Headline
CVE-2020-21642: ManageEngine Analytics Plus | Release Notes
Directory Traversal vulnerability ZDBQAREFSUBDIR parameter in /zropusermgmt API in Zoho ManageEngine Analytics Plus before 4350 allows remote attackers to run arbitrary code.
Build Number: 5130 (Release on: July 08, 2022)
Features introduced
- Analytics Plus seamlessly integrates with Jira Service Management Cloud to equip you with advanced service desk insights to stay on top of your customer experience. Learn more.
- Introducing Live Connect support for the following local databases: MariaDB and DB2. Click the corresponding links to learn more.
- Analytics Plus now allows you to connect live with various cloud databases such as IBM Cloud, Amazon Athena, Google Cloud MS SQL, and Snowflake for real-time reporting and analysis. Click the corresponding links to learn more.
Enhancements
- Analytics Plus enables you to choose the retention period of your data backups. Learn more.
- You can now choose to enable or disable the welcome emails being triggered while adding SSO or Active Directory users to Analytics Plus. Learn more.
Build Number: 5121 (Release on: May 31, 2022)
Issues fixed
- The issue while accessing the login page on deployments without internet access is now fixed.
Build Number: 5120 (Release on: May 24, 2022)
Features introduced
- Introducing out-of-box integrations with a wide range of business applications such as Google Analytics, Microsoft Dynamics CRM, QuickBooks, and much more. Learn more.
- Introducing a new license category - Viewers. Members in this category can be given read permissions for shared views and tables. This named account category will allow admins to dynamically filter shared views based on individual viewer privileges. Learn more.
Build Number: 5110 (Release on: April 14, 2022)
Features introduced
- Introducing support for asset and survey modules in ServiceDesk Plus MSP. Users should be on ServiceDeskPlus MSP build 10600 or above to view the respective reports. Learn more.
- You can now leverage webhooks to trigger alert notifications or custom workflows when data alert conditions are met. Learn more.
Enhancements
- While importing data from other Analytics Plus workspaces, the columns’ data type will also be retained as in the source workspace.
- Analytics Plus’ login page has been revamped to display product-related announcements. Learn more.
- The authentication mechanism for Jira Software Cloud has been changed from being key based to OAuth mode. Learn more.
Build Number: 5100 (Release on: March 22, 2022)
Features introduced
- Analytics Plus now allows you to easily export reports, dashboards and tables from one workspace to another within the same installation. Learn more.
- You can now remove an individual table’s data source, to stop the table from updating new data from the source. Learn more.
- You can instantly reflect the source database’s meta data changes to individual tables in Analytics Plus easily. This is only applicable for data imported using live connections. Learn more.
- Query tables now support Tabular functions such as Rank and Row Number that compares values across rows.
- You can leverage AND and OR logical operators while creating data alerts. Learn more.
- The custom sort option in reports has been revamped to enhance user experience.
Build Number: 5090 (Release on: February 21, 2022)
Features introduced
- Analytics Plus users can now configure multi-factor authentication for enhanced security. Learn more.
- Analytics Plus is moving to an xml-based Annual Maintenance and Support (AMS) license that allows for notifications before AMS expiration. Learn more.
Build Number: 5080 (Release on: January 25, 2022)
Features introduced
- This release includes functionality that will allow single sign-on to be configured with ManageEngine ServiceDesk Plus.
Note: To enable single sign-on, ServiceDesk Plus users should be on build 13000 or above.
Enhancements
- Analytics Plus administrators will now be notified to reset the default application password for enhanced security.
Build Number: 5070 (Release on: December 21, 2021)
Issues fixed
- The recently disclosed Apache Log4j vulnerabilities (CVE-2021-45046, CVE-2021-44228 and CVE-2021-45105) have been addressed in this release.
Build Number: 5060 (Release on: December 09, 2021)
Features introduced
- You can now choose to apply multiple user filters simultaneously in a dashboard. Learn more.
- You can now choose the data center associated to your ManageEngine ServiceDesk Plus Cloud account while setting up the integration. Learn more.
Build Number: 5050 (Release on: November 03, 2021)
Features introduced
- You can now import data from Google Cloud SQL MS SQL Server cloud database. Learn more.
- Analytics Plus’ getting started screens have been revamped to enhance the user experience. Learn more.
- You can choose to generate forecasts for the columns used in a chart’s Color shelf. Learn more.
- You can now configure workspace-level formatting options. These configurations will apply to all views in the workspace. Learn more.
- You can now create lookup columns while importing data using live connections. Learn more.
- New KPI chart type widgets have been introduced. Learn more
- The following enhancements have been made to reports in Analytics Plus:
- A chart’s Edit Design mode displays contextual menu options over columns used in the chart builder (on mouse hover). Learn more.
- You can now display images in the place of text in a chart’s axis. Learn more.
- The creating a tabular view screen has been revamped for easier navigation. Learn more.
Build Number: 5030 (Release on: October 18, 2021)
Features introduced
- Introducing audit logs - this feature allows administrators to capture detailed logs on application access and user activity. Learn more.
Build Number: 5020 (Release on: September 27, 2021)
Features introduced
- Introducing support for analytics on release management, change management and configuration management modules in ServiceNow. Learn more.
Build Number: 5010 (Release on: September 08, 2021)
Features introduced
- Introducing out-of-the-box integration with ManageEngine ServiceDesk Plus Cloud. Learn more.
Issues Fixed
- The issue while exporting custom map charts is now fixed in workstations with Google Chrome versions 59 or above installed.
- The issue that exported dashboards in a PDF layout without reflecting the configured password is fixed.
Note: To facilitate enhanced security, the default installation folder for Analytics Plus on Windows servers is now 'C:Program Files/’.
Build Number: 5000 (Release on: July 26, 2021)
Features introduced
- Introducing What-If analysis - this feature allows you to perform scenario analysis over data to visualize business impact if the involved variables change. Learn more.
- You can now access out-of-the-box blended reports that combine data from ManageEngine ServiceDesk Plus and ManageEngine Endpoint Central. Learn more.
- You can now import data from Amazon S3 databases. Learn more.
- The following enhancements have been made to Ask Zia:
- Introducing Zia Insights - you can now access actionable insights on your visualizations instantly. Learn more.
- Our AI assistant, Ask Zia, now supports inputs in Spanish.
- Format the values in your pivot views based on relevant conditions. Learn more.
- Introducing additional themes that allow you to customize your Analytics Plus application easily.
- Customize your map chart’s background theme using custom images. Learn more.
- The Edit Table screen has been revamped for easier navigation.
Build Number: 4760 (Release on: July 08, 2021)
Features introduced
- Introducing support for analytics on ServiceDesk Plus’ user surveys. Learn more.
