CVE-2021-22528
📋 TL;DR
This vulnerability allows attackers to execute malicious JavaScript in users' browsers through NetIQ Access Manager web interfaces. It affects organizations using NetIQ Access Manager versions before 5.0.1 and 4.5.4. Attackers can craft malicious URLs that, when visited by authenticated users, execute arbitrary scripts in the context of the Access Manager application.
💻 Affected Systems
- NetIQ Access Manager
📦 What is this software?
NetIQ Access Manager by Micro Focus (the vulnerable component is the product's web interfaces, which reflect a URL parameter into the page without output encoding)
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal session cookies, perform actions as authenticated users, redirect to malicious sites, or compromise administrator accounts leading to full system takeover.
Likely Case
Attackers steal user session tokens to impersonate legitimate users, potentially accessing sensitive applications protected by Access Manager.
If Mitigated
When the reflected parameter is HTML-encoded on output (what the fixed builds do), or the request is blocked in front of the application by a WAF, the payload is rendered as inert text instead of being executed by the browser.
🎯 Exploit Status
Reflected XSS requires the victim to open an attacker-crafted URL (phishing mail, chat link, a link planted on a page the victim trusts). No authentication bypass is involved: the injected script runs with whatever session the victim's browser already holds with Access Manager, so a logged-in user, or one who logs in after following the link, is the useful target.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.1 or 4.5.4
Vendor Advisory: https://support.microfocus.com/kb/doc.php?id=7025259
Restart Required: Yes
Instructions:
1. Download NetIQ Access Manager 5.0.1 (for 5.0 deployments) or 4.5.4 (for 4.5 deployments) from the Micro Focus support portal.
2. Apply the update following the vendor documentation linked in the advisory.
3. Restart the Access Manager services.
4. Verify the new version in the Administration Console and retest the affected web interfaces.
🔧 Temporary Workarounds
Input Validation Filter
Applies to all deployments: block requests carrying script patterns in URL parameters at a WAF or reverse proxy in front of the affected web interfaces.
WAF specific: match on <script, javascript:, and on*= event-handler attributes, including their URL-encoded and double-encoded forms (%3Cscript, %253Cscript). Signature filters are routinely bypassed, so treat this as a stopgap until the patch is applied, not as a fix.
Content Security Policy
Applies to all deployments: serve a strict CSP on the responses of the affected web interfaces (for example via a reverse proxy in front of them) so that injected inline script is not executed.
Add header: Content-Security-Policy: default-src 'self'
Because this policy omits 'unsafe-inline', it blocks the reflected payload, but it also blocks the application's own inline scripts and event handlers and may break the Access Manager UI. Test it in report-only mode (Content-Security-Policy-Report-Only) before enforcing it.
🧯 If You Can't Patch
- Implement strict Content Security Policy headers
- Deploy web application firewall with XSS protection rules
🔍 How to Verify
Check if Vulnerable:
With authorization, send a harmless probe such as <script>alert('XSS')</script> in URL parameters of the web interfaces and inspect the raw HTTP response rather than relying on the browser: if the probe comes back verbatim inside the HTML, the parameter is reflected without output encoding. A probe that comes back as &lt;script&gt; or is stripped indicates encoding is in place for that parameter.
Check Version:
Check Access Manager version in administration console or via command: namadmin --version
Verify Fix Applied:
After patching, confirm the version in the Administration Console and repeat the probe against the same parameters; a fixed build returns the probe HTML-encoded or stripped rather than verbatim.
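The probe test above, turned into a repeatable check. This is an added example, not vendor code: it builds the probe URL with a unique marker and classifies a captured response body as reflected-unencoded, encoded, or not reflected. The host, path and parameter name are placeholders, the sample responses are constructed, and you should run this only against systems you are authorized to test.

```python
import urllib.parse

# Unique marker so the probe is easy to find in a response, plus the characters
# a correct HTML encoder must neutralise (a quote, angle brackets, an event handler).
CANARY = "xss7f3q"
PROBE = f'"><svg onload=alert({CANARY})>'


def build_probe_url(base_url: str, param: str, probe: str = PROBE) -> str:
    """Return base_url with `param` set to the probe, percent-encoded for the query.

    base_url and param are placeholders (assumed): use the real interface URL and a
    parameter the page actually reflects, such as a redirect target.
    """
    return f"{base_url}?{urllib.parse.urlencode({param: probe})}"


def classify_reflection(body: str, probe: str = PROBE, canary: str = CANARY) -> str:
    """Classify how the probe came back in the HTTP response body.

    "unencoded": the probe appears verbatim, i.e. the parameter is written into the
                 page without output encoding (the vulnerable condition, provided the
                 reflection point is HTML and not, say, a JSON body).
    "encoded":   the marker is present but the probe is not: the dangerous characters
                 were escaped (&lt; &quot; ...) or stripped.
    "absent":    the marker never appears: the parameter is not reflected or the
                 request was rejected, so this response proves nothing either way.
    """
    if probe in body:
        return "unencoded"
    if canary in body:
        return "encoded"
    return "absent"


# Constructed sample responses (not captured from a real system).
VULNERABLE_BODY = (
    '<form action="/login"><input type="hidden" name="target" '
    'value=""><svg onload=alert(xss7f3q)>"></form>'
)
ENCODED_BODY = (
    '<form action="/login"><input type="hidden" name="target" '
    'value="&quot;&gt;&lt;svg onload=alert(xss7f3q)&gt;"></form>'
)
NO_REFLECTION_BODY = "<html><body>Bad request</body></html>"


if __name__ == "__main__":
    # Placeholder host and parameter; substitute the interface you are testing.
    print(build_probe_url("https://nam.example.test/nidp/app", "target"))
    samples = [("vulnerable", VULNERABLE_BODY), ("encoded", ENCODED_BODY), ("absent", NO_REFLECTION_BODY)]
    for name, body in samples:
        print(name, "->", classify_reflection(body))
```

Keying the "encoded" verdict on the marker rather than on one specific entity form means an encoder that emits &#34; instead of &quot; is still recognised. An "absent" result is not a pass: try the other parameters the interface accepts, and treat the version check as the authoritative signal.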
📡 Detection & Monitoring
Log Indicators:
- Unusually long request URLs carrying <script, javascript:, or on*= event handlers in query parameters, usually URL-encoded or double-encoded in the log
- Successful logins immediately followed by redirects to unfamiliar external hosts, which can indicate a phished link that steals the session once the victim authenticates
Network Indicators:
- HTTP requests to the Access Manager interfaces containing <script> tags, javascript: URIs or event-handler attributes, in plain or percent-encoded form
- Browser requests from users' workstations to unfamiliar external hosts shortly after they visit an Access Manager URL, consistent with exfiltration of session tokens
SIEM Query:
source="access_manager.logs" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload=")
Note that payloads in access logs are almost always URL-encoded, so a literal match like the one above misses them; either add the encoded forms ("%3Cscript", "javascript%3A", "onerror%3D") or decode the URL field before matching.
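The decoding caveat above, demonstrated on log lines. This is an added example, not part of the page or the vendor's tooling: it parses combined-format access log lines, percent-decodes the URL until it stops changing (so double-encoded probes are caught), and matches a small set of XSS patterns. The log lines, IP addresses and /nidp/app paths are constructed sample data.

```python
import re
import urllib.parse

# Patterns characteristic of reflected-XSS probes, applied to the decoded URL.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"\bon(?:error|load|focus|mouseover)\s*=", re.I),
    re.compile(r"<\s*(?:svg|img|iframe)\b", re.I),
]

# Literal substrings from the SIEM query above, checked against the raw line.
RAW_TOKENS = ("<script>", "javascript:", "onerror=", "onload=")

# Combined-format access log line; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log (not from a real deployment).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2022:10:01:02 +0000] "GET /nidp/app/login?target=https%3A%2F%2Fportal.example.test%2F HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Jan/2022:10:03:44 +0000] "GET /nidp/app?target=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5211',
    '203.0.113.9 - - [12/Jan/2022:10:03:45 +0000] "GET /nidp/app?target=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 5230',
    '198.51.100.7 - - [12/Jan/2022:10:07:10 +0000] "GET /nidp/app?target=javascript%3Aalert(document.cookie) HTTP/1.1" 302 0',
]


def naive_match(line: str) -> bool:
    """The literal-substring check from the SIEM query, run on the raw log line."""
    low = line.lower()
    return any(token in low for token in RAW_TOKENS)


def fully_decode(url: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the text stops changing (handles double encoding)."""
    prev, cur, rounds = None, url, 0
    while cur != prev and rounds < max_rounds:
        prev, cur = cur, urllib.parse.unquote_plus(cur)
        rounds += 1
    return cur


def find_xss_requests(log_lines):
    """Return one record per log line whose decoded URL matches an XSS pattern."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        decoded = fully_decode(m["url"])
        matched = [p.pattern for p in XSS_PATTERNS if p.search(decoded)]
        if matched:
            hits.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "url": m["url"], "decoded": decoded, "patterns": matched,
            })
    return hits


if __name__ == "__main__":
    print("literal SIEM match:", sum(1 for l in SAMPLE_LOG if naive_match(l)), "of", len(SAMPLE_LOG))
    for hit in find_xss_requests(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["decoded"], hit["patterns"])
```

On the sample data the literal check matches nothing while the decoding check flags all three probes, which is the gap the SIEM note describes. Pattern matching of this kind produces false positives on legitimate parameters that happen to contain words like "onload", so pair it with the source IP, the response status and the Referer before escalating.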
🔗 References
- https://support.microfocus.com/kb/doc.php?id=7025259
- https://www.microfocus.com/documentation/access-manager/5.0/accessmanager501-release-notes/accessmanager501-release-notes.html