CVE-2022-36923: Security Updates - CVE-2022-36923 | ManageEngine OpManager
Zoho ManageEngine OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, and OpUtils before 2022-07-27 through 2022-07-28 (125657, 126002, 126104, and 126118) allow unauthenticated attackers to obtain a user’s API key, and then access external APIs.
Authentication Bypass - CVE-2022-36923
Severity: Critical
CVE ID: CVE-2022-36923
Product name: OpManager, OpManager Plus, OpManager MSP, Network Configuration Manager, NetFlow Analyzer, Firewall Analyzer, OpUtils

| Affected Version(s) | Fixed Version(s) | Fixed On |
|---|---|---|
| Customers with builds between 126113 and 126117 | 126118 | 27-07-2022 |
| Customers with builds between 126100 and 126103 | 126104 | 28-07-2022 |
| Customers with builds 126000 and 126001 | 126002 | |
| Customers with build 125664 | 126002 | |
| Customers with builds between 125450 and 125656 | 125657 | |
Details:
The lack of a proper request-handling mechanism allowed a user's API key to be read without authentication. This has now been fixed.
Impact:
Anyone can retrieve the API key of a valid user without authentication and then use that key to access the external APIs.
Steps to upgrade:
- Kindly download the latest upgrade pack from the following links for the respective products:
  - OpManager: https://www.manageengine.com/network-monitoring/service-packs.html
  - OpManager Plus: https://www.manageengine.com/it-operations-management/service-packs.html
  - OpManager MSP: https://www.manageengine.com/network-monitoring-msp/service-packs.html
  - Network Configuration Manager: https://www.manageengine.com/network-configuration-manager/upgradepack.html
  - NetFlow Analyzer: https://www.manageengine.com/products/netflow/service-packs.html
  - Firewall Analyzer: https://www.manageengine.com/products/firewall/service-packs.html
- Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.
Important steps to follow post product upgrade: it is highly advisable to regenerate the API key for all users once after the upgrade, since a key obtained before the fix remains valid until it is replaced. To regenerate an API key, click the Personalize/Quick settings icon (near the user icon), select the ‘Rest API key’ tab and click the ‘Regenerate Key’ option.
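To decide which installations actually need the upgrade, a practitioner would check each host's build number against the affected ranges above. The following script is an added example, not ManageEngine's own tooling: it encodes only the build ranges and fixed builds from the advisory table, reads a constructed inventory file (the hostnames and builds are made up), and reports which hosts fall in an affected range, which fixed build they should move to, and which builds the advisory simply does not list (those are flagged rather than assumed safe).

```python
"""Triage ManageEngine builds against the CVE-2022-36923 advisory table.

Added example, not part of the advisory. The ranges come from the table in
the advisory; the inventory data and hostnames are constructed for this demo.
"""
import csv
import io
from typing import NamedTuple, Optional


class AffectedRange(NamedTuple):
    low: int    # lowest affected build, inclusive
    high: int   # highest affected build, inclusive
    fixed: int  # build that carries the fix for this range


# Affected build ranges and their fixed builds, taken from the advisory table.
AFFECTED_RANGES = [
    AffectedRange(126113, 126117, 126118),
    AffectedRange(126100, 126103, 126104),
    AffectedRange(126000, 126001, 126002),
    AffectedRange(125664, 125664, 126002),
    AffectedRange(125450, 125656, 125657),
]


def assess_build(build: int) -> tuple[str, Optional[int]]:
    """Classify one build number.

    Returns ("vulnerable", fixed_build) when the build is inside a listed
    affected range, ("fixed", build) when it is exactly one of the fixed
    builds, and ("not listed", None) otherwise. A build outside every range
    is deliberately NOT reported as safe: the advisory says nothing about it,
    so it needs a manual check against the vendor's release notes.
    """
    for r in AFFECTED_RANGES:
        if r.low <= build <= r.high:
            return "vulnerable", r.fixed
    if any(build == r.fixed for r in AFFECTED_RANGES):
        return "fixed", build
    return "not listed", None


# Constructed sample inventory: hostnames, products and builds are made up.
SAMPLE_INVENTORY = """host,product,build
nms-01,OpManager,126115
nms-02,OpManager Plus,126104
nms-03,NetFlow Analyzer,125500
nms-04,Firewall Analyzer,125664
nms-05,OpUtils,126200
"""


def triage(inventory_csv: str) -> list[dict]:
    """Apply assess_build to every row of a host,product,build CSV."""
    report = []
    for rec in csv.DictReader(io.StringIO(inventory_csv)):
        build = int(rec["build"])
        status, fixed = assess_build(build)
        report.append({
            "host": rec["host"],
            "product": rec["product"],
            "build": build,
            "status": status,
            "upgrade_to": fixed,
            # The advisory asks for API keys to be regenerated after upgrading.
            "post_upgrade": "regenerate all user API keys" if status == "vulnerable" else None,
        })
    return report


def hosts_needing_upgrade(inventory_csv: str) -> list[str]:
    """Hostnames whose build is inside an affected range."""
    return [r["host"] for r in triage(inventory_csv) if r["status"] == "vulnerable"]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        target = f" -> upgrade to {row['upgrade_to']}" if row["upgrade_to"] and row["status"] == "vulnerable" else ""
        print(f"{row['host']:8} {row['product']:28} {row['build']}  {row['status']}{target}")
```

The "not listed" outcome matters as much as the "vulnerable" one: builds such as those between 125657 and 125663, or newer than the fixed builds, do not appear in the advisory, and the script refuses to guess about them. Swap `SAMPLE_INVENTORY` for a real export from your asset inventory to run this across a fleet.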
Source and Acknowledgements
This vulnerability was reported by an anonymous researcher working with Trend Micro Zero Day Initiative. Find out more about CVE-2022-36923 from the CVE dictionary.
Kindly contact the respective product support teams for further details at the below mentioned email addresses:
- OpManager: [email protected]
- OpManager Plus: [email protected]
- OpManager MSP: [email protected]
- Network Configuration Manager: [email protected]
- NetFlow Analyzer: [email protected]
- Firewall Analyzer: [email protected]
- OpUtils: [email protected]