How to identify and mitigate the unauthenticated product integration vulnerability

Some versions of ADSelfService Plus have the unauthenticated change to integration system vulnerability. This article explains how you can identify if your ADSelfService Plus installation is affected, and fix it. It also offers the mitigation steps to protect your installation in case it is not affected.

What is the issue?

ADSelfService Plus had a vulnerable endpoint which allowed a user to integrate ADSelfService Plus with any other supported ManageEngine product, bypassing authentication. This could lead to data leak.

Which version of ADSelfService Plus is affected?

All ADSelfService Plus builds below 5817 are affected.

What is the severity level of the vulnerability?

This is a critical issue. As this vulnerability could be exploited without authentication, from any publicly exposed ADSelfService Plus installation, the risks posed could be critical.

How do I fix this issue?

• Refer to this forum post and follow the steps mentioned in it based on your build to fix this issue.

What should I do to protect ADSelfService Plus if, for some reason, I can't update?

We recommend that you follow the steps mentioned in this forum post. If, for any reason, you cannot do that, perform the following mitigation steps.

1. Stop ADSelfService Plus.
2. Remove or comment the following content from the file web.xml in the path \webapps\adssp\WEB-INF\web.xml.
   <!-- servlet-mapping>
   <servlet-name>UpdateProductDetails</servlet-name>
   <url-pattern>/servlet/UpdateProductDetails</url-pattern>
   </servlet-mapping>
   
   <servlet-mapping>
   <servlet-name>HSKeyAuthenticator</servlet-name>
   <url-pattern>/servlet/HSKeyAuthenticator</url-pattern>
   </servlet-mapping>
   
   <servlet>
   <servlet-name>HSKeyAuthenticator</servlet-name>
   <servlet-class>com.manageengine.ads.fw.servlet.HSKeyAuthenticator</servlet-class>
   </servlet>
   
   <servlet>
   <servlet-name>UpdateProductDetails</servlet-name>
   <servlet-class>com.manageengine.ads.fw.servlet.UpdateProductDetails</servlet-class>
   </servlet>-->

   Note: Deleting or commenting these will disable the data synchronization and flow of data with the integrated products.

3. Restart ADSelfService Plus.

If you need further information, have any questions, or face any difficulties upgrading or performing the recommended steps, please get in touch with us at support@adselfserviceplus.com, or 1-888-720-9500 (toll free).