Note: To enable this module, ServiceDesk Plus users should be on build 11300 or above.
Build Number: 4750 (Release on: June 28, 2021)
Features introduced
- You can now achieve application redundancy by setting up a high availability configuration. Learn more.
Issues Fixed
- The Cross-Site Scripting (xss) vulnerability in the display name field is now fixed.
Build Number: 4700 (Release on: May 31, 2021)
Features introduced
- Analytics Plus now allows you to copy reports, dashboards and tables from one workspace or installation to another. Learn more.
- You can also import data from one Analytics Plus workspace to another from the Import your Data screen. Learn more.
- You can now customize the mathematical models involved in forecasting your data. Learn more.
- Introducing Viewer mode - this mode removes edit/modify action buttons from the UI, thereby setting up reports and dashboards for a clutter-free view-only experience.
- The following enhancements have been made to charts:
- When a chart has multiple axes, you can now choose to merge specific axes. Learn more.
- You can now apply various effects on your chart to modify its overall appearance.
- You can now expand and collapse the user filters in dashboards.
- There are also several minor enhancements in the Analytics Plus user interface, designed to enhance your experience.
Build Number: 4650 (Release on: May 12, 2021)
Features introduced
- You can now import large amounts of data in batches from web URLs. Learn more.
- Analytics Plus now allows you to import spatial data files from local files. Learn more.
- You can now import zip code data into Analytics Plus, and generate geo visualizations with ease. Learn more.
- The following enhancements have been made to Ask Zia:
- Ask Zia now supports predictive analytics and generates reports with forecasted values.
- Introducing conversation mode: Ask Zia allows you to post follow up questions to help you dig deeper into your data.
- Ask Zia is now exclusively available in conversation mode within dashboards, to answer any dashboard-specific questions.
- Ask Zia will list existing reports as answers to your questions where applicable.
- You can now map terms in your questions to corresponding columns in the data table while entering your questions. Learn more.
- The following enhancements have been made to dashboards:
- You can now add multiple tabs to your dashboards. Learn more.
- The merge user filters functionality in dashboards has been enhanced to support all data types. Learn more.
- The following enhancements have been made to the sort functionality in charts:
- You can now sort your multi-axis charts with both X and Y-axes values.
- The Sort option in your chart’s toolbar has been revamped for easier navigation. Learn more.
- You can now export multiple views from the Explorer or export an entire folder. Learn more.
- Slideshows support a new preview option. Learn more.
- You can now automate scheduled backups of the Analytics Plus application easily. Learn more.
Build Number: 4610 (Release on: April 15, 2021)
Issues Fixed
- The keystore encryption issue that required an application restart has now been fixed.
Build Number: 4600 (Release on: March 26, 2021)
Features introduced
- Analytics Plus now supports data import from the following local databases: SQLite, Progress OpenEdge, Hive, Firebird, YugabyteDB, Microsoft Access and SAP HANA. Learn more.
- You can now import data from cloud databases into existing tables in Analytics Plus. Learn more.
- Introducing trend lines - you can now identify past and future data trends in Analytics Plus easily. Learn more.
- The following enhancements have been made to Ask Zia:
- The AI assistant can now understand questions that are grammatically unstructured or incomplete.
- Ask Zia now features typo tolerance, to understand words that are spelled incorrectly.
- Ask Zia can now interpret the mathematical function that is best suited for your question.
- The AI assistant’s knowledge of dates is now enhanced - the term “weekend” and the abbreviated versions of months can now be used.
- You can now configure a date column as a lookup column between two tables. Learn more.
- The following enhancements have been made to charts:
- A new chart type has been introduced: Histogram. Learn more.
- You can now apply patterns to your charts, and choose from a range of pre-built ones or create your own. Learn more.
- You can now create a 100% stacked bar chart, and charts with horizontal stacked bars that can have multiple Y axes.
- Analytics Plus allows you to switch your chart’s axis dynamically, to view the chart per your requirements. Learn more.
- You can choose to disable the Dynamic Drill Down option in charts. Learn more.
- The following enhancements have been made to pivot views:
- You can now hide specific columns in pivot views easily. Learn more.
- You can now expand and collapse the rows, columns and cells in your pivot views. Learn more.
- The following enhancements have been made to the sharing and publishing functionality:
- You can now request access to views that haven’t been shared with you. Learn more.
- Analytics Plus now allows you to set expiration dates for views that are published without login credentials.
- While publishing a table, you can now choose to publish only selective columns from that table.
- The Export and Email dialog boxes have been revamped for easier navigation.
- The following enhancements have been made to the Explorer View:
- You can convert a parent folder to a sub-folder, and vice versa. Learn more.
- You can now mark sub-folders as default folders in your workspace.
- You can now bookmark important views when accessing them, using the icon found beside the view’s name.
- The following enhancements have been made to user filters:
- The existing List only relevant values option can now be used to configure cascading user filters, wherein the subsequent user filter’s values are dependent on the preceding user filter’s value.
- Conversely, the Show All option can be selected to list every value in the subsequent user filter, regardless of the preceding user filter’s value. Learn more.
- The login and data import screens have been revamped for easier navigation.
Issues Fixed
- Encryption issues with the keystore password stored in the server.xml file in the /conf directory has now been fixed.
Note: For Windows installations, Microsoft Visual C++ 2015-2019 will be installed automatically along with Analytics Plus if its not already available on the installation server. This is to ensure seamless support with the Analytics Plus database, and enhance its performance.
Build Number: 4595 (Release on: February 23, 2021)
Features introduced
- Introducing support for analytics on ManageEngine Endpoint Central endpoint inventory. Learn more.
Issues Fixed
- The Cross-Site Scripting (xss) vulnerability in the workspace name field is now fixed.
Build Number: 4590 (Release on: November 12, 2020)
Features introduced
- ManageEngine OpManager customers can now run reports on device availability and interface performance. OpManager should be on build 125215 or above for these reports to work. Learn more.
- You can now invoke stored procedures to import data from specific databases. Learn more.
Build Number: 4580 (Release on: October 19, 2020)
Features introduced
- The existing Concurrent Viewers license category has been renamed as Concurrent Guests. This is only a name change with no change in functionality.
Build Number: 4570 (Release on: September 1, 2020)
Features introduced
- Introducing support for additional modules in SupportCenter Plus. This release includes analytics on Billing, Tasks, Time Analysis (which covers changes in Ticket Status, Support Group and Support Reps), Time Entries, and Solutions.
Note: To enable these modules, SupportCenter Plus users should be on build 11000 or above.
Build Number: 4560 (Release on: August 13, 2020)
Features introduced
- Introducing the Standard edition - a new multi-user edition that supports data import from any one of the available data sources. Learn more.
