-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin

                          ASB-2010.0200.2
      A vulnerability has been identified in Novell Identity Manager
                           9 September 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Novell Identity Manager 3.6.1
Operating System:     Windows Server 2008
                      Red Hat Enterprise Linux Server 5
                      SUSE
                      Solaris
                      Novell Open Enterprise Server (OES) 2.0 SP1 (64-bit)
Impact/Access:        Administrator Compromise -- Existing Account
Resolution:           Mitigation
CVE Names:            CVE-2010-3264
Member content until: Friday, October 1 2010

Revision History:     September 9 2010: Added CVE reference
                      September 1 2010: Initial Release

OVERVIEW

        A vulnerability has been identified in Novell Identity Manager
        version 3.6.1.

IMPACT

        The vendor has provided the following details regarding this
        vulnerability:

        "When installing Novell Identity Manager (IDM) the installer
        prompts for credentials to the tree where IDM is being installed.
        This is done so that schema can be extended for the IDM product
        within eDirectory. A log file for the installation is written to
        /tmp/idmInstall.log which contains the steps taken during the
        installation and in some cases contains the credentials as
        entered by the administrator." [1]

MITIGATION

        The vendor has provided the following advice to mitigate the risk
        of this vulnerability:

        "The log file is not needed by IDM or any other product after the
        installation is complete and is used for troubleshooting failures
        during the install. It should be removed once the installation is
        completed. The file is, by default, at the following location:

            /tmp/idmInstall.log

        This location may change based on the system environment
        variables but should be in the defined temporary directory in
        any case." [1]

REFERENCES

        [1] Security Vulnerability: Novell Identity Manager engine
            installation leaves admin tree credentials in a file.
            http://www.novell.com/support/viewContent.do?externalId=7006705

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFMiGTF/iFOrG6YcBERAuDSAJ4jWVxTo2VDnbeJJYXvC4kGBQ9Z/QCdFZPL
wVilbBxlU4a+vq3c++aAxbA=
=FobH
-----END PGP SIGNATURE-----
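The MITIGATION section above says the installer log should be removed after installation and that its location may move with the system's temporary-directory settings. The following POSIX shell script is an added example, not part of the AusCERT bulletin and not Novell's own tooling: it checks the temporary directories named by the usual environment variables (TMPDIR, TMP, TEMP, an assumption about which variables matter) as well as /tmp and /var/tmp for idmInstall.log, reports whether any copy remains, and overwrites and deletes each one found. The script name idm_log_cleanup.sh used in the run guard is an assumed name.

```shell
#!/bin/sh
# Added example (not from the bulletin or from Novell): locate and remove the
# IDM installer log described in ASB-2010.0200.2. The bulletin gives
# /tmp/idmInstall.log as the default and notes the path follows the defined
# temporary directory, so the common variables are checked first (assumption:
# TMPDIR, TMP and TEMP are the ones in play on the affected platforms).

LOG_NAME="idmInstall.log"

# Print every candidate path, one per line, skipping unset or non-directory
# entries. Candidate directories containing whitespace are not handled.
idm_log_candidates() {
    for d in "$TMPDIR" "$TMP" "$TEMP" /tmp /var/tmp; do
        [ -n "$d" ] && [ -d "$d" ] && printf '%s/%s\n' "${d%/}" "$LOG_NAME"
    done
    return 0
}

# Return 0 if any candidate log file still exists, 1 otherwise.
# Useful as a post-install audit check on its own.
idm_log_present() {
    for f in $(idm_log_candidates); do
        [ -f "$f" ] && return 0
    done
    return 1
}

# Overwrite (where shred is available) and delete each log found.
# Returns 0 when no log remains, 1 if any removal failed.
idm_log_cleanup() {
    status=0
    for f in $(idm_log_candidates); do
        [ -f "$f" ] || continue
        # Restrict the file to its owner while it is being handled.
        chmod 600 "$f" 2>/dev/null || true
        if command -v shred >/dev/null 2>&1; then
            shred -u "$f" || status=1
        else
            rm -f "$f" || status=1
        fi
        [ -e "$f" ] && status=1 || echo "removed $f"
    done
    # Final verification: anything left means the cleanup did not succeed.
    idm_log_present && status=1
    return $status
}

# Run the cleanup when executed directly as idm_log_cleanup.sh (assumed
# name); when sourced, only the functions are defined.
if [ "${0##*/}" = "idm_log_cleanup.sh" ]; then
    idm_log_cleanup
fi
```

Run it as root immediately after the IDM installer finishes, or source it and call idm_log_present from a configuration-audit job to confirm no copy of the log has been left behind on hosts that were installed earlier.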