CVE-2017-5189 - OpenCVE

NetIQ iManager before 3.0.3 delivered a SSL private key in a Java application (JAR file) for authentication to Sentinel, allowing attackers to extract and establish their own connections to the Sentinel appliance.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Netiq	Imanager

Configuration 1 [-]

OR	cpe:2.3:a:netiq:imanager:2.7:::::::*
	cpe:2.3:a:netiq:imanager:2.7.1:::::::*
	cpe:2.3:a:netiq:imanager:2.7.2:::::::*
	cpe:2.3:a:netiq:imanager:2.7.3:::::::*
	cpe:2.3:a:netiq:imanager:2.7.4:::::::*
	cpe:2.3:a:netiq:imanager:2.7.5:::::::*
	cpe:2.3:a:netiq:imanager:2.7.6:::::::*
	cpe:2.3:a:netiq:imanager:2.7.7:p10::::::
	cpe:2.3:a:netiq:imanager:2.7.7:p11::::::
	cpe:2.3:a:netiq:imanager:2.7.7:p4::::::
	cpe:2.3:a:netiq:imanager:2.7.7:p5::::::
	cpe:2.3:a:netiq:imanager:2.7.7:p6::::::
	cpe:2.3:a:netiq:imanager:2.7.7:p7::::::
	cpe:2.3:a:netiq:imanager:2.7.7:p8::::::
	cpe:2.3:a:netiq:imanager:2.7.7:p9::::::
	cpe:2.3:a:netiq:imanager:2.7.7.10:hf1::::::
	cpe:2.3:a:netiq:imanager:2.7.7.10:hf2::::::
	cpe:2.3:a:netiq:imanager:3.0:::::::*
	cpe:2.3:a:netiq:imanager:3.0:sp1::::::
	cpe:2.3:a:netiq:imanager:3.0:sp2::::::
	cpe:2.3:a:netiq:imanager:3.0:sp3::::::
	cpe:2.3:a:netiq:imanager:3.0:sp4::::::
	cpe:2.3:a:netiq:imanager:3.0.2:p1::::::
	cpe:2.3:a:netiq:imanager:3.0.3:::::::*

References

Link	Resource
https://bugzilla.suse.com/show_bug.cgi?id=1021637
https://www.netiq.com/support/kb/doc.php?id=7016795

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: microfocus

Published: 2017-04-01T00:00:00

Updated: 2021-01-06T16:15:44

Reserved: 2017-01-06T00:00:00

Link: CVE-2017-5189

JSON object: View

NVD Information

Status : Modified

Published: 2018-03-02T20:29:00.380

Modified: 2023-11-07T02:49:21.840

Link: CVE-2017-5189

JSON object: View

Redhat Information

No data.