- The Personal edition now supports data import only from files/feeds, local and cloud databases, and allows users to analyze a total data volume of 10K rows.
Build Number: 4550 (Release on: July 20, 2020)
Database upgrade
- The Analytics Plus database is upgraded from PostgreSQL version 9.6 to version 11.7.
Build Number: 4510 (Release on: June 24, 2020)
Issues fixed
- Issues with variables, and e-mails scheduled with the Apply corresponding share filter criteria option, prevented users from upgrading to build 4500. Those users can now upgrade to build 4510.
Note: The Apply corresponding share filter criteria option will now be disabled while scheduling e-mails, if there is no filter criteria specified in the report. When new filter criteria are added, ensure this option is selected to apply the corresponding filters in the scheduled e-mail.
Build Number: 4500 (Release on: May 28, 2020)
Features introduced
- Introducing Wildcard filters - you can now construct filter criteria with multiple conditions to filter the data in your reports. Learn more.
- You can now create Data Snapshots of charts containing forecasted values. Learn more.
- The below keywords are now supported while creating query tables:
- Pivot: Converts rows into columns by turning the unique values in the input column to multiple output columns.
- Unpivot: Converts columns into rows by changing multiple columns to values in a single row.
- You can now customize a KPI widget’s alignment in a dashboard.
- The following enhancements have been made to charts:
- Choose to display legends with or without their corresponding values, and customize their format. Learn more.
- You can now plot charts with percentile function applied over the numeric data.Learn more.
- The following enhancements have been made to the Explorer View:
- Select and move multiple views across folders in a workspace.
- Move sub-folders from one folder to another, and make parent folders as sub-folders within another folder.
- You can now bookmark important views from the Reports and Dashboards section in the side panel.
- Creating new views is now easier, with options to create tables, reports, and dashboards from the respective sections in the side panel.
- The following enhancements have been made to the collaboration features:
- The various collaboration options are now grouped under the common Share button.
- You can now email filtered views to multiple users and groups. Learn more.
- The Embed and Publish URL screen has been revamped to facilitate easy access.
Issues fixed
- The authentication process for the Endpoint Central, Mobile Device Manager Plus, and Patch Manager Plus integrations has been changed. Click the corresponding links to know more.
- The issue that stopped the integration of Analytics Plus with OpManager build 12.4 and above is fixed.
- The issue that prevented the re-synchronization of ServiceDesk Plus, in the event of synchronization failure, is now fixed.
- On renaming the source tables imported using the live connect option, the changes will be reflected in the corresponding Analytics Plus tables on synchronization.
- Missing filters in the “Software Issues Due Today” report in Jira Software integration have been added.
- You can now expand and collapse views displayed in the grid format, from the Explorer page.
- The issue that removed the OJDBC and JTDS jars after upgrading to build 4350 and above is now fixed.
Build Number: 4460 (Release on: May 07, 2020)
Features introduced
- Introducing out-of-the-box integration with Jira Software Cloud and Jira Software Server. Learn more.
Build Number: 4450 (Release on: April 21, 2020)
Issues fixed
- Issues in Patch Manager Plus integration, due to unwanted tables being imported during the setup, have now been fixed.
Build Number: 4440 (Release on: April 16, 2020)
Features introduced
- Introducing out-of-the-box integration with Zendesk. Learn more.
- Introducing support for availability reports and the SLA module in ManageEngine Applications Manager. Learn more.
Build Number: 4430 (Release on: April 06, 2020)
Features introduced
- Introducing out-of-the-box integration with ManageEngine Patch Manager Plus (Beta). Learn more.
Build Number: 4420 (Release on: March 18, 2020)
Features introduced
- Introducing out-of-the-box integration with ManageEngine Mobile Device Manager Plus (Beta). Learn more.
Build Number: 4410 (Release on: February 24, 2020)
Features introduced
- You can now import users from your Active Directory and configure single sign-on. Learn more.
Issues Fixed
- Issues in creating folders and sub-folders within your workspace are now fixed.
Build Number: 4400 (Release on: February 07, 2020)
Features introduced
- Introducing Data Snapshots - a new way to capture data from a report and store it as a table. This is useful for historical data comparison. Learn more.
- Analytics Plus now supports more authentication types while importing data from web feeds. Learn more.
- You can now view the dependency details for a table or a report. Learn more.
- Create sub-folders in your workspace to organize views easily. Learn more.
- You can now dynamically filter dashboards based on the data points in a report. Learn more.
- Customize the layout of pivot tables to attain a more compact outlook. Learn more.
- Managing groups in Analytics Plus is now easier with an enhanced UI. Learn more.
- The following enhancements are made to the sort functionality in charts:
- By default, new pie charts will be sorted in the descending order based on the distribution of values.
- A chart with its top or bottom ‘N’ values filtered will also be sorted in the ascending or the descending order accordingly.
- If custom sort is configured as the default for a column in a table, new reports created over that column will also be sorted in the same manner.
Build Number: 4350 (Release on: December 02, 2019)
Features introduced
- Introducing Butterfly charts, and Geo Heat Map charts as a new variant of the Geo Map charts.
- Analytics Plus now supports data import from the following local databases: DB2, Exasol, Greenplum, Vertica, Actian Vector, Denodo, Pervasive SQL, and any database that supports a JDBC Connection. Learn more.
- You can also import data from statistical files, stored in local drives and web feeds. Learn more.
- Analytics Plus now allows you to customize the positioning of the column and row summaries in Pivot Tables. Learn more.
- The report-specific formula builder now supports logical and comparison operators. Learn more.
- You can now apply the parent table’s filter criteria to the dashboard when sharing it with users. Learn more.
- Users can choose to unsubscribe from workspaces that are shared to them. Learn more.
- You can now include upto 25 users in each email schedule. The Pick Users / Groups option also lets you pick groups from a list, instead of having to type all the email addresses individually.
- The following enhancements have been made to the Explorer View:
- Use the Shift + Select option (hold down the shift key during view selection) to choose several views at a time.
- Clicking the speech bubble icons in the Explorer View will take you to the comments section of each view.
Issues Fixed
- The security issue that resulted in a Remote Code Execution (RCE) vulnerability has been fixed.
- An Out-of-band XML External Entity (OOB-XXE) vulnerability that allowed users to read arbitrary files and scan internal ports is now fixed.
Build Number: 4310 (Release on: October 04, 2019)
Features introduced
- Introducing out-of-the-box integration with ManageEngine PAM360. Learn more.
Build Number: 4300 (Release on: September 09, 2019)
Features introduced
- Introducing out-of-the-box integration with ManageEngine Password Manager Pro. Learn more.
