Security Vulnerability issues fixed. Upgrade to the latest version of Applications Manager


This is a security advisory for Applications Manager customers using versions older than 13640. Our latest release addresses vulnerabilities that could allow unauthenticated blind SQL injection attacks and unauthenticated remote code execution. Customers using version 13640 and above are already protected against the disclosed vulnerabilities.


Security Vulnerability Issue fixes

  • Unauthenticated SQL Injection Vulnerability issue in the JSON Feed is fixed.
  • CVE-2018-7890: Unauthenticated remote code execution vulnerability issue is fixed.
  • Unauthenticated SQL Injection Vulnerability issue via AMUserResourcesSync Servlet is fixed.
  • SQL Injection Vulnerability issue via the Agent servlet is fixed.


Affected users

Customers using 13630 or older versions


How can you overcome this?

All you have to do is this: if you are using an older version of Applications Manager, download and install the appropriate service pack(s) for our latest release. We strongly recommend that you read our upgrade guide (attached) and follow its instructions for applying the service pack carefully before beginning your upgrade. As always, our support team is here to help you along the way: write to appmanager-support@manageengine.com or call us toll-free at +1-888-720-9500.

 

Important note: Make a copy of the entire Applications Manager installation folder before applying the upgrade and keep the copy in a separate location. If issues occur during the upgrade, you'll have the copy as a backup, keeping your settings intact. If you're using an MS SQL server as the back-end database, back up the database before upgrading.


We apologize for the inconvenience this may have caused.
