Novell NetIQ Sentinel CVE-2016-1000031 Remote Code Execution Vulnerability

Description

Novell NetIQ Sentinel is prone to a security vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application. Novell NetIQ Sentinel version 7.4x are vulnerable.

Technologies Affected

• Apache Commons FileUpload 1.0
• Apache Commons FileUpload 1.1
• Apache Commons FileUpload 1.1.1
• Apache Commons FileUpload 1.2
• Apache Commons FileUpload 1.2.1
• Apache Commons FileUpload 1.2.2
• Apache Commons FileUpload 1.3
• Apache Commons FileUpload 1.3.1
• Apache Commons FileUpload 1.3.2
• Apache Struts 1.1
• Apache Struts 1.2.6
• Apache Struts 1.2.7
• Apache Struts 1.2.8
• Apache Struts 1.2.9
• Apache Struts 1.3.5
• Apache Struts 1.3.8
• Apache Struts 2
• Apache Struts 2.0.0
• Apache Struts 2.0.1
• Apache Struts 2.0.10
• Apache Struts 2.0.11 .2
• Apache Struts 2.0.11
• Apache Struts 2.0.11.1
• Apache Struts 2.0.12
• Apache Struts 2.0.13
• Apache Struts 2.0.14
• Apache Struts 2.0.2
• Apache Struts 2.0.3
• Apache Struts 2.0.4
• Apache Struts 2.0.5
• Apache Struts 2.0.6
• Apache Struts 2.0.7
• Apache Struts 2.0.8
• Apache Struts 2.0.9
• Apache Struts 2.1.0
• Apache Struts 2.1.1
• Apache Struts 2.1.2
• Apache Struts 2.1.3
• Apache Struts 2.1.4
• Apache Struts 2.1.5
• Apache Struts 2.1.6
• Apache Struts 2.1.8
• Apache Struts 2.1.8.1
• Apache Struts 2.2.1
• Apache Struts 2.2.1.1
• Apache Struts 2.2.3
• Apache Struts 2.2.3.1
• Apache Struts 2.3.1
• Apache Struts 2.3.1.1
• Apache Struts 2.3.1.2
• Apache Struts 2.3.12
• Apache Struts 2.3.14
• Apache Struts 2.3.14.1
• Apache Struts 2.3.14.2
• Apache Struts 2.3.14.3
• Apache Struts 2.3.15
• Apache Struts 2.3.15.1
• Apache Struts 2.3.15.2
• Apache Struts 2.3.15.3
• Apache Struts 2.3.16
• Apache Struts 2.3.16.1
• Apache Struts 2.3.16.2
• Apache Struts 2.3.16.3
• Apache Struts 2.3.20
• Apache Struts 2.3.20.1
• Apache Struts 2.3.20.2
• Apache Struts 2.3.20.3
• Apache Struts 2.3.24
• Apache Struts 2.3.24.1
• Apache Struts 2.3.24.2
• Apache Struts 2.3.24.3
• Apache Struts 2.3.28
• Apache Struts 2.3.28.1
• Apache Struts 2.3.29
• Apache Struts 2.3.3
• Apache Struts 2.3.30
• Apache Struts 2.3.31
• Apache Struts 2.3.32
• Apache Struts 2.3.33
• Apache Struts 2.3.34
• Apache Struts 2.3.35
• IBM Tivoli Application Dependency Discovery Manager 7.2.2.5
• IBM Tivoli Application Dependency Discovery Manager 7.3.0.3
• Novell NetIQ Sentinel 7.4.0
• Novell NetIQ Sentinel 7.4.1
• Novell NetIQ Sentinel 7.4.2
• Oracle API Gateway 11.1.2.4.0
• Oracle Agile Engineering Data Management 6.2.0
• Oracle Agile Engineering Data Management 6.2.1
• Oracle Agile PLM 9.3.3
• Oracle Agile PLM 9.3.4
• Oracle Agile PLM 9.3.5
• Oracle Agile Recipe Management for Pharmaceuticals 9.3.3
• Oracle Agile Recipe Management for Pharmaceuticals 9.3.4
• Oracle Application Testing Suite 13.1
• Oracle Application Testing Suite 13.2
• Oracle Application Testing Suite 13.3
• Oracle Banking Platform 2.4.0
• Oracle Banking Platform 2.4.1
• Oracle Banking Platform 2.5.0
• Oracle Banking Platform 2.6.0
• Oracle Communications Application Session Controller 3.7.1
• Oracle Communications Application Session Controller 3.8.0
• Oracle Communications Convergence 3.0.2
• Oracle Communications Diameter Signaling Router 3.0
