ASB-2013.0031 - [Win] Novell Identity Manager: Multiple vulnerabilities |
Date: 26 February 2013
Original URL: http://www.auscert.org.au/render.html?cid=10415&it=17086
===========================================================================
AUSCERT Security Bulletin
ASB-2013.0031
A number of vulnerabilities have been identified in Novell Identity Manager
26 February 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Novell Identity Manager
Operating System: Windows
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2013-1078 CVE-2012-0438 CVE-2012-0437
CVE-2012-0436 CVE-2012-0431
Member content until: Thursday, March 28 2013
OVERVIEW
A number of vulnerabilities have been identified in Novell Identity
Manager prior to version 4.0.2 Field Patch B. [1]
IMPACT
The vendor has provided the following details regarding these
vulnerabilities:
"There can be the ability to reset a password without successfully
answering the Challenge Response Questions in Forgot Password
Bug 785177 - Field Patch (402): Security: Have the ability to reset
password without answering challenge response question in Forgot
Password
CVE-2012-0431

Potential XSS vulnerability in UIQuery's dnlookup2
Bug 797547 - Field Patch (402): Potential XSS vulnerability in
UIQuery's dnlookup2
CVE-2012-0436

Potential XSS vulnerability in taskDetail
Bug 797562 - Field Patch (402): Potential XSS vulnerability in
taskDetail
CVE-2012-0437

Potential XSS vulnerability in workflow comments
Bug 797614 - Field Patch (402): Potential XSS vulnerability in
workflow comments
CVE-2012-0438

Potential XSS vulnerability in workflow reassign
Bug 798551 - Field Patch (402): Potential XSS vulnerability in
workflow reassign
CVE-2013-1078" [1]
MITIGATION
The vendor recommends updating to the latest field patch to
correct these issues. [1]
REFERENCES
[1] IDM Roles Based Provisioning Module 402 Field Patch B
http://download.novell.com/Download?buildid=K8qfUKBOCVQ~
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================