation.

        The decision to follow or act on information or advice contained
        in this security bulletin is the responsibility of each user or
        organisation, and should be considered in accordance with your
        organisation's site policies and procedures. AusCERT takes no
        responsibility for consequences which may arise from following
        or acting on information or advice contained in this security
        bulletin.

        If you believe that your computer system has been compromised or
        attacked in any way, we encourage you to let us know by
        completing the secure National IT Incident Reporting Form at:
        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: email@example.com
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFKm0urNVH5XJJInbgRAkkvAJ9rh1/JCHKBRSkb0gKY8OsAJmZVfACfUNPt
VoWkyh2pMh4SuZxYv/g1m2U=
=7NeN
-----END PGP SIGNATURE-----
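The defect class the IMPACT section describes, a "portlet not found" error page that echoes the requested name unencoded, is shown below as an added illustration; this is not Novell's code and the function names, page template and sample input are constructed for the example. The hardened variant HTML-encodes the untrusted value before it is placed in the page, and a small regression check distinguishes the two.

```python
import html

# Constructed sample request: a portlet name that does not exist and that
# carries markup. Made-up test input for this example, not a real request.
MISSING_PORTLET = 'reports<script>alert(1)</script>'

def render_error_vulnerable(portlet_name: str) -> str:
    """Vulnerable pattern (hypothetical): the requested name is concatenated
    into the error page verbatim, so any markup in it is interpreted by the
    browser rather than shown as text."""
    return f"<html><body><p>Portlet '{portlet_name}' not found.</p></body></html>"

def render_error_fixed(portlet_name: str) -> str:
    """Hardened pattern: HTML-encode the untrusted value for an HTML text
    context. quote=True also encodes the quote characters, which matters
    because the value sits inside single quotes in the template."""
    safe = html.escape(portlet_name, quote=True)
    return f"<html><body><p>Portlet '{safe}' not found.</p></body></html>"

def reflects_raw_markup(page: str, untrusted: str) -> bool:
    """Regression check: True when the page echoes the untrusted input
    byte-for-byte and that input contains HTML-significant characters,
    i.e. the reflected-XSS condition the bulletin describes."""
    has_markup = any(c in untrusted for c in "<>\"'&")
    return has_markup and untrusted in page

if __name__ == "__main__":
    for render in (render_error_vulnerable, render_error_fixed):
        page = render(MISSING_PORTLET)
        print(f"{render.__name__}: reflects raw markup = "
              f"{reflects_raw_markup(page, MISSING_PORTLET)}")
```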