That’s perhaps unsurprising given that Copilot was trained on source code from GitHub and ingested all the bugs therein. Nonetheless, five boffins affiliated …
Tag: Software bug
Untitled
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.5
August 2021
Tomcat 9.0.50
Azul OpenJDK 1.8.0_292
Issues resolved in iManager 3.2.5
August 2021
Tomcat 9.0.50
Azul OpenJDK 1.8.0_292
– Remote code execution PSV (Bug 321412)
– Local privilege escalation (Bug 321413)
– Missing HTTP strict transport security (HSTS) (Bug 321414)
– Stack trace details exposed (Bug 321415)
– Command injection PSV (Bug 325081)
– Updated Azul JDK to 1.8.0_292 (Bug 329408/377011)
– Updated Tomcat to 9.0.50 (Bug 376034)
– XSS PSV (Bug 1172729)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.4.1
April 2021
OpenSSL 1.0.2y
This version of iManager contains NICI 3.2.0 which has a different FIPS 140-2 validated cryptography library with an active certificate.
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.4
February 2021
Azul OpenJDK 1.8.0_272
Tomcat 9.0.41
OpenSSL 1.0.2x
– Added support for RHEL 8.3 and 7.9
– Installing iManager in the Non-Default Location Fails on Windows (Bug 236787)
– Fails to Display Appropriate Error Message When Login Fails with a Zero Length Password (Bug 299099)
– Non-default location install fails on Windows (Bug 236787)
– Older version of pki plugin was getting installed when IDM and PKI plugin are installed together (Bug 236905)
– JVM crashes frequently due to XSS code (Bug 236983)
– Error: “CertInfo…………..-1 javax.naming.ldap.LdapName cannot be cast creating certificates (Bug 237877)
– Error: InfoFactory………484 For input string: “default” error message removed from catalina.out (Bug 237878)
– Tomcat8 was running as ‘Local System’ on Windows 2012 Server (Bug 237889)
– Error: (UniqueSPIException.java:103) seen in catalina.out (Bug 237945)
– Jquery PSV resolved (Bug 237965)
– Firefox 80.0.1 shows a greyed out [OK] button for plugin installation as well as for Modify Object operations (Bug 280078)
– Crash when a zero length password was used for login (Bug 299099)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.3
September 2020
Tomcat 9.0.37
September 2020
Tomcat 9.0.37
– PSV: Vulnerability in Tomcat 9.0.36 and earlier (259170/1172699) (CVE-2020-13934)
– Files and folders are not accessible through iManager workstation when NCP encryption is set to “enforce” (236401 – 1166763)
– Plugins: SecretStore plugin now available for iManager 3.x (236048 – 1160359)
– Localization fixes (237861 – 1131552)
– Docker: baseOS verion for iManager 323 container is changed into opensuse/leap:15.2 (238232)
– Revert OES fixes: bug 1103017 and bug 1166185 (264024)
– Files and folders are not accessible through iManager workstation when NCP encryption is set to “enforce” (236401 – 1166763)
– Plugins: SecretStore plugin now available for iManager 3.x (236048 – 1160359)
– Localization fixes (237861 – 1131552)
– Docker: baseOS verion for iManager 323 container is changed into opensuse/leap:15.2 (238232)
– Revert OES fixes: bug 1103017 and bug 1166185 (264024)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.2
May 2020
Tomcat 9.0.33
Zulu 8.46.0.19
CORE
– Correct error returned (-255) when enforcement of MFA is enabled (Bug 1163490)
– When adding plugins from local disk the connection is getting reset (Bug 1165890)
– Uploading a user’s jpg causing high util and never completes (Bug 1146727)
– Modifying an attribute using the Other tab causing JAVA high utilization (Bug 1154262)
– High utilization and delays when switching out of the Other tab (Bug 1160009)
– Start.sh script within the iManager container is running with high CPU utilization (Bug 1154422)
TOMCAT
– Potential Security vulnerability, AJP ports disabled (KB 7024475) (CVE-2019-17569) (Bug 1165858/1165323)
– Potential Security vulnerability, possible HTTP request smuggling (CVE-2020-1935) (Bug 1165860)
– Potential Security vulnerability,
OTHER
– After installing the PKI plugin cannot login to iManager: libssl.so.1.0.0-mf not found error (Bug 1164233)
– Documentation updated on which attributes to exclude to optimize auditing (Bug 1114712)
– Potential Security vulnerability fixed in Java (CVE-2020-2604) (Bug 1165863)
– Azul JDK updated to 1.8.0_252 (8u252) (Bug 1170054)
– Windows Install: Tomcat fails to start if instance resides on non-system disk (Bug 1102803)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.1.2
March 2020
Issues resolved in iManager 3.2.1.2
March 2020
– Disable AJP ports by default (CVE-2020-1938) (Bug 1165323)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.1.1
February 2020
OpenSSL 1.0.2t
Tomcat 9.0.30
NICI 3.1.0-2
Zulu 8.42.0.23
– New JDK to resolve a memory leak in crypto provider verification (Zulu-5050)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.1
February 2020
OpenSSL 1.0.2t
Tomcat 9.0.30
NICI 3.1.0-2
Zulu 8.42.0.21
CORE
– Catalina.out file does not rotate on RHEL 7.X (Bug 1110755/1156965/)
TOMCAT
– Nessus reports CVE-2019-17563 (Bug 1161866)
– Do not print stack on an exception (Bug 1150296)
– Transport error setting UP – delete old iMKS trust store file on upgrade (Bug 1135218)
– Selecting EBA plugin in OES 2018 cores Tomcat (Bug 1114919)
OTHER
– Incorrect error thrown in ICE with wrong password (Bug 1156516)
– Collector: vendor field changed back to Novell (Bug 1108930)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2
November 2019
TOMCAT
– XSS vulnerability in Tomcat bootstrap (Bug 1129742) (CVE-2019-8331)
– Tomcat service not restarting when using systemctl (Bug 1149042)
OTHER
– Enhancement: now certified on Red Hat 8 and SLES 15 SP1 (Bug 1149042)
– Selecting group from search results opens modify resource page instead of modify group (Bug 1128071)
– Install: message of installing Visual C++ suppressed during silent installation (Bug 1123849)
– Install: .p12 file’s ownership changed to novlwww for keystore file (Bug 969516)
– Various localization fixes (Bug 1076952/1077058/1077031/1082237/1076943)
– Collector: proper error handling when a user enters LDAP format in username field (Bug 1132253)
– Plugins: security vulnerability – disable stack trace in the response (Bug 1136482)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.4
May 2019
ENGINE
– OpenSSL updated to 1.0.2r (Bug 1128512) (CVE-2019-1559)
OTHER
– Tomcat: updated to version 8.5.40 (Bug 1125593)
– The “Success” message is not seen in several tasks using non-English (Bug 1103317)
– iManager Plugin Studio breaks special characters when using item order list (Bug 1108340)
– Internally found vulnerability in DFS plugin (Bug 1127718)
– Documentation changes to clarify managing Tomcat on init.d and systemd based OS’s (Bug 1132703)
– Dependancies on deprecated utilties removed (Bug 1128860)
– Updated Update AZUL JRE to 1.8.0_212
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.3
March 2019
Azul JRE 1.8.0_202
FRAMEWORK
– Tree view content goes into an infinite loop causing JAVA high CPU utilization (Bug 1105489)
– Unable to search for user with umlaut ö (Bug 1010785)
TOMCAT
– Email template functionality in IDM is now resolved (Bug 1099969)
– Tomcat failing to install on Red Hat 7.6 (Bug 11247191123841)
– Keystore change for JKS to PKCS12 (Bug 1124352/1124353/1124352)
OTHER
– Update Java to 1.8.0_202 (Bug 1125069)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.2
November 2018
NICI – 3.1.0-1
Azul JRE 1.8.0_181
Jquery – 3.3.1
Jquery UI – 1.12.1
Bootstrap – 4.3.1
FRAMEWORK
– XSS vulnerabilities resolved (Bug 945869) (CVE-2018-17949)
OTHER
– Install now manages Tomcat service via “novell-tomcat8-service.service” on systemd.
