

   VULNERABILITY NOTE

 

CERT-In Vulnerability Note CIVN-2008-197
Novell Netware ApacheAdmin Security Bypass Vulnerability

Original Issue Date: December 26, 2008

Severity Rating: High

Systems Affected

  • Novell Netware 6.5 Support Pack 7
  • Novell Netware 6.5 Support Pack 6
  • Novell Netware 6.5 Support Pack 5
  • Novell Apache 2.0.48

Overview

A vulnerability has been reported in Novell Netware, which can be exploited by malicious people to bypass certain security restrictions.

Description

Open Enterprise Server (OES), a successor to NetWare, is a platform for delivery of enterprise-level shared network services (file, print, directory, clustering, backup, storage management, PKI, web applications etc.) and common management tools that can run atop either a Linux or a NetWare kernel platform. OES2 enables Novell's NetWare users to run NetWare in a paravirtualized environment on top of SUSE Linux Enterprise Server.

After an OES2 Linux server is installed into a tree running on NetWare 6.5, the ApacheAdmin console no longer requires a password. This can be exploited to access the ApacheAdmin console and alter the configuration of the Apache web server.

Solution

Update to Support Pack 8.

http://www.novell.com/documentation/oes2/inst_oes_nw/data/b7212qc.html


Vendor Information

Novell
http://www.novell.com/support/viewContent.do?externalId=7001907

References

Novell
http://www.novell.com/support/viewContent.do?externalId=7001907

Juniper
http://www.juniper.net/security/auto/vulnerabilities/vuln32657.html

Secunia
http://secunia.com/advisories/32989

SecurityFocus
http://www.securityfocus.com/bid/32657

CVE Name
CVE-2008-5696

CWE Name
CWE-255

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003