- Analytics Plus now supports data import from the following cloud databases: Amazon Aurora PostgreSQL, Amazon Athena, Microsoft Azure MySQL, Microsoft Azure PostgreSQL, Microsoft Azure Maria DB, Microsoft Azure SQL Database, Microsoft Azure SQL Data Warehouse, Google BigQuery, Google Cloud SQL, Google Cloud PostgreSQL, Snowflake, Rackspace Cloud MySQL, Rackspace Cloud Maria DB, Oracle Cloud, IBM Cloud and Panoply. Learn more.
- Analytics Plus now allows you to specify accuracy levels in forecast reports. Learn more.
- A new chart type has been introduced: Bubble Pie chart. Learn more.
- Analytics Plus has introduced new variants to Combination charts. Learn more.
- The following enhancements are offered in Geo map charts:
- New map chart themes have been introduced - Satellite theme, and custom theme. Additionally, a continuous color range legend can also be applied on map charts. Learn more.
- Support for creating map charts using Airport IATA codes.
- Country-specific map charts can now be created. Learn more.
- The option to import from Files and Feeds has now been categorized into separate tiles in Analytics Plus, to simplify the import process.
- The dashboard editor has been enhanced to facilitate smooth resizing and positioning of reports. You can also maximize and export specific reports in a dashboard.
- The Chart Color Palette section has now been revamped to facilitate easy access. Learn more.
- Enhancements in chart drill down allow you to ignore the value in the Color tile and drill down on the entire data present in the chart. Learn more.
- You can now change the dashboard and report listing style (folder view, type view or related view) from the side panel.
- You can now rename columns in a table by double-clicking the column header.
Build Number: 4280 (Release on: July 22, 2019)
Features introduced
- Introducing Zia, the intelligent analytics assistant that understands users’ questions in plain english and offers powerful insights immediately. Learn more.
- Analytics Plus now supports single sign-on with third-party applications that support SAML authentication. Learn more.
Build Number: 4270 (Release on: June 20th, 2019)
Features introduced
- Introducing support for asset module in ServiceDesk Plus. Learn more.
Note: To enable this module, ServiceDesk Plus users should be on build 10504 or above.
Issues Fixed
- Page loading and alignment issues faced by some customers upon upgrading to build 4260 have been fixed.
Build Number: 4260 (Release on: June 4th, 2019)
Features introduced
- Introducing support for ticket transition history, projects, and knowledge base modules in ServiceDesk Plus MSP. Learn more.
Note: To enable these modules, ServiceDesk Plus MSP users should be on build 9418 or above.
Build Number: 4250 (Release on: May 13th, 2019)
Features introduced
- Introducing out-of-the-box integration with ServiceNow. Learn more.
- You can now connect live with your data in Amazon Aurora - MySQL database for real-time analytics. Learn more.
- Analytics Plus now supports data imports from MongoDB on-premise databases. Learn more.
Issues Fixed
- Issues in Endpoint Central integration, due to domain authentication or special characters in the password, have now been fixed.
Build Number: 4200 (Release on: March 27, 2019)
Features introduced
- Introducing Live Connect for databases. Connect live with your data in MySQL to run real-time analytics. Live Connect for other databases will be supported soon. Learn more.
- Analytics Plus now lets you join tables using more than one Lookup Column. Learn more.
- You can now display numeric column data in lakhs and crores (commonly used in the Indian subcontinent). Learn more.
- Generating AuthTokens has been made easier, accessable from Analytics Plus under the Product Info screen.
Issues Fixed
- Alignment issues while exporting dashboards as PDF has now been fixed.
Build Number: 4150 (Release on: February 9th, 2019)
Features introduced
- Introducing out-of-the-box integration with ManageEngine Endpoint Central.
Build Number: 4100 (Release on: December 24, 2018)
In-memory columnar engine for faster analytics:
- In-memory columnar engine has been integrated into Analytics Plus for high performance at scale. Now experience analytics at speed with faster rendering of reports and dashboards.
Note: The in-memory columnar engine is available only for the Linux platform of Analytics Plus.
- Actian Vector (community and commercial versions available) columnar engine is now supported as a plug-able option for high performance at scale. This can be used as an alternative to the inbuilt columnar engine.
Note: Actian vector columnar engine is supported in both Linux and Windows platform.
Get in touch with [email protected] for more details.
Build Number: 4000 (Release on: November 16, 2018)
Features introduced
- Revamped home page to allow easy access to dashboards and workspaces.
- Introducing report commenting. Insert comments in your reports and reach consensus with your team regarding key metrics without ever leaving the Analytics Plus console. Learn more
- Enhanced notification window with options to view comments and alert notifications.
- Analytics Plus now supports importing data from cloud sources such as Box, Dropbox, Google Drive, and OneDrive. Learn more
- Introducing six new preset themes for dashboards with options to customize dashboard colors, card style, and report palettes. Learn more
- Introducing advanced summarizing functions in pivot tables such as,
- % of Row in Group - Displays the percentage of the total value of each row within a group.
- % of Column in Group - Displays the percentage of the total value of each column within a group.
- Lookup Value - Fetches value from any of Previous/Next/First/Last cell, based on the Base Field selected.
- While sharing tables, you can exclude columns with sensitive information to ensure data security.
- You can now customize reports by revising the default lookup relationship between the tables used in creating that report. Learn more
- Revamped user interface for sharing views and creating formulas.
- The new update allows users to enable or disable interactions on dashboards.
These interactions include:- Drill down
- View underlying data
- Sort menu for tabular views
- Show contextual options menu on hover
- Smart align
- New widget color options lets you set the background color for each widget in your dashboard.
- With the new update, you can set up alerts and get notified via email or in-app notifications when your data points breach a threshold. Eg: Email notification when SLA compliance goes below 90%. Learn more
Build Number: 3950 (Release on: October 12, 2018)
Features introduced
- Introducing support for ticket transition history, projects, and knowledge base modules in ServiceDesk Plus.
Note: To enable these modules, ServiceDesk Plus users should be on build 9422 or above.
Issues Fixed
- The 60-character limitation on column names in tables integrated out-of-the-box from ServiceDesk Plus has now been removed.
Build Number: 3900 (Release on: September 18, 2018)
Change in terminology
- Henceforth, “Reporting Database” will be referred to as Workspace and a “Database Owner or DB Owner” as a Workspace Admin. Learn more.
Features Introduced
- Duplicate user filters (from different data tables) can be merged together, and will work across all the applicable reports in a dashboard.
Learn more.
Build Number: 3800 (Release on: August 17, 2018)
Features Introduced
- Analytics Plus rolls out its next phase of updates in compliance with GDPR. Columns marked as ‘personal data’ will be excluded during export operations. Users can opt to include these columns manually using the column picker.