– SDK updated (Bug 1085577)
– Workstation would repair Microsoft Visual C++ 2012 on every launch (Bug 1086570)
– Jquery, Jquery UI and Bootstrap updated to resolve security vulnerabilities (Bug 1096366)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.1.1
September 2018
Tomcat 8.5.32
Java 1.8.0_181
FRAMEWORK
– Tomcat updated to 8.5.32 (Bug 1103143) (CVE-2018-8037 CVE-2018-1336 CVE-2018-8034)
OTHER
– Update JRE version to 1.8.0_181 (Bug 1107600) (CVEs in Oracle July 2018 Update Advisory)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.1
June 2018
Tomcat 8.5.30
JRE 1.8.0_172
FRAMEWORK
– Security vulnerability: multiple XSS weaknesses resolved (Bug 1079563/1080897) (CVE-2018-12462)
– Correct querying of latest plugins against those available (Bug 1094292)
OTHER
– Enhancement: RHEL 7.5 now supported (Bug 1093801)
– Login failure events look the same as those that complete (Bug 1080091)
– Installation returns fatal error due to version mismatch on libstdc++ (Bug 1088289)
– Windows installation not installing NICI if VC++ is already on server (Bug 1094012)
– A reinstall returns the SSL port selected is not valid or in use (Bug 1092676)
– Maxiumum version used to prevent duplicate plugins from being shown (Bug 1092674)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.1
March 2018
Tomcat 8.5.27
JRE 1.8.0_162
FRAMEWORK
– Potential XSS vulnerability closed (Bug 1063334) (CVE-2018-1347)
– 625 error when browsing a NSS directory on a cluster volume in iManager (Bug 1010818)
PLUGINS
– Secure transfer for plugin downloads (Bug 149319/1056490/1056487)
– Error -601 when setting the simple password for a user object having il8n characters in its name (Bug 1039287)
– Partition mgt: unable to add R/W replica when using a different locale (Bug 1003550)
OTHER
– Upgrades: NAudit and XDAS configuration file is getting reset (Bug 1010379)
– HSTS filter has been added in iManager web.xml file to enable Strict-Transport-Security (Bug 1045513) (CVE-2018-1344)
– Localization Fixes (930696/957746/930662/956947/960824/957256/957747/960797/960821/960822/960822/960823/960825/1079576)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.4
September 2017
Tomcat 8.0.45
JVM 1.8.0_144
NICI 3.0.3
FRAMEWORK
– Enhancement: RHEL 7.4 platform added (Bug 1058665)
– Enhancement: Windows 2016 support added (Bug 1025843)
– Timezone attribute is not interpreted correctly (Bug 1028890)
– Warning message overlapping with the driver name in the Driver Cache Inspector page (Bug 880032)
– “Cannot add empty strings” message when canceling changes (Bug 1034833)
– “Illegal character range near index 110” seen in driver’s status log (Bug 1038076)
– After selecting more than 100-300 objects no task is presented when clicking the button (Bug 1049152)
– Pop is thrown ‘value entered must be between 1 and 365’ after selecting another tab modifying user (Bug 1050586)
– Server redirection not working correctly when downloading plugins (Bug 1050868)
– Cannot uninstall plugins if both iManager Workstation 3.x and 2.77.x are installed on the same workstation (Bug 1053408)
– Object selector not honoring results per page setting (Bug 1042139)
– XSS attack hole closed (Bug 1052480) (CVE-2017-9276: internally found)
OTHER
– Audit: iManager is failing to Connect to Sentinel when Audit Connector is in STRICT mode (Bug 1022794)
– Upgrades left behind old iManager and plugin-base npms (Bug 870414)
– Some plugins could not be uninstalled (Bug 1037836)
– Tomcat updated (Bug 1048460)
– Java update (Bug 1049613)
– NICI updated (Bug 1052693)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.3.2 (303 Patch 2)
July 2017
Tomcat 8.0.44
JVM 1.8.0_131
FRAMEWORK
– Reflected XSS vulnerabilities (Bug 1038679) (CVE-2017-7425)
– Views: unable to add an IP address restriction to a user object (Bug 1030616)
TOMCAT
– Update Tomcat to 8.0.44 (Bug 1046831) (CVE-2017-5664,CVE-2017-5648,CVE-2017-5647,CVE-2016-8735,CVE-2016-6816)
JVM
– Updated to 1.8.0_131 (Bug 1045911)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.3.1 (303 Patch 1)
May 2017
– Potential webshell upload vulnerability (Bug 1027619) (CVE-2017-7432)
– Framework: persistent XSS vulnerability (Bug 1030691) (CVE-2017-7430)
– Object Mgt: vulnerable to persistent XSRF (Bug 1030692) (CVE-2017-7431)
– Tomcat: issue identified in the renegotiation of connection parameters (Bug 1029431) (CVE-2017-7428)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.3
April 2017
NICI: 3.0.2
Tomcat: 8.0.37-1
Java: 1.8.0_112-1
FRAMEWORK
– iManager server cannot connect to Sentinel using the embedded private key. (Bug 1021637) (CVE-2017-5189)
– View objects, search, object, click on object and the Modify Object operation is not seen.. (Bug 1026609)
– Red Hat 7.3 now supported. (Bug 1027056)
Tomcat
– Time delay different between an invalid user and password. (Bug 1017876)
– iManager install log now masks jre default keystore password. (Bug 1023991)
– Nessscan reports in SSL 64-bit Block Size Cipher Suites Supported (SWEET32) in iManager 3.0.2. (Bug 1010732)
OTHER
– iManager updates overwritting the config.xml file. (Bug 1010839)
– Plugin installation: cannot uninstall the password management plugins. (Bug 1020092)
– Cannot install IDM 4.6 plugins on an upgraded iManager setup. (Bug 1022565)
– Configure: upgrade is not preserving configuration leading to Jcache not starting. (Bug 1024529)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.2.1
February 2017
OTHER
– JCE unlimited cipher option jar no longer installed by default for ECDSA384 certificates. (Bug 1023402/1023024)
For more informaton: https://www.netiq.com/documentation/imanager-3/imanager_admin/data/b8qrh89.html#btubnyq
NAUDITXDAS
– iManager failing to connect Sentinel 7.4.2 and above version (Bug 1019789) (CVE-2017-5186)
– iManager is failing to Connect to Sentinel when Audit Connector is in Strict mode (Bug 1024955)
Auditing collectors, platform agents, instrumentation, etc. have been modified to use eDirectory certificates in order to connect to Sentinel servers versioned 7.4.2 and above. The previously used embedded certificate can no longer be used with Java 1.8. This certificate issue has required the modification of the following components. The updated files can be found on the respective product’s patch page.
1019041/987162 – eDir
1021637/1019789 – iMgr
999186/1019573 – PA
10195431011208 – IDM
1021391 – RBPM
1013758 – Naudit connector
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.2
November 2016
Tomcat: 8.0.37
Java: 1.8.0_102
PA: PA 2011.1r4 2.0.2-79
FRAMEWORK
– Added support for SLES12 SP2 (Bug 994329)
– Added support for RH 6.8 (Bug 991880)
– Consume Tomcat: 8.0.37 (Bug 997226/1004423)
– Warning message ‘Profile Missing’ pseen when launching iManager Windows Workstation (Bug 939510)
– iManager no longer installs 32-bit NICI packages (Bug 944512)
– Multiple NICI install issues resolved (Bug 966589/994068/994037)
– Getting “Error-634” error message when clicking on “Connections” tab under LDAP options (Bug 966672)
– Consume latest Java: 1.8.0_102 (Bug 995946/1006942)
– iManager displays secondary loopback address on completion (Bug 999237)
– Applying patch 4 to iManager 277 removes groups from novlwww user (Bug 1002179)
– Consume latest PA: 2011.1r4 2.0.2-79 (Bug 1005510)
– iManager uninstall does not cleanly uninstall its components (Bug 984889/986022/1002720)
– Need to mask IDP server backtrace when exceptions occur (Bug 992108)
– Some functions prone to Reflected Cross-Site Scripting attacks (Bug 992110)
– Cross-Site-Request-Forgery-Prevention not Working properly under heavy load (Bug 992111)
– Potential command execution vulnerability resolved (Bug 946043)
Tomcat
– Consume latest Tomcat: 8.0.37 (Bug 1002722)
– Tomcat 8.x vulnerable to CVE-2015-5351
– Nessus scan reports in SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) (Bug 963892) (CVE-2015-4000)
– Process runs from system account (Bug 992106)
OTHER
– Plugin Installation: .htaccess exists and is not restricted on the NAM admin console server (Bug 979235)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.1
June 2016
Tomcat 8.0.22
NICI: 3.0.1
JAVA: 1.8.0_77
FRAMEWORK
– Improvements made to only display available plugins that are compatible. (Bug 928695/973975)
– Enhancement: IDM support has been added. (Bug 970007)
– Safeguard iManager framework binaries during plugin uninstall process. (Bug 977353)
– iManager patch installer is not creating patch install logs. (Bug 906564)
TOMCAT
– Nessus scan reporting iManager is potentially vulnerable to Clickjacking. (OTG-CLIENT-009) (Bug 963890)
– iManager not listening after rebooting RHEL 7.2 server. (Bug 975678)
JAVA
– Updated to 1.8.0_77. (Bug 973128)
PLUGINS
– Cannot remove dash from phone number. (Bug 972633)
OTHER
– Installation is now prevented if a version of eDirectory lower than 9.0 is present. (Bug 976133)
– Admin Guide has been revised. (Bug 985323)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0 FCS
January 2016
Tomcat 8.0.22
NICI: 3.0
JAVA: 1.8.0_66
OpenLDAP: 2.1.25
FRAMEWORK
– Enhancement: Tomcat 8 support. (Bug 932438)
– Enhancement: Multi-tree support. (Bug 921490)
– Enhancement: TLS 1.2 support. (Bug 922920)
– Enhancement: Suite B support. (Bug 920352)
– Enhancement: UAP support added. (Bug 921046)
– Enhancement: iManager now supports EC certificates and enforces cipher options 128 and 192. (Bug 919946)
– Enhancement: iManager 3.0 now uses NICI 3.0. (Bug 958575)
– Ebaclientinit utility now bundled with iManager so the uap.p12 certificate can be downloaded. (Bug 920328/927784)
– Platforms tested: SLES12 SP1, SLES 11 SP4, SLED 12, OpenSUSE 13.2, Redhat 7.1 and 7.2. (Bug 914251/927929/949916/958468)
– Group plugin throws an error if there are unspecified addresses defined on the LDAP server object. (Bug 923881)
– Windows based iManager using IE 11 browser is not populating tree view objects. (Bug 881861)
– Objects not displaying in the right pane in view objects link. (Bug 902177)
– The platform.xml file is no longer used. (Bug 926495)
– Plugins updated to allow for nesting enhanced nested groups. (Bug 962772)
– Plugins that are not compatible with iManager 3.0 should not display as available. (Bug 928695)
TOMCAT
– Enhancement: standalone iManager now works with 64bit Java 1.8. (Bug 766367/953133)
INSTALL
– Suite B options added to silent install. (Bug 920829/932012)
______________________________________________________________________________________________________________________
Related:
Untitled
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.5
August 2021
Tomcat 9.0.50
Azul OpenJDK 1.8.0_292
Issues resolved in iManager 3.2.5
August 2021
Tomcat 9.0.50
Azul OpenJDK 1.8.0_292
– Remote code execution PSV (Bug 321412)
– Local privilege escalation (Bug 321413)
– Missing HTTP strict transport security (HSTS) (Bug 321414)
– Stack trace details exposed (Bug 321415)
– Command injection PSV (Bug 325081)
– Updated Azul JDK to 1.8.0_292 (Bug 329408/377011)
– Updated Tomcat to 9.0.50 (Bug 376034)
– XSS PSV (Bug 1172729)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.4.1
April 2021
OpenSSL 1.0.2y
This version of iManager contains NICI 3.2.0 which has a different FIPS 140-2 validated cryptography library with an active certificate.
