Serious two-year old bug bites ManageEngine

By

Unauthenticated attackers can run arbitrary code remotely.

A security researcher has discovered serious vulnerabilities in ManageEngine's Password Manager Pro, PAM360 and Access Manager Plus, which could be exploited to run malicious code remotely without authentication.

Serious two-year old bug bites ManageEngine

Alvaro Muñoz, who works as a security researcher at open source code repository Github, found that the ManageEngine components were vulnerable to a 2020 bug, which allows for unsafe deserialisation of XMLRPC arguments in the Apache OfBiz enterprise resource planning system.

The Open Web Application Security Project (OWASP) explains deserialisation as "taking data structured from some format, and rebuilding it into an object". 

Deserialisation has been the cause of several serious vulnerabilities recently, such as the Log4J logging bug.

Muñoz has published proof-of-concept code for the vulnerability, using the ysoserial tool to generate payloads that exploit unsafe Java object deseralisation.

ManageEngine is enterprise management software that's widely used in almost 200 countries, with nearly 280,000 installations.

The bug does not appear to have been exploited in the wild, and ManageEngine patched the vulnerability in June this year.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
apachegithubjavamanageenginesecurity

Sponsored Whitepapers

Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
Futureproof Your Business with Datacom and AMD: Seamless Windows 11 Transition
See everything. Do more.
See everything. Do more.
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Lindentech Secures Digital Identity with Zero Trust and Microsoft Entra
Diamond IT Delivers GRC Transformation with Microsoft Purview
Diamond IT Delivers GRC Transformation with Microsoft Purview
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks
Linktech Powers Energy Trader’s Essential Eight Compliance in Just Eight Weeks

Events

Most Read Articles

Woolworths' CSO is Optus-bound

Woolworths' CSO is Optus-bound
Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls
Hackers abuse modified Salesforce app to steal data, extort companies

Hackers abuse modified Salesforce app to steal data, extort companies
The Northern Beaches Women's Shelter hones focus on tech-enabled abuse

The Northern Beaches Women's Shelter hones focus on tech-enabled abuse
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?