Severity: Critical
CVE ID: CVE-2022-47966
Details:
This advisory addresses an unauthenticated remote code execution vulnerability that was reported and patched in the ManageEngine on-premises products listed below. The root cause is the use of an outdated third-party dependency, Apache Santuario.
ManageEngine On-Demand/cloud products are not affected by this vulnerability.
Applicability:
This advisory applies only when SAML SSO is, or has previously been, enabled in the ManageEngine setup (see the per-product notes below the table).
Product Name | Impacted Version(s) | Fixed Version(s) | Released On |
---|---|---|---|
Access Manager Plus* | 4307 and below | 4308 | 7/11/2022 |
Active Directory 360** | 4309 and below | 4310 | 28/10/2022 |
ADAudit Plus** | 7080 and below | 7081 | 28/10/2022 |
ADManager Plus** | 7161 and below | 7162 | 28/10/2022 |
ADSelfService Plus** | 6210 and below | 6211 | 28/10/2022 |
Analytics Plus* | 5140 and below | 5150 | 7/11/2022 |
Application Control Plus* | 10.1.2220.17 and below | 10.1.2220.18 | 28/10/2022 |
Asset Explorer** | 6982 and below | 6983 | 27/10/2022 |
Browser Security Plus* | 11.1.2238.5 and below | 11.1.2238.6 | 28/10/2022 |
Device Control Plus* | 10.1.2220.17 and below | 10.1.2220.18 | 28/10/2022 |
Endpoint Central* | 10.1.2228.10 and below | 10.1.2228.11 | 28/10/2022 |
Endpoint Central MSP* | 10.1.2228.10 and below | 10.1.2228.11 | 28/10/2022 |
Endpoint DLP* | 10.1.2137.5 and below | 10.1.2137.6 | 28/10/2022 |
Key Manager Plus* | 6400 and below | 6401 | 27/10/2022 |
OS Deployer* | 1.1.2243.0 and below | 1.1.2243.1 | 28/10/2022 |
PAM 360* | 5712 and below | 5713 | 7/11/2022 |
Password Manager Pro* | 12123 and below | 12124 | 7/11/2022 |
Patch Manager Plus* | 10.1.2220.17 and below | 10.1.2220.18 | 28/10/2022 |
Remote Access Plus* | 10.1.2228.10 and below | 10.1.2228.11 | 28/10/2022 |
Remote Monitoring and Management (RMM)* | 10.1.40 and below | 10.1.41 | 29/10/2022 |
ServiceDesk Plus** | 14003 and below | 14004 | 27/10/2022 |
ServiceDesk Plus MSP** | 13000 and below | 13001 | 27/10/2022 |
SupportCenter Plus** | 11017 to 11025 | 11026 | 28/10/2022 |
Vulnerability Manager Plus* | 10.1.2220.17 and below | 10.1.2220.18 | 28/10/2022 |
* - Applicable only if SAML-based SSO is configured and currently active.
** - Applicable only if SAML-based SSO is configured at least once in the past, regardless of the current SAML-based SSO status.
Impact:
This vulnerability allows an unauthenticated adversary to execute arbitrary code when the SAML SSO criterion noted above for the product is met.
Fix:
This issue has been fixed by updating the third-party module (Apache Santuario) to a recent version in the fixed builds listed above.
Acknowledgements:
This vulnerability was reported by Khoadha of Viettel Cyber Security through our Bug Bounty program.
Please contact our product support or security@manageengine.com if you need any further assistance.