Multiple vulnerabilities in NetIQ Identity Manager

Published: 2017-02-27 | Updated: 2023-01-12

Risk	Medium
Patch available	YES
Number of vulnerabilities	2
CVE-ID	CVE-2016-1603 CVE-2016-1600 CVE-2017-7434
CWE-ID	CWE-200 CWE-532
Exploitation vector	Network
Public exploit	N/A
Vulnerable software Subscribe	NetIQ Identity Manager Server applications / Directory software, identity management
Vendor

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Information disclosure

EUVDB-ID: #VU71126

Risk: Medium

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-1603,CVE-2016-1600

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the ServiceNow driver. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

NetIQ Identity Manager: before 4.6

External links

http://www.netiq.com/documentation/identity-manager-46/releasenotes_idm46/data/releasenotes_idm46.html#t433o7au0niu

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Inclusion of Sensitive Information in Log Files

EUVDB-ID: #VU71128

Risk: Low

CVSSv3.1: 4.8 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-7434

CWE-ID: CWE-532 - Information Exposure Through Log Files