Security advisory for remote code execution vulnerability in multiple ManageEngine products

Severity: Critical

CVE ID: CVE-2022-47966

Details:
This advisory addresses an unauthenticated remote code execution vulnerability that was reported and patched in the on-premises ManageEngine products listed below. The root cause is the use of an outdated third-party dependency, Apache Santuario.
ManageEngine On-Demand/cloud products are not affected by this vulnerability.

Applicability:
This advisory applies only when SAML SSO is, or has ever been, enabled in the ManageEngine setup (see the per-product footnotes below).

| Product Name | Impacted Version(s) | Fixed Version(s) | Released On (DD/MM/YYYY) |
|---|---|---|---|
| Access Manager Plus* | 4307 and below | 4308 | 7/11/2022 |
| Active Directory 360** | 4309 and below | 4310 | 28/10/2022 |
| ADAudit Plus** | 7080 and below | 7081 | 28/10/2022 |
| ADManager Plus** | 7161 and below | 7162 | 28/10/2022 |
| ADSelfService Plus** | 6210 and below | 6211 | 28/10/2022 |
| Analytics Plus* | 5140 and below | 5150 | 7/11/2022 |
| Application Control Plus* | 10.1.2220.17 and below | 10.1.2220.18 | 28/10/2022 |
| Asset Explorer** | 6982 and below | 6983 | 27/10/2022 |
| Browser Security Plus* | 11.1.2238.5 and below | 11.1.2238.6 | 28/10/2022 |
| Device Control Plus* | 10.1.2220.17 and below | 10.1.2220.18 | 28/10/2022 |
| Endpoint Central* | 10.1.2228.10 and below | 10.1.2228.11 | 28/10/2022 |
| Endpoint Central MSP* | 10.1.2228.10 and below | 10.1.2228.11 | 28/10/2022 |
| Endpoint DLP* | 10.1.2137.5 and below | 10.1.2137.6 | 28/10/2022 |
| Key Manager Plus* | 6400 and below | 6401 | 27/10/2022 |
| OS Deployer* | 1.1.2243.0 and below | 1.1.2243.1 | 28/10/2022 |
| PAM 360* | 5712 and below | 5713 | 7/11/2022 |
| Password Manager Pro* | 12123 and below | 12124 | 7/11/2022 |
| Patch Manager Plus* | 10.1.2220.17 and below | 10.1.2220.18 | 28/10/2022 |
| Remote Access Plus* | 10.1.2228.10 and below | 10.1.2228.11 | 28/10/2022 |
| Remote Monitoring and Management (RMM)* | 10.1.40 and below | 10.1.41 | 29/10/2022 |
| ServiceDesk Plus** | 14003 and below | 14004 | 27/10/2022 |
| ServiceDesk Plus MSP** | 13000 and below | 13001 | 27/10/2022 |
| SupportCenter Plus** | 11017 to 11025 | 11026 | 28/10/2022 |
| Vulnerability Manager Plus* | 10.1.2220.17 and below | 10.1.2220.18 | 28/10/2022 |

* - Applicable only if SAML-based SSO has been configured and is currently active.

** - Applicable only if SAML-based SSO has been configured at least once in the past, regardless of whether it is currently active.
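The table and footnotes above combine two checks that are easy to get wrong during triage: a numeric build comparison (dotted builds such as 10.1.2220.17 must not be compared as strings, and SupportCenter Plus has a bounded range rather than "and below") and a product-specific SAML condition (currently active for `*` products, ever configured for `**` products). The following Python script is an added example, not ManageEngine's own tooling; it transcribes the advisory table into data and applies both checks to an installed build. The product names, build strings and SAML flags you pass in are assumed to come from your own inventory.

```python
"""Triage helper for CVE-2022-47966 (added example; not ManageEngine code).

For a product name, its installed build and its SAML SSO history, decide
whether the install is inside the impacted range from the advisory table
and whether the product's SAML applicability footnote is met.
"""
import re
from typing import NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    low: Optional[str]   # inclusive lower bound; None means "and below"
    high: str            # inclusive upper bound (last impacted build)
    fixed: str           # first fixed build
    saml_rule: str       # "active" for * products, "ever" for ** products


# Transcribed from the advisory table above.
ADVISORY = {
    "Access Manager Plus": Entry(None, "4307", "4308", "active"),
    "Active Directory 360": Entry(None, "4309", "4310", "ever"),
    "ADAudit Plus": Entry(None, "7080", "7081", "ever"),
    "ADManager Plus": Entry(None, "7161", "7162", "ever"),
    "ADSelfService Plus": Entry(None, "6210", "6211", "ever"),
    "Analytics Plus": Entry(None, "5140", "5150", "active"),
    "Application Control Plus": Entry(None, "10.1.2220.17", "10.1.2220.18", "active"),
    "Asset Explorer": Entry(None, "6982", "6983", "ever"),
    "Browser Security Plus": Entry(None, "11.1.2238.5", "11.1.2238.6", "active"),
    "Device Control Plus": Entry(None, "10.1.2220.17", "10.1.2220.18", "active"),
    "Endpoint Central": Entry(None, "10.1.2228.10", "10.1.2228.11", "active"),
    "Endpoint Central MSP": Entry(None, "10.1.2228.10", "10.1.2228.11", "active"),
    "Endpoint DLP": Entry(None, "10.1.2137.5", "10.1.2137.6", "active"),
    "Key Manager Plus": Entry(None, "6400", "6401", "active"),
    "OS Deployer": Entry(None, "1.1.2243.0", "1.1.2243.1", "active"),
    "PAM 360": Entry(None, "5712", "5713", "active"),
    "Password Manager Pro": Entry(None, "12123", "12124", "active"),
    "Patch Manager Plus": Entry(None, "10.1.2220.17", "10.1.2220.18", "active"),
    "Remote Access Plus": Entry(None, "10.1.2228.10", "10.1.2228.11", "active"),
    "Remote Monitoring and Management (RMM)": Entry(None, "10.1.40", "10.1.41", "active"),
    "ServiceDesk Plus": Entry(None, "14003", "14004", "ever"),
    "ServiceDesk Plus MSP": Entry(None, "13000", "13001", "ever"),
    "SupportCenter Plus": Entry("11017", "11025", "11026", "ever"),
    "Vulnerability Manager Plus": Entry(None, "10.1.2220.17", "10.1.2220.18", "active"),
}


def parse_build(build: str) -> Tuple[int, ...]:
    """'10.1.2220.17' -> (10, 1, 2220, 17); '4307' -> (4307,). Numeric, not lexicographic."""
    if not re.fullmatch(r"\d+(\.\d+)*", build):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(part) for part in build.split("."))


def in_impacted_range(product: str, build: str) -> bool:
    """True if the build lies inside the advisory's impacted range for the product."""
    entry = ADVISORY[product]
    installed, high = parse_build(build), parse_build(entry.high)
    if len(installed) != len(high):
        # A dotted version handed to an integer-build product (or vice versa)
        # is almost certainly an inventory error; refuse rather than guess.
        raise ValueError(f"{product}: build {build!r} does not match scheme of {entry.high!r}")
    if entry.low is not None and installed < parse_build(entry.low):
        return False
    return installed <= high


def assess(product: str, build: str, saml_active: bool, saml_ever_configured: bool) -> str:
    """Return 'fixed', 'outside-impacted-range', 'not-applicable' or 'vulnerable'."""
    entry = ADVISORY[product]
    if parse_build(build) >= parse_build(entry.fixed):
        return "fixed"
    if not in_impacted_range(product, build):
        return "outside-impacted-range"
    # SAML currently active implies it was configured at least once.
    saml_ever_configured = saml_ever_configured or saml_active
    if entry.saml_rule == "active" and not saml_active:
        return "not-applicable"
    if entry.saml_rule == "ever" and not saml_ever_configured:
        return "not-applicable"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory rows: (product, build, saml_active, saml_ever_configured).
    inventory = [
        ("Endpoint Central", "10.1.2228.10", True, True),
        ("ADManager Plus", "7161", False, True),
        ("SupportCenter Plus", "11016", True, True),
    ]
    for row in inventory:
        print(f"{row[0]} {row[1]}: {assess(*row)}")
```

Note that for `**` products a build inside the impacted range is reported as vulnerable even when SAML SSO is currently disabled, matching the footnote; treating "SAML is off now" as safe is the most common triage mistake for this advisory.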

Impact:

This vulnerability allows an unauthenticated adversary to execute arbitrary code on the server when the SAML SSO applicability conditions above are met.

Fix:

This issue has been fixed by updating the third-party module (Apache Santuario) to a recent version in the fixed builds listed above.

Acknowledgements:

This vulnerability was reported by Khoadha of Viettel Cyber Security through our Bug Bounty program.

Please contact our product support or security@manageengine.com if you need any further assistance.