- With this update, the user filter panel in dashboard will be anchored to the explorer bar to allow users to apply filters from any section of the dashboard.
- Introducing geo location picker for map charts to resolve unidentified locations on the map.
- Enhanced data prep options for tables - Introducing split column option to effortlessly split text-based columns using separators such as comma, space, ampersand, etc.,
- Introducing support for importing data from MS Access Database. Users can now import their data into Analytics Plus from local drives, FTP servers, cloud drives, and web links of MS Access Database.
- Introducing support for passing dynamic parameter values such as current date, time, current date and time, while importing data from Web URLs.
- Analytics Plus now supports importing tables that have columns with different date formats.
- Introducing support to import data from web links using OAuth 1.0 and OAuth 2.0 authentication protocol.
Build Number: 3700 (Release on: June 11, 2018)
Features Introduced
- Analytics plus rolls out its first phase of updates in compliance with GDPR. Learn more.
- Password protect export and email attachments.
- Password protect published views.
- Introducing new variants in map charts: Map - Bubble, Map - Pie, and Map - Bubble Pie. Learn more.
- Quick formatting options in KPI widgets and enhanced customization in charts.
Build Number: 3600 (Release on: May 18, 2018)
Features Introduced
- Architectural changes to enable easy access over the internet and local networks.
Build Number: 3500 (Release on: May 18, 2018)
Features Introduced
- Introducing a unified Data Sources page to enable users to view and manage all data sources within a reporting database from a single page. Click the Data Sources button in the Explorer tab to access this page. Learn more.
- Enhancements to e-mail scheduling allows users to schedule e-mails to go out on the last day of the month as opposed to choosing the last date manually. Learn more.
- Summary function in pivot tables enhanced to include average, minimum, and maximum values in the sub-total and the grand total rows. Learn more.
- Introducing dynamic values for thresholds. Now use column averages, sum, minimum or maximum values as thresholds.
- Introducing scope functionality for thresholds. Select a single threshold line for the entire chart or multiple threshold lines for each data point in a chart.
- Enhanced grid themes for tabular reports at the database level. Now select a common color theme for all the tabular representations such as pivots and summary reports in a given reporting database. Learn more.
- Enhanced UI for ‘User Filters’ to aid quick customization.
- Introducing support for OData feeds. User can now import their data into Analytics Plus using the weblinks of OData feeds. Learn more.
- Shortened Embed/Permalink URL to facilitate easy sharing of reports and dashboards. Learn more.
- Enchanced dashboard themes lets you customize the font style, size, and color of the dashboard title and the description.
- New chart type - support for filled map chart. Color-code countries, cities or regions on a geographical map based on values in the report legend. Learn more.
- Now, you can represent Median and Mode of numerical fields in your reports. Learn more.
- The new update lets you import multiple sheets from an Excel workbook at one go. Each sheet will be stored as an individual table in the reporting database. Learn more.
Build number: 3450 (Release on: March 31, 2018)
Features Introduced
- The Dashboard Viewer license category undergoes a functionality change and will now be called Concurrent Viewers. This license category will work based on concurrent user sessions. Click here to know more.
- Two new fields have been introduced as part of the Applications Manager integration. Users can create monitor group reports using Type and Group Type fields.
Build number: 3400 (Release on: March 15, 2018)
Features Introduced
- New chart type - Support for map chart. Your metrics can now be tagged against geographical locations on a map view.
- Introducing support for API integration - A wide range of APIs allows you to perform actions such as user addition, export reports, share reports and much more.
- Analytics Plus now supports Windows authentication for importing data from in-house MSSQL servers.
- Automated license expiry alerts will now be sent to admins via email, in addition to in-product notifications.
Issues Fixed
- Issues in accessing Add text and Add image option while creating dashboards has been fixed.
- Some users reported losing their re-branded logo and dashboard images after a service pack upgrade. This issue has now been addressed.
- Issues related to date format conversion has been fixed.
- Issues in displaying the footer image when views are exported in JPEG or PNG format has been fixed.
Build Number: 3310 (Released on: Dec 14, 2017)
Issues Fixed
- Sync-related issues with 3300 has been fixed.
- Issues in selecting sync intervals has been addressed.
Build Number: 3300 (Released on: Dec 04, 2017)
Features Introduced
- Introducing support for the Change Management module in ServiceDesk Plus MSP.
- New chart type - Bullet and dial charts can be used in dashboard widgets.
- You can schedule data imports from local databases at frequencies less than 1 hour.
Issues Fixed
- Issues in changing the date format in pivot tables have been addressed.
- Issues in adding images to dashboards have been fixed.
- Login errors caused by browser cookies have been addressed.
Build Number: 3250 (Released on: Oct 10, 2017)
Features Introduced
- Introducing a new Gallery option that features reports and dashboards from the latest Analytics Plus releases. The featured report templates can be copied on to your own database. This feature is only available for the out-of-the box integrations such as ServiceDesk Plus, OpManager etc.
- Alerts about new reports and dashboards added to the gallery will now be available as in-product notifications.
- This version includes pre-loaded demo databases. These databases can be used to look at sample dashboards and reports before connecting your own applications. Click Sample Databases from the home screen to launch them.
Issues Fixed
- Issues in synchronizing Applications Manager performance metrics with Analytics Plus build 3200 has been addressed.
Build Number: 3200 (Released on: Aug 25, 2017)
Features Introduced
- We’ve given our homepage a facelift. With the new update, users can now view all the import options in a single page.
- You can now import data from Google cloud SQL and Heroku PostgreSQL cloud databases.
- Enhancements in OpManager and Applications Manager integrations for faster data import.
- Enhancements in the lookup column feature
- Lookup columns don’t inherit the data type of the parent column any more. You have options to choose different data types.
- The new update lets you apply lookup column over another looked up column.
- You can specify default values for the lookup column and also make it a mandatory field.
- On reports built with fields from multiple tables, you can now toggle between data from related tables using the View Underlying Data option.
- A new edit option for reports and dashboards in the explorer window launches reports directly in the edit mode.
- Upgraded chart chooser dialog box for dashboards lets you preview and toggle between different chart types.
- New Chart Colors option under database settings lets you pick a custom color palette, and choose between solid, monochrome or gradient color options for your charts.
- New chart type - Support for packed bubble charts has been introduced.
- Renamed Custom Formula option to Formula Column.
- We’ve also renamed Formula Column functions such as name month() to MonthName() and quarter() to QuarterName().
- Functions such as AbsQuarter(), AbsMonth(), IndexOf() and First_Date_Current_Week() can be used in a query table.
- Introducing variables for user groups - This lets you assign dynamic filter values to create filters for user groups.