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.4
February 2021
Azul OpenJDK 1.8.0_272
Tomcat 9.0.41
OpenSSL 1.0.2x
– Added support for RHEL 8.3 and 7.9
– Installing iManager in the Non-Default Location Fails on Windows (Bug 236787)
– Fails to Display Appropriate Error Message When Login Fails with a Zero Length Password (Bug 299099)
– Non-default location install fails on Windows (Bug 236787)
– Older version of pki plugin was getting installed when IDM and PKI plugin are installed together (Bug 236905)
– JVM crashes frequently due to XSS code (Bug 236983)
– Error: “CertInfo…………..-1 javax.naming.ldap.LdapName cannot be cast creating certificates (Bug 237877)
– Error: InfoFactory………484 For input string: “default” error message removed from catalina.out (Bug 237878)
– Tomcat8 was running as ‘Local System’ on Windows 2012 Server (Bug 237889)
– Error: (UniqueSPIException.java:103) seen in catalina.out (Bug 237945)
– Jquery PSV resolved (Bug 237965)
– Firefox 80.0.1 shows a greyed out [OK] button for plugin installation as well as for Modify Object operations (Bug 280078)
– Crash when a zero length password was used for login (Bug 299099)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.3
September 2020
Tomcat 9.0.37
September 2020
Tomcat 9.0.37
– PSV: Vulnerability in Tomcat 9.0.36 and earlier (259170/1172699) (CVE-2020-13934)
– Files and folders are not accessible through iManager workstation when NCP encryption is set to “enforce” (236401 – 1166763)
– Plugins: SecretStore plugin now available for iManager 3.x (236048 – 1160359)
– Localization fixes (237861 – 1131552)
– Docker: baseOS verion for iManager 323 container is changed into opensuse/leap:15.2 (238232)
– Revert OES fixes: bug 1103017 and bug 1166185 (264024)
– Files and folders are not accessible through iManager workstation when NCP encryption is set to “enforce” (236401 – 1166763)
– Plugins: SecretStore plugin now available for iManager 3.x (236048 – 1160359)
– Localization fixes (237861 – 1131552)
– Docker: baseOS verion for iManager 323 container is changed into opensuse/leap:15.2 (238232)
– Revert OES fixes: bug 1103017 and bug 1166185 (264024)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.2
May 2020
Tomcat 9.0.33
Zulu 8.46.0.19
CORE
– Correct error returned (-255) when enforcement of MFA is enabled (Bug 1163490)
– When adding plugins from local disk the connection is getting reset (Bug 1165890)
– Uploading a user’s jpg causing high util and never completes (Bug 1146727)
– Modifying an attribute using the Other tab causing JAVA high utilization (Bug 1154262)
– High utilization and delays when switching out of the Other tab (Bug 1160009)
– Start.sh script within the iManager container is running with high CPU utilization (Bug 1154422)
TOMCAT
– Potential Security vulnerability, AJP ports disabled (KB 7024475) (CVE-2019-17569) (Bug 1165858/1165323)
– Potential Security vulnerability, possible HTTP request smuggling (CVE-2020-1935) (Bug 1165860)
– Potential Security vulnerability,
OTHER
– After installing the PKI plugin cannot login to iManager: libssl.so.1.0.0-mf not found error (Bug 1164233)
– Documentation updated on which attributes to exclude to optimize auditing (Bug 1114712)
– Potential Security vulnerability fixed in Java (CVE-2020-2604) (Bug 1165863)
– Azul JDK updated to 1.8.0_252 (8u252) (Bug 1170054)
– Windows Install: Tomcat fails to start if instance resides on non-system disk (Bug 1102803)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.1.2
March 2020
Issues resolved in iManager 3.2.1.2
March 2020
– Disable AJP ports by default (CVE-2020-1938) (Bug 1165323)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.1.1
February 2020
OpenSSL 1.0.2t
Tomcat 9.0.30
NICI 3.1.0-2
Zulu 8.42.0.23
– New JDK to resolve a memory leak in crypto provider verification (Zulu-5050)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.1
February 2020
OpenSSL 1.0.2t
Tomcat 9.0.30
NICI 3.1.0-2
Zulu 8.42.0.21
CORE
– Catalina.out file does not rotate on RHEL 7.X (Bug 1110755/1156965/)
TOMCAT
– Nessus reports CVE-2019-17563 (Bug 1161866)
– Do not print stack on an exception (Bug 1150296)
– Transport error setting UP – delete old iMKS trust store file on upgrade (Bug 1135218)
– Selecting EBA plugin in OES 2018 cores Tomcat (Bug 1114919)
OTHER
– Incorrect error thrown in ICE with wrong password (Bug 1156516)
– Collector: vendor field changed back to Novell (Bug 1108930)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2
November 2019
TOMCAT
– XSS vulnerability in Tomcat bootstrap (Bug 1129742) (CVE-2019-8331)
– Tomcat service not restarting when using systemctl (Bug 1149042)
OTHER
– Enhancement: now certified on Red Hat 8 and SLES 15 SP1 (Bug 1149042)
– Selecting group from search results opens modify resource page instead of modify group (Bug 1128071)
– Install: message of installing Visual C++ suppressed during silent installation (Bug 1123849)
– Install: .p12 file’s ownership changed to novlwww for keystore file (Bug 969516)
– Various localization fixes (Bug 1076952/1077058/1077031/1082237/1076943)
– Collector: proper error handling when a user enters LDAP format in username field (Bug 1132253)
– Plugins: security vulnerability – disable stack trace in the response (Bug 1136482)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.4
May 2019
ENGINE
– OpenSSL updated to 1.0.2r (Bug 1128512) (CVE-2019-1559)
OTHER
– Tomcat: updated to version 8.5.40 (Bug 1125593)
– The “Success” message is not seen in several tasks using non-English (Bug 1103317)
– iManager Plugin Studio breaks special characters when using item order list (Bug 1108340)
– Internally found vulnerability in DFS plugin (Bug 1127718)
– Documentation changes to clarify managing Tomcat on init.d and systemd based OS’s (Bug 1132703)
– Dependancies on deprecated utilties removed (Bug 1128860)
– Updated Update AZUL JRE to 1.8.0_212
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.3
March 2019
Azul JRE 1.8.0_202
FRAMEWORK
– Tree view content goes into an infinite loop causing JAVA high CPU utilization (Bug 1105489)
– Unable to search for user with umlaut ö (Bug 1010785)
TOMCAT
– Email template functionality in IDM is now resolved (Bug 1099969)
– Tomcat failing to install on Red Hat 7.6 (Bug 11247191123841)
– Keystore change for JKS to PKCS12 (Bug 1124352/1124353/1124352)
OTHER
– Update Java to 1.8.0_202 (Bug 1125069)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.2
November 2018
NICI – 3.1.0-1
Azul JRE 1.8.0_181
Jquery – 3.3.1
Jquery UI – 1.12.1
Bootstrap – 4.3.1
FRAMEWORK
– XSS vulnerabilities resolved (Bug 945869) (CVE-2018-17949)
OTHER
– Install now manages Tomcat service via “novell-tomcat8-service.service” on systemd.
