ManageEngine PAM360, Password Manager Pro, and Access Manager Plus remote code execution vulnerability

Severity : Critical

CVE ID : CVE-2022-35405

This document explains the remote code execution vulnerability identified in the following ManageEngine products,

Unauthenticated remote code execution in ManageEngine Password Manager Pro and PAM360.
Authenticated remote code execution in ManageEngine Access Manager Plus.

The complete fix for this is now available in the below versions,

Product Name	Affected Version(s)	Fixed Version(s)	Fixed On
Access Manager Plus	4302 and below	4303	24-06-2022
Password Manager Pro	12100 and below	12101	24-06-2022
PAM360	5500 and below	5510	23-06-2022

Impact :
This remote code execution vulnerability could allow remote attackers to execute arbitrary code on affected installations of Password Manager Pro, PAM360 and Access Manager Plus. Authentication is not required to exploit this vulnerability in Password Manager Pro and PAM360 products.

We have fixed this vulnerability,

By completely removing the vulnerable components from PAM360 and Access Manager Plus.
By removing the vulnerable parser from Password Manager Pro.

Caution :
The exploit POC for the above vulnerability is available in public. We strongly recommend our customers to upgrade the instances of Password Manager Pro, PAM360 and Access Manager Plus immediately.

How to find out if your current installation is impacted?

To verify if your installation is affected, please take the following steps:

Navigate to <PMP/PAM360/AMP_Installation_Directory>/logs
Open the access_log_<Date>.txt file
Search for the keyword /xmlrpc POST in the text file. If this keyword is not found, your environment is not affected. If it is present, then proceed to the next step.
Search for the following line in the logs files. If it is present, then your installation is compromised:
[/xmlrpc-<RandomNumbers>_###_https-jsse-nio2-<YourInstallationPort>-exec-<RandomNumber>] ERROR org.apache.xmlrpc.server.XmlRpcErrorLogger - InvocationTargetException: java.lang.reflect.InvocationTargetException

What you should do if your machine has been compromised

Disconnect and isolate the compromised machine.
Create a zip file containing all the application logs, and send them to us at the product support email addresses mentioned below.

Steps to Upgrade:

Download the latest upgrade pack from the following links for the respective product:
- PAM360 - https://www.manageengine.com/privileged-access-management/upgradepack.html
- Password Manager Pro - https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html
- Access Manager Plus - https://www.manageengine.com/privileged-session-management/upgradepack.html
Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Acknowledgements:

Reported by Vinicius.

Please contact the product support for further details at the below mentioned email addresses:

Password Manager Pro: passwordmanagerpro-support@manageengine.com

Access Manager Plus: accessmanagerplus-support@manageengine.com

PAM360: pam360-support@manageengine.com