• Oracle Communications Diameter Signaling Router 4.0
• Oracle Communications Diameter Signaling Router 4.1.0
• Oracle Communications Diameter Signaling Router 4.1.6
• Oracle Communications Diameter Signaling Router 5.0
• Oracle Communications Diameter Signaling Router 5.1.0
• Oracle Communications Diameter Signaling Router 6.0.0
• Oracle Communications Diameter Signaling Router 6.0.2
• Oracle Communications Diameter Signaling Router 7.0
• Oracle Communications Diameter Signaling Router 7.1.0
• Oracle Communications Diameter Signaling Router 8.0
• Oracle Communications Online Mediation Controller 6.1
• Oracle Communications Service Broker 6.0
• Oracle Communications Service Broker Engineered System Edition 6.0
• Oracle Communications Services Gatekeeper 5.1
• Oracle Communications Services Gatekeeper 6.0
• Oracle Communications Unified 8.0.0.2.0
• Oracle Endeca Information Discovery Integrator 3.2.0
• Oracle Enterprise Manager Ops Center 12.3.3
• Oracle FLEXCUBE Core Banking 11.6.0
• Oracle FLEXCUBE Core Banking 11.7.0
• Oracle FLEXCUBE Core Banking 11.8.0
• Oracle FLEXCUBE Core Banking 5.2.0
• Oracle FLEXCUBE Enterprise Limits and Collateral Management 12.0.0
• Oracle FLEXCUBE Enterprise Limits and Collateral Management 12.0.1
• Oracle FLEXCUBE Enterprise Limits and Collateral Management 12.0.2
• Oracle FLEXCUBE Enterprise Limits and Collateral Management 12.1
• Oracle FLEXCUBE Private Banking 12.0.1.0
• Oracle FLEXCUBE Private Banking 12.0.3.0
• Oracle FLEXCUBE Private Banking 12.1.0.0
• Oracle FLEXCUBE Private Banking 2.0.0.0
• Oracle FLEXCUBE Private Banking 2.2.0.1
• Oracle FLEXCUBE Universal Banking 12.0.1
• Oracle FLEXCUBE Universal Banking 12.0.2
• Oracle FLEXCUBE Universal Banking 12.0.3
• Oracle FLEXCUBE Universal Banking 12.1.0
• Oracle Financial Services Analytical Applications Infrastructure 7.3.3
• Oracle Financial Services Analytical Applications Infrastructure 7.3.5
• Oracle Financial Services Analytical Applications Infrastructure 8.0.1
• Oracle Financial Services Analytical Applications Infrastructure 8.0.2
• Oracle Financial Services Analytical Applications Infrastructure 8.0.3
• Oracle Financial Services Analytical Applications Infrastructure 8.0.4
• Oracle Financial Services Analytical Applications Infrastructure 8.0.5
• Oracle Financial Services Analytical Applications Infrastructure 8.0.6
• Oracle Financial Services Analytical Applications Infrastructure 8.0.7
• Oracle Fusion Middleware MapViewer 12.2.1.3.0
• Oracle Healthcare Master Person Index 3.0
• Oracle Healthcare Master Person Index 4.0
• Oracle Hospitality Guest Access 4.2.0
• Oracle Hospitality Guest Access 4.2.1
• Oracle Identity Analytics 11.1.1.5.8
• Oracle Insurance Calculation Engine 10.0
• Oracle Insurance Calculation Engine 10.1
• Oracle Insurance Calculation Engine 10.2
• Oracle Insurance Calculation Engine 9.7
• Oracle Insurance Policy Administration J2EE 10.0
• Oracle Insurance Policy Administration J2EE 10.1
• Oracle Insurance Policy Administration J2EE 10.2
• Oracle Insurance Policy Administration J2EE 11.0
• Oracle Insurance Rules Palette 10.0
• Oracle Insurance Rules Palette 10.1
• Oracle Insurance Rules Palette 10.2
• Oracle Insurance Rules Palette 11.0
• Oracle Knowledge 8.5.1
• Oracle Knowledge 8.5.1.7
• Oracle Knowledge 8.6.0