- New user interface for edit e-mail schedule features icons for edit, pause, send now, and delete.
- Edit e-mail Schedule menu displays the list of reports or dashboards that are sent as part of the respective schedule.
- The sent time can now be appended to the e-mail subject line. Users receiving scheduled emails will be able to keep track of the time when the report was generated.
- You can choose to send yourself a copy of the report while setting up e-mail sharing.
Issues Fixed
- General scalability improvements.
- Service Desk Plus synchronization errors that occur as a result of backslash character (\) in field names has been fixed.
Build Number: 3140 (Released on: Jul 19, 2017)
Features Introduced
- Analytics on ManageEngine ServiceDesk Plus change management module is now available out of the box.
- This update also includes synchronization of new fields from the ServiceDesk Plus request module including FCR, first response overdue status, closure comments, approval status and more.
- Professional edition has been made the default option at the time of installation. Users will be able to switch to the personal edition at the end of the 30 day trial.
Build Number: 3130 (Released on: Jun 09, 2017)
Features Introduced
- Statistical functions such as Mean, Median and Mode can be used in aggregate formulas.
Issues Fixed
- Missing images when reports are emailed as inline message.
- Display issues while accessing reports published as non-interactive images.
Build Number: 3120 (Released on: May 16, 2017)
Features Introduced
- Introducing Dashboard Viewer license category - This allows you to publish reports across your organization without having to create separate logins for users. Know more
- Analytics Plus is now available in Turkish.
Build Number: 3110 (Released on: Apr 20, 2017)
Issues Fixed
- Addressed synchronization issues with ServiceDesk Plus installations that have more than 8 request additional fields.
- Fixed issues in exporting dashboards that contain widgets.
Build Number: 3100 (Released on: Mar 09, 2017)
New Features Introduced
- Enhanced ‘Getting Started’ page to guide new users.
- New chart type - Support for Bubble charts has been introduced. Learn more
- Notifications icon will now feature product updates and important announcements from ManageEngine.
- Windows authentication support for data import from MSSQL database.
- Live connection with Amazon Redshift database for real-time reports and dashboards. Learn more
- FTP import option has been introduced. Now files can be imported directly from FTP servers.
- Auto suggestions for custom formulas will now suggest suitable functions and columns from your data. Learn more
- Hidden columns in the data table will not be displayed during chart creation.
- Enhancements for formula functions such as fiscal year, week parameter and UDF logic.
- Choose drill down path on the fly without having to pre-configure a drill down path in reports, individually. Learn more
- Set the start day of the week and week format at a database level. It is no longer a universal setting. Learn more
- Files placed in the \AnalyticsPlus\Shared folder can be periodically imported into Analytics Plus.
- Performance enhancements.
Issues Fixed
- Errors while changing the datatype of a column from decimal to plain text.
- Exceptions while changing the datatype of a column from plain text to URL. Other general exceptions when modifying the data type of a column have been handled.
- Data corruption that occurs when adding a new formula column.
- Issues related to auto-identification of lookup columns.
- Data from the “Created by” field in the request module of ServiceDesk Plus is pushed to Analytics Plus.
- Fixed issues in displaying accurate underlying data when fields are used in the “color” section of a report.
- Synchronization issues resulting from changing the default ServiceDesk Plus database name.
- Errors resulting from changing the data type from positive number to plain text.
- Display error on using the “Show Missing Values” feature.
- Conditional formating issues with summary and pivot tables.
- Problems with not being able to add more than 5 users in one email schedule.
- Synchronization issues between ServiceDesk Plus version 9226 and Analytics Plus 3010, Personal edition.
- Mismatch in underlying data when aggregate formulas are used in charts.
- Errors in exporting dashboards with images.
- Failure in sharing reports with new users from the explorer window (using the edit share details option) with filter criteria specified.
- Restriction on the length of the domain name of the Analytics Plus host has been relaxed.
Build Number: 3050 (Released on: Jan 30, 2017)
Issues Fixed
- Fixed the issue of missing images while exporting a dashboard
Build Number: 3040 (Released on: December 2, 2016)
Features introduced
- Support for Polish language
Build Number: 3030 (Released on: November 14, 2016)
Issues Fixed
- Fixed an issue where OPM integrations failed due to SSL certificate violation
Build Number: 3020 (Released on: October 31, 2016)
Features introduced
- Enhanced performance on integrations with ITOA (OpManager and Applications Manager)
Issues Fixed
- Corrected the rendering of data points on Hour of the day and Full day charts
- Fixed an issue where import of data using scheduled import queries failed owing to the existence of ‘/’ and ‘%’ symbols in the query
Build Number: 3010 (Released on: September 26, 2016)
Enhancements / Features Introduced:
- Performance Improvements on Applications Manager and OpManager Integration
Issues Fixed
- Fixed an issue where generation of performance reports on integration with Applications Manager and OpManager, failed in some cases.
- Addressed the browser lock out problem in case of concurrent login
Build Number: 3000 (Released on: August 23, 2016)
Features introduced
- Out-of-the box integration with ManageEngine OpManager
- Out-of-the box integration with ManageEngine Applications Manager
- Out-of-the box integration with ManageEngine SupportCenter Plus
- Timeline Filters for Dashboards, click here to know more.
- Support to import data from cloud and local databases (MySQL, SQL Server, Oracle, PostgreSQL) without the use of Analytics Plus Agent.
Build Number: 2907 (Released on: July 25, 2016)
Issues fixed
- Occurrence of unnecessary pop-ups on a server without Internet connectivity has been fixed
- Fixed an issue related to license handling in the Personal Edition of Analytics Plus that runs on Linux Operating System.
- Fixed an UI issue that occurred in the Query table creation page, in a hosted environment.
Build Number: 2906 (Released on: July 04, 2016)
Features introduced
- Advanced settings to setup alias URL to access Analytics Plus.
- Support to access Analytics Plus using Internet Explorer and Edge.
- New option to ‘look-up’ fields in formula columns
- Wrapping column headers in pivots and summary views
- Support for Email Scheduling with default user filter
- Support to automatically identify look-up columns
- New settings page for reporting databases
Issues fixed
- Difficulty in installing Analytics Plus in a public IP environment has been fixed
Build Number: 2905 (Released on: May 06, 2016)
- Internal enhancements
Build Number: 2904 (Released on: May 03, 2016)
- Optimized user login process by adding redirection to Analytics Plus accounts module. This will ease the process of adding an exception to the SSL certificate warning.