– SDK updated (Bug 1085577)
– Workstation would repair Microsoft Visual C++ 2012 on every launch (Bug 1086570)
– Jquery, Jquery UI and Bootstrap updated to resolve security vulnerabilities (Bug 1096366)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.1.1
September 2018
Tomcat 8.5.32
Java 1.8.0_181
FRAMEWORK
– Tomcat updated to 8.5.32 (Bug 1103143) (CVE-2018-8037 CVE-2018-1336 CVE-2018-8034)
OTHER
– Update JRE version to 1.8.0_181 (Bug 1107600) (CVEs in Oracle July 2018 Update Advisory)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.1
June 2018
Tomcat 8.5.30
JRE 1.8.0_172
FRAMEWORK
– Security vulnerability: multiple XSS weaknesses resolved (Bug 1079563/1080897) (CVE-2018-12462)
– Correct querying of latest plugins against those available (Bug 1094292)
OTHER
– Enhancement: RHEL 7.5 now supported (Bug 1093801)
– Login failure events look the same as those that complete (Bug 1080091)
– Installation returns fatal error due to version mismatch on libstdc++ (Bug 1088289)
– Windows installation not installing NICI if VC++ is already on server (Bug 1094012)
– A reinstall returns the SSL port selected is not valid or in use (Bug 1092676)
– Maxiumum version used to prevent duplicate plugins from being shown (Bug 1092674)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.1
March 2018
Tomcat 8.5.27
JRE 1.8.0_162
FRAMEWORK
– Potential XSS vulnerability closed (Bug 1063334) (CVE-2018-1347)
– 625 error when browsing a NSS directory on a cluster volume in iManager (Bug 1010818)
PLUGINS
– Secure transfer for plugin downloads (Bug 149319/1056490/1056487)
– Error -601 when setting the simple password for a user object having il8n characters in its name (Bug 1039287)
– Partition mgt: unable to add R/W replica when using a different locale (Bug 1003550)
OTHER
– Upgrades: NAudit and XDAS configuration file is getting reset (Bug 1010379)
– HSTS filter has been added in iManager web.xml file to enable Strict-Transport-Security (Bug 1045513) (CVE-2018-1344)
– Localization Fixes (930696/957746/930662/956947/960824/957256/957747/960797/960821/960822/960822/960823/960825/1079576)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.4
September 2017
Tomcat 8.0.45
JVM 1.8.0_144
NICI 3.0.3
FRAMEWORK
– Enhancement: RHEL 7.4 platform added (Bug 1058665)
– Enhancement: Windows 2016 support added (Bug 1025843)
– Timezone attribute is not interpreted correctly (Bug 1028890)
– Warning message overlapping with the driver name in the Driver Cache Inspector page (Bug 880032)
– “Cannot add empty strings” message when canceling changes (Bug 1034833)
– “Illegal character range near index 110” seen in driver’s status log (Bug 1038076)
– After selecting more than 100-300 objects no task is presented when clicking the button (Bug 1049152)
– Pop is thrown ‘value entered must be between 1 and 365’ after selecting another tab modifying user (Bug 1050586)
– Server redirection not working correctly when downloading plugins (Bug 1050868)
– Cannot uninstall plugins if both iManager Workstation 3.x and 2.77.x are installed on the same workstation (Bug 1053408)
– Object selector not honoring results per page setting (Bug 1042139)
– XSS attack hole closed (Bug 1052480) (CVE-2017-9276: internally found)
OTHER
– Audit: iManager is failing to Connect to Sentinel when Audit Connector is in STRICT mode (Bug 1022794)
– Upgrades left behind old iManager and plugin-base npms (Bug 870414)
– Some plugins could not be uninstalled (Bug 1037836)
– Tomcat updated (Bug 1048460)
– Java update (Bug 1049613)
– NICI updated (Bug 1052693)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.3.2 (303 Patch 2)
July 2017
Tomcat 8.0.44
JVM 1.8.0_131
FRAMEWORK
– Reflected XSS vulnerabilities (Bug 1038679) (CVE-2017-7425)
– Views: unable to add an IP address restriction to a user object (Bug 1030616)
TOMCAT
– Update Tomcat to 8.0.44 (Bug 1046831) (CVE-2017-5664,CVE-2017-5648,CVE-2017-5647,CVE-2016-8735,CVE-2016-6816)
JVM
– Updated to 1.8.0_131 (Bug 1045911)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.3.1 (303 Patch 1)
May 2017
– Potential webshell upload vulnerability (Bug 1027619) (CVE-2017-7432)
– Framework: persistent XSS vulnerability (Bug 1030691) (CVE-2017-7430)
– Object Mgt: vulnerable to persistent XSRF (Bug 1030692) (CVE-2017-7431)
– Tomcat: issue identified in the renegotiation of connection parameters (Bug 1029431) (CVE-2017-7428)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.3
April 2017
NICI: 3.0.2
Tomcat: 8.0.37-1
Java: 1.8.0_112-1
FRAMEWORK
– iManager server cannot connect to Sentinel using the embedded private key. (Bug 1021637) (CVE-2017-5189)
– View objects, search, object, click on object and the Modify Object operation is not seen.. (Bug 1026609)
– Red Hat 7.3 now supported. (Bug 1027056)
Tomcat
– Time delay different between an invalid user and password. (Bug 1017876)
– iManager install log now masks jre default keystore password. (Bug 1023991)
– Nessscan reports in SSL 64-bit Block Size Cipher Suites Supported (SWEET32) in iManager 3.0.2. (Bug 1010732)
OTHER
– iManager updates overwritting the config.xml file. (Bug 1010839)
– Plugin installation: cannot uninstall the password management plugins. (Bug 1020092)
– Cannot install IDM 4.6 plugins on an upgraded iManager setup. (Bug 1022565)
– Configure: upgrade is not preserving configuration leading to Jcache not starting. (Bug 1024529)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.2.1
February 2017
OTHER
– JCE unlimited cipher option jar no longer installed by default for ECDSA384 certificates. (Bug 1023402/1023024)
For more informaton: https://www.netiq.com/documentation/imanager-3/imanager_admin/data/b8qrh89.html#btubnyq
NAUDITXDAS
– iManager failing to connect Sentinel 7.4.2 and above version (Bug 1019789) (CVE-2017-5186)
– iManager is failing to Connect to Sentinel when Audit Connector is in Strict mode (Bug 1024955)
Auditing collectors, platform agents, instrumentation, etc. have been modified to use eDirectory certificates in order to connect to Sentinel servers versioned 7.4.2 and above. The previously used embedded certificate can no longer be used with Java 1.8. This certificate issue has required the modification of the following components. The updated files can be found on the respective product’s patch page.
1019041/987162 – eDir
1021637/1019789 – iMgr
999186/1019573 – PA
10195431011208 – IDM
1021391 – RBPM
1013758 – Naudit connector
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.2
November 2016
Tomcat: 8.0.37
Java: 1.8.0_102
PA: PA 2011.1r4 2.0.2-79
FRAMEWORK
– Added support for SLES12 SP2 (Bug 994329)
– Added support for RH 6.8 (Bug 991880)
– Consume Tomcat: 8.0.37 (Bug 997226/1004423)
– Warning message ‘Profile Missing’ pseen when launching iManager Windows Workstation (Bug 939510)
– iManager no longer installs 32-bit NICI packages (Bug 944512)
– Multiple NICI install issues resolved (Bug 966589/994068/994037)
– Getting “Error-634” error message when clicking on “Connections” tab under LDAP options (Bug 966672)
– Consume latest Java: 1.8.0_102 (Bug 995946/1006942)
– iManager displays secondary loopback address on completion (Bug 999237)
– Applying patch 4 to iManager 277 removes groups from novlwww user (Bug 1002179)
– Consume latest PA: 2011.1r4 2.0.2-79 (Bug 1005510)
– iManager uninstall does not cleanly uninstall its components (Bug 984889/986022/1002720)
– Need to mask IDP server backtrace when exceptions occur (Bug 992108)
– Some functions prone to Reflected Cross-Site Scripting attacks (Bug 992110)
– Cross-Site-Request-Forgery-Prevention not Working properly under heavy load (Bug 992111)
– Potential command execution vulnerability resolved (Bug 946043)
Tomcat
– Consume latest Tomcat: 8.0.37 (Bug 1002722)
– Tomcat 8.x vulnerable to CVE-2015-5351
– Nessus scan reports in SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) (Bug 963892) (CVE-2015-4000)
– Process runs from system account (Bug 992106)
OTHER
– Plugin Installation: .htaccess exists and is not restricted on the NAM admin console server (Bug 979235)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.1
June 2016
Tomcat 8.0.22
NICI: 3.0.1
JAVA: 1.8.0_77
FRAMEWORK
– Improvements made to only display available plugins that are compatible. (Bug 928695/973975)
– Enhancement: IDM support has been added. (Bug 970007)
– Safeguard iManager framework binaries during plugin uninstall process. (Bug 977353)
– iManager patch installer is not creating patch install logs. (Bug 906564)
TOMCAT
– Nessus scan reporting iManager is potentially vulnerable to Clickjacking. (OTG-CLIENT-009) (Bug 963890)
– iManager not listening after rebooting RHEL 7.2 server. (Bug 975678)
JAVA
– Updated to 1.8.0_77. (Bug 973128)
PLUGINS
– Cannot remove dash from phone number. (Bug 972633)
OTHER
– Installation is now prevented if a version of eDirectory lower than 9.0 is present. (Bug 976133)
– Admin Guide has been revised. (Bug 985323)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0 FCS
January 2016
Tomcat 8.0.22
NICI: 3.0
JAVA: 1.8.0_66
OpenLDAP: 2.1.25
FRAMEWORK
– Enhancement: Tomcat 8 support. (Bug 932438)
– Enhancement: Multi-tree support. (Bug 921490)
– Enhancement: TLS 1.2 support. (Bug 922920)
– Enhancement: Suite B support. (Bug 920352)
– Enhancement: UAP support added. (Bug 921046)
– Enhancement: iManager now supports EC certificates and enforces cipher options 128 and 192. (Bug 919946)
– Enhancement: iManager 3.0 now uses NICI 3.0. (Bug 958575)
– Ebaclientinit utility now bundled with iManager so the uap.p12 certificate can be downloaded. (Bug 920328/927784)
– Platforms tested: SLES12 SP1, SLES 11 SP4, SLED 12, OpenSUSE 13.2, Redhat 7.1 and 7.2. (Bug 914251/927929/949916/958468)
– Group plugin throws an error if there are unspecified addresses defined on the LDAP server object. (Bug 923881)
– Windows based iManager using IE 11 browser is not populating tree view objects. (Bug 881861)
– Objects not displaying in the right pane in view objects link. (Bug 902177)
– The platform.xml file is no longer used. (Bug 926495)
– Plugins updated to allow for nesting enhanced nested groups. (Bug 962772)
– Plugins that are not compatible with iManager 3.0 should not display as available. (Bug 928695)
TOMCAT
– Enhancement: standalone iManager now works with 64bit Java 1.8. (Bug 766367/953133)
INSTALL
– Suite B options added to silent install. (Bug 920829/932012)
______________________________________________________________________________________________________________________
Related:
Untitled
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.5
August 2021
Tomcat 9.0.50
Azul OpenJDK 1.8.0_292
Issues resolved in iManager 3.2.5
August 2021
Tomcat 9.0.50
Azul OpenJDK 1.8.0_292
– Remote code execution PSV (Bug 321412)
– Local privilege escalation (Bug 321413)
– Missing HTTP strict transport security (HSTS) (Bug 321414)
– Stack trace details exposed (Bug 321415)
– Command injection PSV (Bug 325081)
– Updated Azul JDK to 1.8.0_292 (Bug 329408/377011)
– Updated Tomcat to 9.0.50 (Bug 376034)
– XSS PSV (Bug 1172729)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.4.1
April 2021
OpenSSL 1.0.2y
This version of iManager contains NICI 3.2.0 which has a different FIPS 140-2 validated cryptography library with an active certificate.
