=====================================================================
                                   CERT-Renater

                        Note d'Information No. 2010/VULN030
_____________________________________________________________________

DATE                      : 14/01/2010

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Novell ZENworks Asset Management
                             version 7.5.

======================================================================
http://www.novell.com/support/viewContent.do?externalId=7005128
______________________________________________________________________

ZAM 7.5 SQL Injection Vulnerability

This document (7005128) is provided subject to the disclaimer at the end
of this document.

Environment

Novell ZENworks 7.5 Asset Management - ZAM7.5

Situation

A vulnerability has been reported which allows remote attackers to execute
arbitrary code on vulnerable installations of Novell ZAM 7.5.
A carefully crafted parameter can result in direct SQL access to the underlying
SQL Server database, which an attacker can further leverage to potentially
execute arbitrary code.


Resolution

Fixed in ZENworks Asset Management 7.5 Interim Release IR19 or newer

Interim Releases can be scheduled to run automatically or can be downloaded
manually at http://download.novell.com. The Interim Releases can be set up
within the ZAM Manager so that the Task Server checks the site on a scheduled
basis, then downloads and applies them automatically. Please refer to the Help
Section for details on how to set up automatic downloads if desired.

Each interim release is cumulative. If Interim Release IR19 is not available
due to a newer interim release being placed on the website, be assured that
the code needed is in the later release.


Status

Security Alert


Additional Information
Information reported by Tippingpoint ZDI-CAN-457
This vulnerability was discovered by:  Anonymous
Document
Document ID:	7005128
Creation Date:	01-12-2010
Modified Date:	01-12-2010
Novell Product:	ZENworks Asset Management


Disclaimer

The Origin of this information may be internal or external to Novell.
Novell makes all reasonable efforts to verify this information. However,
the information provided in this document is for your information only.
Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their
respective owners. Consult your product manuals for complete trademark information.

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