- Out-of-the box integration with ManageEngine ServiceDesk Plus MSP
Build Number: 2903 (Released on: April 05, 2016)
- Document improvements in the Online Help
- Minor issues fixed
Build Number: 2902 (Released on: April 04, 2016)
- Implemented changes to optimize the login process
- Product name changed from ManageEngine Reports to ManageEngine Analytics Plus
Build Number: 2901 (Released on: March 16, 2016)
- Performance improvements
- Added support for additional languages
Build Number: 2900 (Released on: March 04, 2016)
- Advanced reporting capabilities and dashboard creation
- Out-of-the box integration with ManageEngine ServiceDesk Plus
Related news
Red Hat uses a four-point impact scale to classify security issues affecting our products. Have you ever asked yourself what it takes and what the requirements are for each point of the scale? We will talk through the highlights of our process in this article.Is this a CVE?First and foremost, what is a CVE? Short for Common Vulnerabilities and Exposures, it is a list of publicly disclosed computer security flaws. Learn more in this Red Hat post.To receive a severity rating, the issue needs to be a CVE. But what does it take to be a CVE? In order to warrant a CVE ID, a vulnerability has to comp
Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL. This issue affects Docker Desktop: before 4.23.0.
Categories: Exploits and vulnerabilities Categories: News Tags: Zoho ManageEngine Tags: CVE-2021-40539 Tags: Log4Shell Tags: CVE-2021-44228 Tags: CVE-2021-13379 Tags: ProxyShell Tags: CVE-2021-34473 Tags: CVE-2021-31207 Tags: CVE-2021-34523 Tags: CVE-2021-26084 Tags: Atlassian Tags: CVE-2022-22954 Tags: CVE-2022-22960 Tags: CVE-2022-26134 Tags: CVE-2022-1388 Tags: CVE-2022-30190 Tags: Follina What can the routinely exploited vulnerabilities of 2022 tell us, and what do we think will make it on to next year's list? (Read more...) The post 2022's most routinely exploited vulnerabilities—history repeats appeared first on Malwarebytes Labs.
Progress Chef Infra Server before 15.7 allows a local attacker to exploit a /var/opt/opscode/local-mode-cache/backup world-readable temporary backup path to access sensitive information, resulting in the disclosure of all indexed node data, because OpenSearch credentials are exposed. (The data typically includes credentials for additional systems.) The attacker must wait for an admin to run the "chef-server-ctl reconfigure" command.
Categories: Exploits and vulnerabilities Categories: News Tags: Oracle Tags: WebLogic Tags: CVE-2023-21839 Tags: CVE-2023-1389 Tags: CVE-2021-45046 Tags: CISA Tags: reverse shell An easy to exploit vulnerability in Oracle WebLogic Server has been added to the CISA list of things you really, really need to patch. (Read more...) The post Oracle WebLogic Server vulnerability added to CISA list as “known to be exploited” appeared first on Malwarebytes Labs.
Arbitrary file reading vulnerability in Apache Software Foundation Apache OFBiz when using the Solr plugin. This is a pre-authentication attack. This issue affects Apache OFBiz: before 18.12.07.
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
ThingsBoard 3.4.1 could allow a remote attacker to gain elevated privileges because hard-coded service credentials (usable for privilege escalation) are stored in an insecure format. (To read this stored data, the attacker needs access to the application server or its source code.)
An issue was discovered in the rollback feature of Elastic Endpoint Security for Windows, which could allow unprivileged users to elevate their privileges to those of the LocalSystem account.
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
The custom malware used by the state-backed Iranian threat group Drokbk has so far flown under the radar by using GitHub as a "dead-drop resolver" to more easily evade detection.
Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.
Improper Input Validation of plugin files in Administrator Interface of Secomea GateManager allows a server administrator to inject code into the GateManager interface. This issue affects: Secomea GateManager versions prior to 10.0.
Iranian government-sponsored threat actors have been blamed for compromising a U.S. federal agency by taking advantage of the Log4Shell vulnerability in an unpatched VMware Horizon server. The details, which were shared by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), come in response to incident response efforts undertaken by the authority from mid-June through mid-July 2022
Ransomware and pre-ransomware engagements make up 40 percent of threats seen this quarter By Caitlin Huey. For the first time since compiling these reports, Cisco Talos Incident Response saw an equal number of ransomware and pre-ransomware engagements, making up nearly 40 percent of threats this quarter. It can be difficult to determine what constitutes a pre-ransomware attack if ransomware never executes and encryption does not take place. However, Talos IR assesses that the combination of Cobalt Strike and credential-harvesting tools like Mimikatz, paired with enumeration and discovery techniques, indicates a high likelihood that ransomware is the final objective. This quarter featured a variety of publicly available tools and scripts hosted on GitHub repositories or other third-party websites to support operations across multiple stages of the attack lifecycle. This activity coincides with a general increase in the use of other dual-use tools, such as the legitimate red-teaming ...
A lack of MFA remains one of the biggest impediments to enterprise security.
Hello everyone! This episode will be about the new hot twenty vulnerabilities from CISA, NSA and FBI, Joint cybersecurity advisory (CSA) AA22-279A, and how I analyzed these vulnerabilities using my open source project Vulristics. Alternative video link (for Russia): https://vk.com/video-149273431_456239105 Americans can’t just release a list of “20 vulnerabilities most commonly exploited in attacks on […]
Categories: Exploits and vulnerabilities Categories: News Tags: Chinese APT Tags: advanced persistent threat Tags: APT Tags: CISA Tags: NSA Tags: FBI Tags: security advisory CISA, the NSA and the FBI have compiled a list of the vulnerabilities targeted by state-sponsorted threat actors from China. (Read more...) The post Chinese APT's favorite vulnerabilities revealed appeared first on Malwarebytes Labs.
A security vulnerability has been identified in Apache Kafka. It affects all releases since 2.8.0. The vulnerability allows malicious unauthenticated clients to allocate large amounts of memory on brokers. This can lead to brokers hitting OutOfMemoryException and causing denial of service. Example scenarios: - Kafka cluster without authentication: Any clients able to establish a network connection to a broker can trigger the issue. - Kafka cluster with SASL authentication: Any clients able to establish a network connection to a broker, without the need for valid SASL credentials, can trigger the issue. - Kafka cluster with TLS authentication: Only clients able to successfully authenticate via TLS can trigger the issue. We advise the users to upgrade the Kafka installations to one of the 3.2.3, 3.1.2, 3.0.2, 2.8.2 versions.
The U.S. Treasury Department's Office of Foreign Assets Control (OFAC) on Wednesday announced sweeping sanctions against ten individuals and two entities backed by Iran's Islamic Revolutionary Guard Corps (IRGC) for their involvement in ransomware attacks at least since October 2020. The agency said the cyber activity mounted by the individuals is partially attributable to intrusion sets tracked
Insufficient access control vulnerability was discovered in the Crestron AirMedia Windows Application, version 4.3.1.39, in which a user can pause the uninstallation of an executable to gain a SYSTEM level command prompt.