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.4
February 2021
Azul OpenJDK 1.8.0_272
Tomcat 9.0.41
OpenSSL 1.0.2x
– Added support for RHEL 8.3 and 7.9
– Installing iManager in the Non-Default Location Fails on Windows (Bug 236787)
– Fails to Display Appropriate Error Message When Login Fails with a Zero Length Password (Bug 299099)
– Non-default location install fails on Windows (Bug 236787)
– Older version of pki plugin was getting installed when IDM and PKI plugin are installed together (Bug 236905)
– JVM crashes frequently due to XSS code (Bug 236983)
– Error: “CertInfo…………..-1 javax.naming.ldap.LdapName cannot be cast creating certificates (Bug 237877)
– Error: InfoFactory………484 For input string: “default” error message removed from catalina.out (Bug 237878)
– Tomcat8 was running as ‘Local System’ on Windows 2012 Server (Bug 237889)
– Error: (UniqueSPIException.java:103) seen in catalina.out (Bug 237945)
– Jquery PSV resolved (Bug 237965)
– Firefox 80.0.1 shows a greyed out [OK] button for plugin installation as well as for Modify Object operations (Bug 280078)
– Crash when a zero length password was used for login (Bug 299099)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.3
September 2020
Tomcat 9.0.37
September 2020
Tomcat 9.0.37
– PSV: Vulnerability in Tomcat 9.0.36 and earlier (259170/1172699) (CVE-2020-13934)
– Files and folders are not accessible through iManager workstation when NCP encryption is set to “enforce” (236401 – 1166763)
– Plugins: SecretStore plugin now available for iManager 3.x (236048 – 1160359)
– Localization fixes (237861 – 1131552)
– Docker: baseOS verion for iManager 323 container is changed into opensuse/leap:15.2 (238232)
– Revert OES fixes: bug 1103017 and bug 1166185 (264024)
– Files and folders are not accessible through iManager workstation when NCP encryption is set to “enforce” (236401 – 1166763)
– Plugins: SecretStore plugin now available for iManager 3.x (236048 – 1160359)
– Localization fixes (237861 – 1131552)
– Docker: baseOS verion for iManager 323 container is changed into opensuse/leap:15.2 (238232)
– Revert OES fixes: bug 1103017 and bug 1166185 (264024)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.2
May 2020
Tomcat 9.0.33
Zulu 8.46.0.19
CORE
– Correct error returned (-255) when enforcement of MFA is enabled (Bug 1163490)
– When adding plugins from local disk the connection is getting reset (Bug 1165890)
– Uploading a user’s jpg causing high util and never completes (Bug 1146727)
– Modifying an attribute using the Other tab causing JAVA high utilization (Bug 1154262)
– High utilization and delays when switching out of the Other tab (Bug 1160009)
– Start.sh script within the iManager container is running with high CPU utilization (Bug 1154422)
TOMCAT
– Potential Security vulnerability, AJP ports disabled (KB 7024475) (CVE-2019-17569) (Bug 1165858/1165323)
– Potential Security vulnerability, possible HTTP request smuggling (CVE-2020-1935) (Bug 1165860)
– Potential Security vulnerability,
OTHER
– After installing the PKI plugin cannot login to iManager: libssl.so.1.0.0-mf not found error (Bug 1164233)
– Documentation updated on which attributes to exclude to optimize auditing (Bug 1114712)
– Potential Security vulnerability fixed in Java (CVE-2020-2604) (Bug 1165863)
– Azul JDK updated to 1.8.0_252 (8u252) (Bug 1170054)
– Windows Install: Tomcat fails to start if instance resides on non-system disk (Bug 1102803)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.1.2
March 2020
Issues resolved in iManager 3.2.1.2
March 2020
– Disable AJP ports by default (CVE-2020-1938) (Bug 1165323)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.1.1
February 2020
OpenSSL 1.0.2t
Tomcat 9.0.30
NICI 3.1.0-2
Zulu 8.42.0.23
– New JDK to resolve a memory leak in crypto provider verification (Zulu-5050)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.1
February 2020
OpenSSL 1.0.2t
Tomcat 9.0.30
NICI 3.1.0-2
Zulu 8.42.0.21
CORE
– Catalina.out file does not rotate on RHEL 7.X (Bug 1110755/1156965/)
TOMCAT
– Nessus reports CVE-2019-17563 (Bug 1161866)
– Do not print stack on an exception (Bug 1150296)
– Transport error setting UP – delete old iMKS trust store file on upgrade (Bug 1135218)
– Selecting EBA plugin in OES 2018 cores Tomcat (Bug 1114919)
OTHER
– Incorrect error thrown in ICE with wrong password (Bug 1156516)
– Collector: vendor field changed back to Novell (Bug 1108930)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2
November 2019
TOMCAT
– XSS vulnerability in Tomcat bootstrap (Bug 1129742) (CVE-2019-8331)
– Tomcat service not restarting when using systemctl (Bug 1149042)
OTHER
– Enhancement: now certified on Red Hat 8 and SLES 15 SP1 (Bug 1149042)
– Selecting group from search results opens modify resource page instead of modify group (Bug 1128071)
– Install: message of installing Visual C++ suppressed during silent installation (Bug 1123849)
– Install: .p12 file’s ownership changed to novlwww for keystore file (Bug 969516)
– Various localization fixes (Bug 1076952/1077058/1077031/1082237/1076943)
– Collector: proper error handling when a user enters LDAP format in username field (Bug 1132253)
– Plugins: security vulnerability – disable stack trace in the response (Bug 1136482)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.4
May 2019
ENGINE
– OpenSSL updated to 1.0.2r (Bug 1128512) (CVE-2019-1559)
OTHER
– Tomcat: updated to version 8.5.40 (Bug 1125593)
– The “Success” message is not seen in several tasks using non-English (Bug 1103317)
– iManager Plugin Studio breaks special characters when using item order list (Bug 1108340)
– Internally found vulnerability in DFS plugin (Bug 1127718)
– Documentation changes to clarify managing Tomcat on init.d and systemd based OS’s (Bug 1132703)
– Dependancies on deprecated utilties removed (Bug 1128860)
– Updated Update AZUL JRE to 1.8.0_212
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.3
March 2019
Azul JRE 1.8.0_202
FRAMEWORK
– Tree view content goes into an infinite loop causing JAVA high CPU utilization (Bug 1105489)
– Unable to search for user with umlaut ö (Bug 1010785)
TOMCAT
– Email template functionality in IDM is now resolved (Bug 1099969)
– Tomcat failing to install on Red Hat 7.6 (Bug 11247191123841)
– Keystore change for JKS to PKCS12 (Bug 1124352/1124353/1124352)
OTHER
– Update Java to 1.8.0_202 (Bug 1125069)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.2
November 2018
NICI – 3.1.0-1
Azul JRE 1.8.0_181
Jquery – 3.3.1
Jquery UI – 1.12.1
Bootstrap – 4.3.1
FRAMEWORK
– XSS vulnerabilities resolved (Bug 945869) (CVE-2018-17949)
OTHER
– Install now manages Tomcat service via “novell-tomcat8-service.service” on systemd.
