OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ed Reed (ereed_at_novell.com)
Date: Mon Aug 12 2002 - 15:32:20 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ('binary' encoding is not supported, stored as-is) -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    For Immediate Disclosure

    ============================== Summary ==============================

     Security Alert: NOVL-2002-2963081
              Title: Novell iManager (eMFrame 1.2.1) DoS Attack
               Date: 12 Aug 2002
           Revision: 1
       Product Name: Novell iManager
     OS/Platform(s): Netware
      Reference URL: http://support.novell.com/servlet/tidfinder/2963081
        Vendor Name: Novell, Inc.
         Vendor URL: http://www.novell.com
    Security Alerts: http://support.novell.com/security-alerts
            Affects: eMFrame.jar, FwResources.properties files with
                     modification dates previous to 16 July 2002
        Identifiers: Novell TID 2963081, BugTraq:279683
            Credits: Surreal: Cluestick Advisory #001

    ============================ Description ============================

    This patch prevents eMFrame from shutting down prematurely caused by
    the input of a userid longer than 256 characters while authenticating
    into iManager.

    This patch must be applied on an existing eMFrame v 1.2.1
    installation.

    ============================== Impact ===============================

    The maximum length for the attribute DN in eDirectory 8.6 and above
    is 256 characters. While authenticating into eMFrame, if a DN with
    more than 256 characters are passed in by the user, eMFrame will
    terminate.

    With the above fixes, when DN is greater than 256 characters, a
    Denial of Service error is generated an eMFrame does not shut down.

    ======================== Recommended Actions ========================

    To verify whether or not this patch needs to be applied, perform the
    following:

    NOTE: The steps below refer to a "webapps" directory which is a
    relative directory. By default, when TomCat is installed on Netware,
    the "webapps" directory is located directly underneath the volume
    SYS: (i.e. SYS:\webapps\eMFrame\WEB-INF\lib\). However, webapps could
    be located elsewhere, depending on the choices made by the
    administration on initial installation. With Microsoft Windows
    NT/Windows 2000, you can go to a command prompt and type "set". This
    should display a path statement. In the path statement, there should
    be a directory "TomCat". The "webapps" directory should be located
    underneath the "TomCat" directory.

    1. Go to the following file:
    ..\webapps\eMFrame\WEB-INF\lib\eMFrame.jar

    2. Check the modified date on the file. If it is previous to July
    16th, 2002, this patch must be applied.

    3. Go to the following file:
    ..\webapps\eMFrame\WEB-INF\classes\templates\FwResources.properties

    4. Check the modified date on the file. If it is previsous to July
    16th, 2002, this patch must be applied.
    If the above files are older, apply this patch by copying the
    eMFrame.jar and FwResources.properties from this file to the server
    running eMFrame.

    Perform the following tasks:

    1. Go to the following directory:
    ..\webapps\eMFrame\WEB-INF\lib\

    2. Copy the eMFrame.jar file located in this patch to the above
    directory listed in step 1.

    3. Go to the following directory:
    ..\webapps\eMFrame\WEB-INF\classes\templates

    4. Copy the FwResources.properties file located in this patch to the
    above directory listed in step 3.

    ============================ DISCLAIMER =============================

    The content of this document is believed to be accurate at the time
    of publishing based on currently available information. However, the
    information is provided "AS IS" without any warranty or
    representation. Your use of the document constitutes acceptance of
    this disclaimer. Novell disclaims all warranties, express or implied,
    regarding this document, including the warranties of merchantability
    and fitness for a particular purpose. Novell is not liable for any
    direct, indirect, or consequential loss or damage arising from use
    of, or reliance on, this document or any security alert, even if
    Novell has been advised of the possibility of such damages and even
    if such damages are foreseeable.

    ============================ Appendices =============================

    None

    ================ Contacting Novell Security Alerts ==================

    To report suspected security vulnerabilities in Novell products, send
    email to
                securenovell.com

    PGP users may send signed/encrypted information to us using our PGP
    key, available from the pgpkeys.mit.edu server, or our website at:

                http://support.novell.com/security-alerts

    Security Alerts, Novell, Inc. PGP Key Fingerprint:

    F5AE 9265 0A34 F84E 580E 9B87 3AC1 1974 DE05 0FDB

    ========================= Revision History ==========================
           Original: 7 Aug 2002 - TID Publication
               This: 12 Aug 2002 - Security Alert published

    -----BEGIN PGP SIGNATURE-----
    Version: PGP Personal Security 7.0.3

    iQA/AwUBPVgW8DrBGXTeBQ/bEQIs4gCfZUnCjM5YnfsmDtK6sHEYImHagRkAn06X
    l4frxLtZ7Z07JxXdm1yw4+Ao
    =iXnB
    -----END PGP SIGNATURE-----