Trustwave report also finds 2022 is set to surpass 2021 for volume of critical CVEs
Commodity malware usage surpasses ransomware by narrow margin By Caitlin Huey. For the first time in more than a year, ransomware was not the top threat Cisco Talos Incident Response (CTIR) responded to this quarter, as commodity malware surpassed ransomware by a narrow margin. This is likely due to several factors, including the closure of several ransomware groups, whether it be of their own volition or the actions of global law enforcement agencies and governments. Commodity malware was the top observed threat this quarter, a notable development given the general decrease in observations of attacks leveraging commodity trojans in CTIR engagements since 2020. These developments coincide with a general resurgence of certain email-based trojans in recent months, as law enforcement and technology companies have continued to attempt to disrupt and affect email-based malware threats like Emotet and Trickbot. This quarter featured malware such as the Remcos remote access trojan ...
Open-Xchange App Suite versions 7.10.6 and below suffer from OS command injection and cross site scripting vulnerabilities. One particular cross site scripting issue only affects versions 7.10.5 and below.
Dell PowerStore, versions prior to 3.0.0.0, contains an OS Command Injection vulnerability in PowerStore T environment. A locally authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS command on the PowerStore underlying OS. Exploiting may lead to a system take over by an attacker.
Vulnerability will remain a "significant" threat for years to come and highlighted the need for more public and private sector support for open source software ecosystem, Cyber Safety Review Board says.
What are container image vulnerabilities?
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), along with the Coast Guard Cyber Command (CGCYBER), on Thursday released a joint advisory warning of continued attempts on the part of threat actors to exploit the Log4Shell flaw in VMware Horizon servers to breach target networks. "Since December 2021, multiple threat actor groups have exploited Log4Shell on unpatched,
Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.
Pure Storage FlashArray products running Purity//FA 6.2.0 - 6.2.3, 6.1.0 - 6.1.12, 6.0.0 - 6.0.8, 5.3.0 - 5.3.17, 5.2.x and prior Purity//FA releases, and Pure Storage FlashBlade products running Purity//FB 3.3.0, 3.2.0 - 3.2.4, 3.1.0 - 3.1.12, 3.0.x and prior Purity//FB releases are vulnerable to a privilege escalation via the manipulation of Python environment variables which can be exploited by a logged-in user to escape a restricted shell to an unrestricted shell with root privileges. No other Pure Storage products or services are affected. Remediation is available from Pure Storage via a self-serve “opt-in” patch, manual patch application or a software upgrade to an unaffected version of Purity software.
By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was... [[ This is only the beginning! Please visit the blog for the complete entry ]]
By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was... [[ This is only the beginning! Please visit the blog for the complete entry ]]
By Flavio Costa, Chris Neal and Guilherme Venere. In a recent customer engagement, we observed a month-long AvosLocker campaign. The attackers utilized several different tools, including Cobalt Strike, Sliver and multiple commercial network scanners. The initial ingress point in this incident was... [[ This is only the beginning! Please visit the blog for the complete entry ]]
Versions of the Amazon AWS Apache Log4j hotpatch package before log4j-cve-2021-44228-hotpatch-1.3.5 are affected by a race condition that could lead to a local privilege escalation. This Hotpatch package is not a replacement for updating to a log4j version that mitigates CVE-2021-44228 or CVE-2021-45046; it provides a temporary mitigation to CVE-2021-44228 by hotpatching the local Java virtual machines. To do so, it iterates through all running Java processes, performs several checks, and executes the Java virtual machine with the same permissions and capabilities as the running process to load the hotpatch. A local user could cause the hotpatch script to execute a binary with elevated privileges by running a custom java process that performs exec() of an SUID binary after the hotpatch has observed the process path and before it has observed its effective user ID.
An infinite loop in OPC UA .NET Standard Stack 1.04.368 allows a remote attackers to cause the application to hang via a crafted message.
A Denial of Service flaw was discovered in Elasticsearch. Using this vulnerability, an unauthenticated attacker could forcibly shut down an Elasticsearch node with a specifically formatted network request.
Dell PowerStore versions 2.0.0.x, 2.0.1.x and 2.1.0.x contains an open port vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to information disclosure and arbitrary code execution.
EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.
Calibre-Web before 0.6.18 allows user table SQL Injection.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
Mitel 6800 and 6900 Series SIP phone devices through 2022-04-27 have "undocumented functionality." A vulnerability in Mitel 6800 Series and 6900 Series SIP phones excluding 6970, versions 5.1 SP8 (5.1.0.8016) and earlier, and 6.0 (6.0.0.368) through 6.1 HF4 (6.1.0.165), could allow a unauthenticated attacker with physical access to the phone to gain root access due to insufficient access control for test functionality during system startup. A successful exploit could allow access to sensitive information and code execution.
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
An Improper Input Validation vulnerability in DataImportHandler of Apache Solr allows an attacker to provide a Windows UNC path resulting in an SMB network call being made from the Solr host to another host on the network. If the attacker has wider access to the network, this may lead to SMB attacks, which may result in: * The exfiltration of sensitive data such as OS user hashes (NTLM/LM hashes), * In case of misconfigured systems, SMB Relay Attacks which can lead to user impersonation on SMB Shares or, in a worse-case scenario, Remote Code Execution This issue affects all Apache Solr versions prior to 8.11.1. This issue only affects Windows.
It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.
Published on: 2021 Dec 11, updated 2022 Apr 6. SUMMARY SUMMARY Microsoft continues our analysis of the remote code execution vulnerabilities related to Apache Log4j (a logging tool used in many Java-based applications) disclosed on 9 Dec 2021. Currently, Microsoft is not aware of any impact, outside of the initial disclosure involving Minecraft: Java Edition, to the security of our enterprise services and has not experienced any degradation in availability of those services as a result of this vulnerability.
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.
Improper Access Control vulnerability in web service of Secomea SiteManager allows local attacker without credentials to gather network information and configuration of the SiteManager. This issue affects: Secomea SiteManager All versions prior to 9.5 on Hardware.
Improper Access Control vulnerability in web service of Secomea SiteManager allows local attacker without credentials to gather network information and configuration of the SiteManager. This issue affects: Secomea SiteManager All versions prior to 9.5 on Hardware.
An issue was discovered in Wind River VxWorks 7. The memory allocator has a possible integer overflow in calculating a memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
An issue was discovered in Wind River VxWorks 7. The memory allocator has a possible integer overflow in calculating a memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
An issue was discovered in Wind River VxWorks 7. The memory allocator has a possible integer overflow in calculating a memory block's size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption.
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.