– SDK updated (Bug 1085577)
– Workstation would repair Microsoft Visual C++ 2012 on every launch (Bug 1086570)
– Jquery, Jquery UI and Bootstrap updated to resolve security vulnerabilities (Bug 1096366)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.1.1
September 2018
Tomcat 8.5.32
Java 1.8.0_181
FRAMEWORK
– Tomcat updated to 8.5.32 (Bug 1103143) (CVE-2018-8037 CVE-2018-1336 CVE-2018-8034)
OTHER
– Update JRE version to 1.8.0_181 (Bug 1107600) (CVEs in Oracle July 2018 Update Advisory)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.1
June 2018
Tomcat 8.5.30
JRE 1.8.0_172
FRAMEWORK
– Security vulnerability: multiple XSS weaknesses resolved (Bug 1079563/1080897) (CVE-2018-12462)
– Correct querying of latest plugins against those available (Bug 1094292)
OTHER
– Enhancement: RHEL 7.5 now supported (Bug 1093801)
– Login failure events look the same as those that complete (Bug 1080091)
– Installation returns fatal error due to version mismatch on libstdc++ (Bug 1088289)
– Windows installation not installing NICI if VC++ is already on server (Bug 1094012)
– A reinstall returns the SSL port selected is not valid or in use (Bug 1092676)
– Maxiumum version used to prevent duplicate plugins from being shown (Bug 1092674)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.1
March 2018
Tomcat 8.5.27
JRE 1.8.0_162
FRAMEWORK
– Potential XSS vulnerability closed (Bug 1063334) (CVE-2018-1347)
– 625 error when browsing a NSS directory on a cluster volume in iManager (Bug 1010818)
PLUGINS
– Secure transfer for plugin downloads (Bug 149319/1056490/1056487)
– Error -601 when setting the simple password for a user object having il8n characters in its name (Bug 1039287)
– Partition mgt: unable to add R/W replica when using a different locale (Bug 1003550)
OTHER
– Upgrades: NAudit and XDAS configuration file is getting reset (Bug 1010379)
– HSTS filter has been added in iManager web.xml file to enable Strict-Transport-Security (Bug 1045513) (CVE-2018-1344)
– Localization Fixes (930696/957746/930662/956947/960824/957256/957747/960797/960821/960822/960822/960823/960825/1079576)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.4
September 2017
Tomcat 8.0.45
JVM 1.8.0_144
NICI 3.0.3
FRAMEWORK
– Enhancement: RHEL 7.4 platform added (Bug 1058665)
– Enhancement: Windows 2016 support added (Bug 1025843)
– Timezone attribute is not interpreted correctly (Bug 1028890)
– Warning message overlapping with the driver name in the Driver Cache Inspector page (Bug 880032)
– “Cannot add empty strings” message when canceling changes (Bug 1034833)
– “Illegal character range near index 110” seen in driver’s status log (Bug 1038076)
– After selecting more than 100-300 objects no task is presented when clicking the button (Bug 1049152)
– Pop is thrown ‘value entered must be between 1 and 365’ after selecting another tab modifying user (Bug 1050586)
– Server redirection not working correctly when downloading plugins (Bug 1050868)
– Cannot uninstall plugins if both iManager Workstation 3.x and 2.77.x are installed on the same workstation (Bug 1053408)
– Object selector not honoring results per page setting (Bug 1042139)
– XSS attack hole closed (Bug 1052480) (CVE-2017-9276: internally found)
OTHER
– Audit: iManager is failing to Connect to Sentinel when Audit Connector is in STRICT mode (Bug 1022794)
– Upgrades left behind old iManager and plugin-base npms (Bug 870414)
– Some plugins could not be uninstalled (Bug 1037836)
– Tomcat updated (Bug 1048460)
– Java update (Bug 1049613)
– NICI updated (Bug 1052693)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.3.2 (303 Patch 2)
July 2017
Tomcat 8.0.44
JVM 1.8.0_131
FRAMEWORK
– Reflected XSS vulnerabilities (Bug 1038679) (CVE-2017-7425)
– Views: unable to add an IP address restriction to a user object (Bug 1030616)
TOMCAT
– Update Tomcat to 8.0.44 (Bug 1046831) (CVE-2017-5664,CVE-2017-5648,CVE-2017-5647,CVE-2016-8735,CVE-2016-6816)
JVM
– Updated to 1.8.0_131 (Bug 1045911)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.3.1 (303 Patch 1)
May 2017
– Potential webshell upload vulnerability (Bug 1027619) (CVE-2017-7432)
– Framework: persistent XSS vulnerability (Bug 1030691) (CVE-2017-7430)
– Object Mgt: vulnerable to persistent XSRF (Bug 1030692) (CVE-2017-7431)
– Tomcat: issue identified in the renegotiation of connection parameters (Bug 1029431) (CVE-2017-7428)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.3
April 2017
NICI: 3.0.2
Tomcat: 8.0.37-1
Java: 1.8.0_112-1
FRAMEWORK
– iManager server cannot connect to Sentinel using the embedded private key. (Bug 1021637) (CVE-2017-5189)
– View objects, search, object, click on object and the Modify Object operation is not seen.. (Bug 1026609)
– Red Hat 7.3 now supported. (Bug 1027056)
Tomcat
– Time delay different between an invalid user and password. (Bug 1017876)
– iManager install log now masks jre default keystore password. (Bug 1023991)
– Nessscan reports in SSL 64-bit Block Size Cipher Suites Supported (SWEET32) in iManager 3.0.2. (Bug 1010732)
OTHER
– iManager updates overwritting the config.xml file. (Bug 1010839)
– Plugin installation: cannot uninstall the password management plugins. (Bug 1020092)
– Cannot install IDM 4.6 plugins on an upgraded iManager setup. (Bug 1022565)
– Configure: upgrade is not preserving configuration leading to Jcache not starting. (Bug 1024529)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.2.1
February 2017
OTHER
– JCE unlimited cipher option jar no longer installed by default for ECDSA384 certificates. (Bug 1023402/1023024)
For more informaton: https://www.netiq.com/documentation/imanager-3/imanager_admin/data/b8qrh89.html#btubnyq
NAUDITXDAS
– iManager failing to connect Sentinel 7.4.2 and above version (Bug 1019789) (CVE-2017-5186)
– iManager is failing to Connect to Sentinel when Audit Connector is in Strict mode (Bug 1024955)
Auditing collectors, platform agents, instrumentation, etc. have been modified to use eDirectory certificates in order to connect to Sentinel servers versioned 7.4.2 and above. The previously used embedded certificate can no longer be used with Java 1.8. This certificate issue has required the modification of the following components. The updated files can be found on the respective product’s patch page.
1019041/987162 – eDir
1021637/1019789 – iMgr
999186/1019573 – PA
10195431011208 – IDM
1021391 – RBPM
1013758 – Naudit connector
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.2
November 2016
Tomcat: 8.0.37
Java: 1.8.0_102
PA: PA 2011.1r4 2.0.2-79
FRAMEWORK
– Added support for SLES12 SP2 (Bug 994329)
– Added support for RH 6.8 (Bug 991880)
– Consume Tomcat: 8.0.37 (Bug 997226/1004423)
– Warning message ‘Profile Missing’ pseen when launching iManager Windows Workstation (Bug 939510)
– iManager no longer installs 32-bit NICI packages (Bug 944512)
– Multiple NICI install issues resolved (Bug 966589/994068/994037)
– Getting “Error-634” error message when clicking on “Connections” tab under LDAP options (Bug 966672)
– Consume latest Java: 1.8.0_102 (Bug 995946/1006942)
– iManager displays secondary loopback address on completion (Bug 999237)
– Applying patch 4 to iManager 277 removes groups from novlwww user (Bug 1002179)
– Consume latest PA: 2011.1r4 2.0.2-79 (Bug 1005510)
– iManager uninstall does not cleanly uninstall its components (Bug 984889/986022/1002720)
– Need to mask IDP server backtrace when exceptions occur (Bug 992108)
– Some functions prone to Reflected Cross-Site Scripting attacks (Bug 992110)
– Cross-Site-Request-Forgery-Prevention not Working properly under heavy load (Bug 992111)
– Potential command execution vulnerability resolved (Bug 946043)
Tomcat
– Consume latest Tomcat: 8.0.37 (Bug 1002722)
– Tomcat 8.x vulnerable to CVE-2015-5351
– Nessus scan reports in SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) (Bug 963892) (CVE-2015-4000)
– Process runs from system account (Bug 992106)
OTHER
– Plugin Installation: .htaccess exists and is not restricted on the NAM admin console server (Bug 979235)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.1
June 2016
Tomcat 8.0.22
NICI: 3.0.1
JAVA: 1.8.0_77
FRAMEWORK
– Improvements made to only display available plugins that are compatible. (Bug 928695/973975)
– Enhancement: IDM support has been added. (Bug 970007)
– Safeguard iManager framework binaries during plugin uninstall process. (Bug 977353)
– iManager patch installer is not creating patch install logs. (Bug 906564)
TOMCAT
– Nessus scan reporting iManager is potentially vulnerable to Clickjacking. (OTG-CLIENT-009) (Bug 963890)
– iManager not listening after rebooting RHEL 7.2 server. (Bug 975678)
JAVA
– Updated to 1.8.0_77. (Bug 973128)
PLUGINS
– Cannot remove dash from phone number. (Bug 972633)
OTHER
– Installation is now prevented if a version of eDirectory lower than 9.0 is present. (Bug 976133)
– Admin Guide has been revised. (Bug 985323)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0 FCS
January 2016
Tomcat 8.0.22
NICI: 3.0
JAVA: 1.8.0_66
OpenLDAP: 2.1.25
FRAMEWORK
– Enhancement: Tomcat 8 support. (Bug 932438)
– Enhancement: Multi-tree support. (Bug 921490)
– Enhancement: TLS 1.2 support. (Bug 922920)
– Enhancement: Suite B support. (Bug 920352)
– Enhancement: UAP support added. (Bug 921046)
– Enhancement: iManager now supports EC certificates and enforces cipher options 128 and 192. (Bug 919946)
– Enhancement: iManager 3.0 now uses NICI 3.0. (Bug 958575)
– Ebaclientinit utility now bundled with iManager so the uap.p12 certificate can be downloaded. (Bug 920328/927784)
– Platforms tested: SLES12 SP1, SLES 11 SP4, SLED 12, OpenSUSE 13.2, Redhat 7.1 and 7.2. (Bug 914251/927929/949916/958468)
– Group plugin throws an error if there are unspecified addresses defined on the LDAP server object. (Bug 923881)
– Windows based iManager using IE 11 browser is not populating tree view objects. (Bug 881861)
– Objects not displaying in the right pane in view objects link. (Bug 902177)
– The platform.xml file is no longer used. (Bug 926495)
– Plugins updated to allow for nesting enhanced nested groups. (Bug 962772)
– Plugins that are not compatible with iManager 3.0 should not display as available. (Bug 928695)
TOMCAT
– Enhancement: standalone iManager now works with 64bit Java 1.8. (Bug 766367/953133)
INSTALL
– Suite B options added to silent install. (Bug 920829/932012)
______________________________________________________________________________________________________________________
Related:
Untitled
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.5
August 2021
Tomcat 9.0.50
Azul OpenJDK 1.8.0_292
Issues resolved in iManager 3.2.5
August 2021
Tomcat 9.0.50
Azul OpenJDK 1.8.0_292
– Remote code execution PSV (Bug 321412)
– Local privilege escalation (Bug 321413)
– Missing HTTP strict transport security (HSTS) (Bug 321414)
– Stack trace details exposed (Bug 321415)
– Command injection PSV (Bug 325081)
– Updated Azul JDK to 1.8.0_292 (Bug 329408/377011)
– Updated Tomcat to 9.0.50 (Bug 376034)
– XSS PSV (Bug 1172729)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.4.1
April 2021
OpenSSL 1.0.2y
This version of iManager contains NICI 3.2.0 which has a different FIPS 140-2 validated cryptography library with an active certificate.