CWE

{"containers": {"cna": {"affected": [{"product": "iManager", "vendor": "NetIQ", "versions": [{"lessThan": "3.0.3", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "datePublic": "2017-04-01T00:00:00", "descriptions": [{"lang": "en", "value": "NetIQ iManager before 3.0.3 delivered a SSL private key in a Java application (JAR file) for authentication to Sentinel, allowing attackers to extract and establish their own connections to the Sentinel appliance."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"description": "Exposure of secret credentials in user exposed data", "lang": "en", "type": "text"}]}, {"descriptions": [{"cweId": "CWE-522", "description": "CWE-522", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-01-06T16:15:44", "orgId": "f81092c5-7f14-476d-80dc-24857f90be84", "shortName": "microfocus"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.suse.com/show_bug.cgi?id=1021637"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.netiq.com/support/kb/doc.php?id=7016795"}], "source": {"defect": ["1021637"], "discovery": "UNKNOWN"}, "title": "private SSL key embedded in JAR file in iManager", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@microfocus.com", "DATE_PUBLIC": "2017-04-01T00:00:00.000Z", "ID": "CVE-2017-5189", "STATE": "PUBLIC", "TITLE": "private SSL key embedded in JAR file in iManager"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "iManager", "version": {"version_data": [{"affected": "<", "version_affected": "<", "version_value": "3.0.3"}]}}]}, "vendor_name": "NetIQ"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "NetIQ iManager before 3.0.3 delivered a SSL private key in a Java application (JAR file) for authentication to Sentinel, allowing attackers to extract and establish their own connections to the Sentinel appliance."}]}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Exposure of secret credentials in user exposed data"}]}, {"description": [{"lang": "eng", "value": "CWE-522"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.suse.com/show_bug.cgi?id=1021637", "refsource": "CONFIRM", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1021637"}, {"name": "https://www.netiq.com/support/kb/doc.php?id=7016795", "refsource": "CONFIRM", "url": "https://www.netiq.com/support/kb/doc.php?id=7016795"}]}, "source": {"defect": ["1021637"], "discovery": "UNKNOWN"}}}}, "cveMetadata": {"assignerOrgId": "f81092c5-7f14-476d-80dc-24857f90be84", "assignerShortName": "microfocus", "cveId": "CVE-2017-5189", "datePublished": "2017-04-01T00:00:00", "dateReserved": "2017-01-06T00:00:00", "dateUpdated": "2021-01-06T16:15:44", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netiq:imanager:2.7:*:*:*:*:*:*:*", "matchCriteriaId": "9044A0FA-BD4E-4041-B16A-0C70551C65F7", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.1:*:*:*:*:*:*:*", "matchCriteriaId": "94134CE0-B4A4-477B-99E7-87F34B0F2CED", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.2:*:*:*:*:*:*:*", "matchCriteriaId": "4DB1AB4D-3906-4EDA-A514-FAE007A27095", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.3:*:*:*:*:*:*:*", "matchCriteriaId": "EC9CA1AA-A933-4BB6-81F1-B803A2D12FB2", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.4:*:*:*:*:*:*:*", "matchCriteriaId": "56B58611-550D-408E-8104-71ACD4A19FAA", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.5:*:*:*:*:*:*:*", "matchCriteriaId": "1842E298-D918-433F-9681-DF4AF9849029", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.6:*:*:*:*:*:*:*", "matchCriteriaId": "C93EB7FE-4A3A-4273-B5B5-CF6473C4D1F4", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.7:p10:*:*:*:*:*:*", "matchCriteriaId": "46A640AB-5C61-4801-9EB3-DA4FD6C43FE5", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.7:p11:*:*:*:*:*:*", "matchCriteriaId": "9B6B6F6C-1CD2-4823-A224-DDFAC5FD7C6A", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.7:p4:*:*:*:*:*:*", "matchCriteriaId": "52355F37-8540-4868-A565-E2109DA7ABA8", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.7:p5:*:*:*:*:*:*", "matchCriteriaId": "C9B213A2-2BED-4D5F-86AA-E4FE29352E8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.7:p6:*:*:*:*:*:*", "matchCriteriaId": "B2413E8E-7B96-434D-BF9B-3C769F931157", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.7:p7:*:*:*:*:*:*", "matchCriteriaId": "A70BA4BB-6398-46C5-9E16-4536AAD30011", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.7:p8:*:*:*:*:*:*", "matchCriteriaId": "6644CB8E-DC8E-46F4-8EFF-CEF34EC40116", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.7:p9:*:*:*:*:*:*", "matchCriteriaId": "088DA16B-2DCA-4EA5-86BC-93796D9F0E73", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.7.10:hf1:*:*:*:*:*:*", "matchCriteriaId": "7447ECD4-EA24-45F9-BF0D-971D074EAB4D", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:2.7.7.10:hf2:*:*:*:*:*:*", "matchCriteriaId": "91F3BCB4-6160-48DA-8CFA-88BD1FED1C84", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "5D3D7F7B-CF13-4729-BDC8-FA7C25EB0856", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:3.0:sp1:*:*:*:*:*:*", "matchCriteriaId": "0A8EC935-B012-4F5C-AF33-3438EEA18BD0", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:3.0:sp2:*:*:*:*:*:*", "matchCriteriaId": "D3A86186-B039-4F7F-BE13-A5C2987C63B6", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:3.0:sp3:*:*:*:*:*:*", "matchCriteriaId": "F0C76139-7684-4E41-B8BC-5D9DC6B47ABA", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:3.0:sp4:*:*:*:*:*:*", "matchCriteriaId": "D9AF38F2-611C-4557-8CB8-FEA46F84A779", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:3.0.2:p1:*:*:*:*:*:*", "matchCriteriaId": "F68364C6-7A48-49E7-BC89-6DF5181EEF2D", "vulnerable": true}, {"criteria": "cpe:2.3:a:netiq:imanager:3.0.3:*:*:*:*:*:*:*", "matchCriteriaId": "2482872E-C1FE-4E4E-833A-A426CC4E1230", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "NetIQ iManager before 3.0.3 delivered a SSL private key in a Java application (JAR file) for authentication to Sentinel, allowing attackers to extract and establish their own connections to the Sentinel appliance."}, {"lang": "es", "value": "NetIQ iManager, en versiones anteriores a la 3.0.3, entregaba una clave privada SSL en una aplicaci\u00f3n Java (archivo JAR) para autenticaci\u00f3n en Sentinel, lo que permite que atacantes remotos extraigan y establezcan sus propias conexiones en la aplicaci\u00f3n de Sentinel."}], "id": "CVE-2017-5189", "lastModified": "2023-11-07T02:49:21.840", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@opentext.com", "type": "Secondary"}]}, "published": "2018-03-02T20:29:00.380", "references": [{"source": "security@opentext.com", "url": "https://bugzilla.suse.com/show_bug.cgi?id=1021637"}, {"source": "security@opentext.com", "url": "https://www.netiq.com/support/kb/doc.php?id=7016795"}], "sourceIdentifier": "security@opentext.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "security@opentext.com", "type": "Secondary"}]}