• Oracle Knowledge 8.6.1
• Oracle MICROS Relate CRM 10.8
• Oracle MICROS Relate CRM 11.4
• Oracle MICROS Retail XBRi Loss Prevention 10.8.0
• Oracle MICROS Retail XBRi Loss Prevention 10.8.1
• Oracle MICROS Retail XBRi Loss Prevention 10.8.3
• Oracle Primavera P6 Enterprise Project Portfolio Management 15.1
• Oracle Primavera P6 Enterprise Project Portfolio Management 15.2
• Oracle Primavera P6 Enterprise Project Portfolio Management 16.1
• Oracle Primavera P6 Enterprise Project Portfolio Management 16.2
• Oracle Primavera P6 Enterprise Project Portfolio Management 17.12
• Oracle Primavera P6 Enterprise Project Portfolio Management 17.7
• Oracle Primavera P6 Enterprise Project Portfolio Management 18.8
• Oracle Primavera P6 Enterprise Project Portfolio Management 8.4
• Oracle Primavera Unifier 16.1
• Oracle Primavera Unifier 16.2
• Oracle Primavera Unifier 17.12
• Oracle Primavera Unifier 17.7
• Oracle Primavera Unifier 18.8
• Oracle Retail Back Office 13.3
• Oracle Retail Back Office 13.4
• Oracle Retail Back Office 14.0
• Oracle Retail Back Office 14.1
• Oracle Retail Central Office 13.3
• Oracle Retail Central Office 13.4
• Oracle Retail Central Office 14.0
• Oracle Retail Central Office 14.1
• Oracle Retail Customer Management and Segmentation Foundation 16.0.0
• Oracle Retail Customer Management and Segmentation Foundation 17.0.0
• Oracle Retail Integration Bus 15.0
• Oracle Retail Integration Bus 16.0
• Oracle Retail Order Broker 15.0
• Oracle Retail Order Broker 16.0
• Oracle Retail Order Broker 5.1
• Oracle Retail Order Broker 5.2
• Oracle Retail Returns Management 13.3
• Oracle Retail Returns Management 13.4
• Oracle Retail Returns Management 14.0
• Oracle Retail Returns Management 14.1
• Oracle Retail Service Backbone 13.1
• Oracle Retail Service Backbone 13.2
• Oracle Retail Service Backbone 14.0
• Oracle Retail Service Backbone 14.1
• Oracle Retail Service Backbone 15.0
• Oracle Retail Service Backbone 16.0
• Oracle Retail Xstore Point of Service 7.0
• Oracle Retail Xstore Point of Service 7.1
• Oracle Tape Library ACSLS 8.5
• Oracle Utilities Framework 2.2.0
• Oracle Utilities Framework 4.2.0.2.0
• Oracle Utilities Framework 4.3.0.2.0
• Oracle Utilities Framework 4.3.0.3.0
• Oracle Utilities Framework 4.3.0.4
• Oracle Utilities Framework 4.3.0.5.0
• Oracle Utilities Framework 4.3.0.6.0
• Oracle Utilities Framework 4.4.0.0.0
• Oracle Utilities Work and Asset Management 1.9.1.2
• Oracle WebCenter Portal 12.2.1.3.0
• Oracle WebCenter Sites 12.2.1.3.0

Recommendations

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic

Do not accept or execute files from untrusted or unknown sources.
To reduce the likelihood of successful exploits, do not open files that originate from untrusted sources.

Implement multiple redundant layers of security.
Various memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker’s ability to exploit this vulnerability to execute arbitrary code.

Run all software as a nonprivileged user with minimal access rights.
To limit the impact of latent vulnerabilities, configure database servers and other applications to run as a nonadministrative user with minimal access rights.

Updates are available. Please see the references or vendor advisory for more information.