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.4
February 2021
Azul OpenJDK 1.8.0_272
Tomcat 9.0.41
OpenSSL 1.0.2x
– Added support for RHEL 8.3 and 7.9
– Installing iManager in the Non-Default Location Fails on Windows (Bug 236787)
– Fails to Display Appropriate Error Message When Login Fails with a Zero Length Password (Bug 299099)
– Non-default location install fails on Windows (Bug 236787)
– Older version of pki plugin was getting installed when IDM and PKI plugin are installed together (Bug 236905)
– JVM crashes frequently due to XSS code (Bug 236983)
– Error: “CertInfo…………..-1 javax.naming.ldap.LdapName cannot be cast creating certificates (Bug 237877)
– Error: InfoFactory………484 For input string: “default” error message removed from catalina.out (Bug 237878)
– Tomcat8 was running as ‘Local System’ on Windows 2012 Server (Bug 237889)
– Error: (UniqueSPIException.java:103) seen in catalina.out (Bug 237945)
– Jquery PSV resolved (Bug 237965)
– Firefox 80.0.1 shows a greyed out [OK] button for plugin installation as well as for Modify Object operations (Bug 280078)
– Crash when a zero length password was used for login (Bug 299099)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.3
September 2020
Tomcat 9.0.37
September 2020
Tomcat 9.0.37
– PSV: Vulnerability in Tomcat 9.0.36 and earlier (259170/1172699) (CVE-2020-13934)
– Files and folders are not accessible through iManager workstation when NCP encryption is set to “enforce” (236401 – 1166763)
– Plugins: SecretStore plugin now available for iManager 3.x (236048 – 1160359)
– Localization fixes (237861 – 1131552)
– Docker: baseOS verion for iManager 323 container is changed into opensuse/leap:15.2 (238232)
– Revert OES fixes: bug 1103017 and bug 1166185 (264024)
– Files and folders are not accessible through iManager workstation when NCP encryption is set to “enforce” (236401 – 1166763)
– Plugins: SecretStore plugin now available for iManager 3.x (236048 – 1160359)
– Localization fixes (237861 – 1131552)
– Docker: baseOS verion for iManager 323 container is changed into opensuse/leap:15.2 (238232)
– Revert OES fixes: bug 1103017 and bug 1166185 (264024)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.2
May 2020
Tomcat 9.0.33
Zulu 8.46.0.19
CORE
– Correct error returned (-255) when enforcement of MFA is enabled (Bug 1163490)
– When adding plugins from local disk the connection is getting reset (Bug 1165890)
– Uploading a user’s jpg causing high util and never completes (Bug 1146727)
– Modifying an attribute using the Other tab causing JAVA high utilization (Bug 1154262)
– High utilization and delays when switching out of the Other tab (Bug 1160009)
– Start.sh script within the iManager container is running with high CPU utilization (Bug 1154422)
TOMCAT
– Potential Security vulnerability, AJP ports disabled (KB 7024475) (CVE-2019-17569) (Bug 1165858/1165323)
– Potential Security vulnerability, possible HTTP request smuggling (CVE-2020-1935) (Bug 1165860)
– Potential Security vulnerability,
OTHER
– After installing the PKI plugin cannot login to iManager: libssl.so.1.0.0-mf not found error (Bug 1164233)
– Documentation updated on which attributes to exclude to optimize auditing (Bug 1114712)
– Potential Security vulnerability fixed in Java (CVE-2020-2604) (Bug 1165863)
– Azul JDK updated to 1.8.0_252 (8u252) (Bug 1170054)
– Windows Install: Tomcat fails to start if instance resides on non-system disk (Bug 1102803)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.1.2
March 2020
Issues resolved in iManager 3.2.1.2
March 2020
– Disable AJP ports by default (CVE-2020-1938) (Bug 1165323)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.1.1
February 2020
OpenSSL 1.0.2t
Tomcat 9.0.30
NICI 3.1.0-2
Zulu 8.42.0.23
– New JDK to resolve a memory leak in crypto provider verification (Zulu-5050)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2.1
February 2020
OpenSSL 1.0.2t
Tomcat 9.0.30
NICI 3.1.0-2
Zulu 8.42.0.21
CORE
– Catalina.out file does not rotate on RHEL 7.X (Bug 1110755/1156965/)
TOMCAT
– Nessus reports CVE-2019-17563 (Bug 1161866)
– Do not print stack on an exception (Bug 1150296)
– Transport error setting UP – delete old iMKS trust store file on upgrade (Bug 1135218)
– Selecting EBA plugin in OES 2018 cores Tomcat (Bug 1114919)
OTHER
– Incorrect error thrown in ICE with wrong password (Bug 1156516)
– Collector: vendor field changed back to Novell (Bug 1108930)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.2
November 2019
TOMCAT
– XSS vulnerability in Tomcat bootstrap (Bug 1129742) (CVE-2019-8331)
– Tomcat service not restarting when using systemctl (Bug 1149042)
OTHER
– Enhancement: now certified on Red Hat 8 and SLES 15 SP1 (Bug 1149042)
– Selecting group from search results opens modify resource page instead of modify group (Bug 1128071)
– Install: message of installing Visual C++ suppressed during silent installation (Bug 1123849)
– Install: .p12 file’s ownership changed to novlwww for keystore file (Bug 969516)
– Various localization fixes (Bug 1076952/1077058/1077031/1082237/1076943)
– Collector: proper error handling when a user enters LDAP format in username field (Bug 1132253)
– Plugins: security vulnerability – disable stack trace in the response (Bug 1136482)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.4
May 2019
ENGINE
– OpenSSL updated to 1.0.2r (Bug 1128512) (CVE-2019-1559)
OTHER
– Tomcat: updated to version 8.5.40 (Bug 1125593)
– The “Success” message is not seen in several tasks using non-English (Bug 1103317)
– iManager Plugin Studio breaks special characters when using item order list (Bug 1108340)
– Internally found vulnerability in DFS plugin (Bug 1127718)
– Documentation changes to clarify managing Tomcat on init.d and systemd based OS’s (Bug 1132703)
– Dependancies on deprecated utilties removed (Bug 1128860)
– Updated Update AZUL JRE to 1.8.0_212
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.3
March 2019
Azul JRE 1.8.0_202
FRAMEWORK
– Tree view content goes into an infinite loop causing JAVA high CPU utilization (Bug 1105489)
– Unable to search for user with umlaut ö (Bug 1010785)
TOMCAT
– Email template functionality in IDM is now resolved (Bug 1099969)
– Tomcat failing to install on Red Hat 7.6 (Bug 11247191123841)
– Keystore change for JKS to PKCS12 (Bug 1124352/1124353/1124352)
OTHER
– Update Java to 1.8.0_202 (Bug 1125069)
___________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.2
November 2018
NICI – 3.1.0-1
Azul JRE 1.8.0_181
Jquery – 3.3.1
Jquery UI – 1.12.1
Bootstrap – 4.3.1
FRAMEWORK
– XSS vulnerabilities resolved (Bug 945869) (CVE-2018-17949)
OTHER
– Install now manages Tomcat service via “novell-tomcat8-service.service” on systemd.
