===========================================================================
                   AUSCERT Security Bulletin ASB-2013.0031
      A number of vulnerabilities have been identified in Novell Identity Manager
                              26 February 2013
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Novell Identity Manager
Operating System:     Windows
Impact/Access:        Cross-site Scripting   -- Remote with User Interaction
                      Unauthorised Access    -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1078 CVE-2012-0438 CVE-2012-0437 CVE-2012-0436
                      CVE-2012-0431
Member content until: Thursday, March 28 2013

OVERVIEW

        A number of vulnerabilities have been identified in Novell Identity
        Manager prior to version 4.0.2 Field Patch B. [1]

IMPACT

        The vendor has provided the following details regarding these
        vulnerabilities:

        "There can be the ability to reset a password without successfully
        answering the Challenge Response Questions in Forgot Password
          Bug 785177 - Field Patch (402): Security: Have the ability to reset
          password without answering challenge response question in Forgot
          Password
          CVE-2012-0431

        Potential XSS vulnerability in UIQuery's dnlookup2
          Bug 797547 - Field Patch (402): Potential XSS vulnerability in
          UIQuery's dnlookup2
          CVE-2012-0436

        Potential XSS vulnerability in taskDetail
          Bug 797562 - Field Patch (402): Potential XSS vulnerability in
          taskDetail
          CVE-2012-0437

        Potential XSS vulnerability in workflow comments
          Bug 797614 - Field Patch (402): Potential XSS vulnerability in
          workflow comments
          CVE-2012-0438

        Potential XSS vulnerability in workflow reassign
          Bug 798551 - Field Patch (402): Potential XSS vulnerability in
          workflow reassign
          CVE-2013-1078" [1]

MITIGATION

        The vendor recommends updating to the latest field patch to correct
        these issues. [1]

REFERENCES

        [1] IDM Roles Based Provisioning Module 402 Field Patch B
            http://download.novell.com/Download?buildid=K8qfUKBOCVQ~

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================