– SDK updated (Bug 1085577)
– Workstation would repair Microsoft Visual C++ 2012 on every launch (Bug 1086570)
– Jquery, Jquery UI and Bootstrap updated to resolve security vulnerabilities (Bug 1096366)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.1.1
September 2018
Tomcat 8.5.32
Java 1.8.0_181
FRAMEWORK
– Tomcat updated to 8.5.32 (Bug 1103143) (CVE-2018-8037 CVE-2018-1336 CVE-2018-8034)
OTHER
– Update JRE version to 1.8.0_181 (Bug 1107600) (CVEs in Oracle July 2018 Update Advisory)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.1.1
June 2018
Tomcat 8.5.30
JRE 1.8.0_172
FRAMEWORK
– Security vulnerability: multiple XSS weaknesses resolved (Bug 1079563/1080897) (CVE-2018-12462)
– Correct querying of latest plugins against those available (Bug 1094292)
OTHER
– Enhancement: RHEL 7.5 now supported (Bug 1093801)
– Login failure events look the same as those that complete (Bug 1080091)
– Installation returns fatal error due to version mismatch on libstdc++ (Bug 1088289)
– Windows installation not installing NICI if VC++ is already on server (Bug 1094012)
– A reinstall returns the SSL port selected is not valid or in use (Bug 1092676)
– Maxiumum version used to prevent duplicate plugins from being shown (Bug 1092674)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.1
March 2018
Tomcat 8.5.27
JRE 1.8.0_162
FRAMEWORK
– Potential XSS vulnerability closed (Bug 1063334) (CVE-2018-1347)
– 625 error when browsing a NSS directory on a cluster volume in iManager (Bug 1010818)
PLUGINS
– Secure transfer for plugin downloads (Bug 149319/1056490/1056487)
– Error -601 when setting the simple password for a user object having il8n characters in its name (Bug 1039287)
– Partition mgt: unable to add R/W replica when using a different locale (Bug 1003550)
OTHER
– Upgrades: NAudit and XDAS configuration file is getting reset (Bug 1010379)
– HSTS filter has been added in iManager web.xml file to enable Strict-Transport-Security (Bug 1045513) (CVE-2018-1344)
– Localization Fixes (930696/957746/930662/956947/960824/957256/957747/960797/960821/960822/960822/960823/960825/1079576)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.4
September 2017
Tomcat 8.0.45
JVM 1.8.0_144
NICI 3.0.3
FRAMEWORK
– Enhancement: RHEL 7.4 platform added (Bug 1058665)
– Enhancement: Windows 2016 support added (Bug 1025843)
– Timezone attribute is not interpreted correctly (Bug 1028890)
– Warning message overlapping with the driver name in the Driver Cache Inspector page (Bug 880032)
– “Cannot add empty strings” message when canceling changes (Bug 1034833)
– “Illegal character range near index 110” seen in driver’s status log (Bug 1038076)
– After selecting more than 100-300 objects no task is presented when clicking the button (Bug 1049152)
– Pop is thrown ‘value entered must be between 1 and 365’ after selecting another tab modifying user (Bug 1050586)
– Server redirection not working correctly when downloading plugins (Bug 1050868)
– Cannot uninstall plugins if both iManager Workstation 3.x and 2.77.x are installed on the same workstation (Bug 1053408)
– Object selector not honoring results per page setting (Bug 1042139)
– XSS attack hole closed (Bug 1052480) (CVE-2017-9276: internally found)
OTHER
– Audit: iManager is failing to Connect to Sentinel when Audit Connector is in STRICT mode (Bug 1022794)
– Upgrades left behind old iManager and plugin-base npms (Bug 870414)
– Some plugins could not be uninstalled (Bug 1037836)
– Tomcat updated (Bug 1048460)
– Java update (Bug 1049613)
– NICI updated (Bug 1052693)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.3.2 (303 Patch 2)
July 2017
Tomcat 8.0.44
JVM 1.8.0_131
FRAMEWORK
– Reflected XSS vulnerabilities (Bug 1038679) (CVE-2017-7425)
– Views: unable to add an IP address restriction to a user object (Bug 1030616)
TOMCAT
– Update Tomcat to 8.0.44 (Bug 1046831) (CVE-2017-5664,CVE-2017-5648,CVE-2017-5647,CVE-2016-8735,CVE-2016-6816)
JVM
– Updated to 1.8.0_131 (Bug 1045911)
____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.3.1 (303 Patch 1)
May 2017
– Potential webshell upload vulnerability (Bug 1027619) (CVE-2017-7432)
– Framework: persistent XSS vulnerability (Bug 1030691) (CVE-2017-7430)
– Object Mgt: vulnerable to persistent XSRF (Bug 1030692) (CVE-2017-7431)
– Tomcat: issue identified in the renegotiation of connection parameters (Bug 1029431) (CVE-2017-7428)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.3
April 2017
NICI: 3.0.2
Tomcat: 8.0.37-1
Java: 1.8.0_112-1
FRAMEWORK
– iManager server cannot connect to Sentinel using the embedded private key. (Bug 1021637) (CVE-2017-5189)
– View objects, search, object, click on object and the Modify Object operation is not seen.. (Bug 1026609)
– Red Hat 7.3 now supported. (Bug 1027056)
Tomcat
– Time delay different between an invalid user and password. (Bug 1017876)
– iManager install log now masks jre default keystore password. (Bug 1023991)
– Nessscan reports in SSL 64-bit Block Size Cipher Suites Supported (SWEET32) in iManager 3.0.2. (Bug 1010732)
OTHER
– iManager updates overwritting the config.xml file. (Bug 1010839)
– Plugin installation: cannot uninstall the password management plugins. (Bug 1020092)
– Cannot install IDM 4.6 plugins on an upgraded iManager setup. (Bug 1022565)
– Configure: upgrade is not preserving configuration leading to Jcache not starting. (Bug 1024529)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.2.1
February 2017
OTHER
– JCE unlimited cipher option jar no longer installed by default for ECDSA384 certificates. (Bug 1023402/1023024)
For more informaton: https://www.netiq.com/documentation/imanager-3/imanager_admin/data/b8qrh89.html#btubnyq
NAUDITXDAS
– iManager failing to connect Sentinel 7.4.2 and above version (Bug 1019789) (CVE-2017-5186)
– iManager is failing to Connect to Sentinel when Audit Connector is in Strict mode (Bug 1024955)
Auditing collectors, platform agents, instrumentation, etc. have been modified to use eDirectory certificates in order to connect to Sentinel servers versioned 7.4.2 and above. The previously used embedded certificate can no longer be used with Java 1.8. This certificate issue has required the modification of the following components. The updated files can be found on the respective product’s patch page.
1019041/987162 – eDir
1021637/1019789 – iMgr
999186/1019573 – PA
10195431011208 – IDM
1021391 – RBPM
1013758 – Naudit connector
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.2
November 2016
Tomcat: 8.0.37
Java: 1.8.0_102
PA: PA 2011.1r4 2.0.2-79
FRAMEWORK
– Added support for SLES12 SP2 (Bug 994329)
– Added support for RH 6.8 (Bug 991880)
– Consume Tomcat: 8.0.37 (Bug 997226/1004423)
– Warning message ‘Profile Missing’ pseen when launching iManager Windows Workstation (Bug 939510)
– iManager no longer installs 32-bit NICI packages (Bug 944512)
– Multiple NICI install issues resolved (Bug 966589/994068/994037)
– Getting “Error-634” error message when clicking on “Connections” tab under LDAP options (Bug 966672)
– Consume latest Java: 1.8.0_102 (Bug 995946/1006942)
– iManager displays secondary loopback address on completion (Bug 999237)
– Applying patch 4 to iManager 277 removes groups from novlwww user (Bug 1002179)
– Consume latest PA: 2011.1r4 2.0.2-79 (Bug 1005510)
– iManager uninstall does not cleanly uninstall its components (Bug 984889/986022/1002720)
– Need to mask IDP server backtrace when exceptions occur (Bug 992108)
– Some functions prone to Reflected Cross-Site Scripting attacks (Bug 992110)
– Cross-Site-Request-Forgery-Prevention not Working properly under heavy load (Bug 992111)
– Potential command execution vulnerability resolved (Bug 946043)
Tomcat
– Consume latest Tomcat: 8.0.37 (Bug 1002722)
– Tomcat 8.x vulnerable to CVE-2015-5351
– Nessus scan reports in SSL/TLS Diffie-Hellman Modulus <= 1024 Bits (Logjam) (Bug 963892) (CVE-2015-4000)
– Process runs from system account (Bug 992106)
OTHER
– Plugin Installation: .htaccess exists and is not restricted on the NAM admin console server (Bug 979235)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0.1
June 2016
Tomcat 8.0.22
NICI: 3.0.1
JAVA: 1.8.0_77
FRAMEWORK
– Improvements made to only display available plugins that are compatible. (Bug 928695/973975)
– Enhancement: IDM support has been added. (Bug 970007)
– Safeguard iManager framework binaries during plugin uninstall process. (Bug 977353)
– iManager patch installer is not creating patch install logs. (Bug 906564)
TOMCAT
– Nessus scan reporting iManager is potentially vulnerable to Clickjacking. (OTG-CLIENT-009) (Bug 963890)
– iManager not listening after rebooting RHEL 7.2 server. (Bug 975678)
JAVA
– Updated to 1.8.0_77. (Bug 973128)
PLUGINS
– Cannot remove dash from phone number. (Bug 972633)
OTHER
– Installation is now prevented if a version of eDirectory lower than 9.0 is present. (Bug 976133)
– Admin Guide has been revised. (Bug 985323)
_____________________________________________________________________________________________________________________
Issues resolved in iManager 3.0 FCS
January 2016
Tomcat 8.0.22
NICI: 3.0
JAVA: 1.8.0_66
OpenLDAP: 2.1.25
FRAMEWORK
– Enhancement: Tomcat 8 support. (Bug 932438)
– Enhancement: Multi-tree support. (Bug 921490)
– Enhancement: TLS 1.2 support. (Bug 922920)
– Enhancement: Suite B support. (Bug 920352)
– Enhancement: UAP support added. (Bug 921046)
– Enhancement: iManager now supports EC certificates and enforces cipher options 128 and 192. (Bug 919946)
– Enhancement: iManager 3.0 now uses NICI 3.0. (Bug 958575)
– Ebaclientinit utility now bundled with iManager so the uap.p12 certificate can be downloaded. (Bug 920328/927784)
– Platforms tested: SLES12 SP1, SLES 11 SP4, SLED 12, OpenSUSE 13.2, Redhat 7.1 and 7.2. (Bug 914251/927929/949916/958468)
– Group plugin throws an error if there are unspecified addresses defined on the LDAP server object. (Bug 923881)
– Windows based iManager using IE 11 browser is not populating tree view objects. (Bug 881861)
– Objects not displaying in the right pane in view objects link. (Bug 902177)
– The platform.xml file is no longer used. (Bug 926495)
– Plugins updated to allow for nesting enhanced nested groups. (Bug 962772)
– Plugins that are not compatible with iManager 3.0 should not display as available. (Bug 928695)
TOMCAT
– Enhancement: standalone iManager now works with 64bit Java 1.8. (Bug 766367/953133)
INSTALL
– Suite B options added to silent install. (Bug 920829/932012)
______________________________________________________________________________________________________________________
Related:
Open source web app projects hailed for quickly patching bugs
The nine total bugs range from cross-site scripting and denial of service to SQL injection and authentication bypass. The bulk of the bugs were found …
Related:
Privilege escalation sql injection
privilege escalation sql injection, May 20, 2020 · Last November, Reno Robert (@renorobertr) reported multiple bugs in Parallels to the ZDI, one of …
Related:
Blind SQL Injection – Information Security Stack Exchange
web-application sql-injection bug-bounty. I am a newbie in bug bounty and I am participating in a program that when I write in the url paramete ‘ or 1=1 …
Related:
Blind SQL Injection – Information Security Stack Exchange
web-application sql-injection bug-bounty. I am a newbie in bug bounty and I am participating in a program that when I write in the url paramete ‘ or 1=1 …
Related:
Findbugs not finding potential SQL injection vulnerability
CRLF_INJECTION_LOGS fix. Bug Patterns, Once, you have configured LogBack, you need to disable the rule “CRLF_INJECTION_LOGS”.