How to fix the unauthenticated product integration vulnerability

How to fix the unauthenticated product integration vulnerability


Hello Everyone,

We wanted to let you know that a security vulnerability was detected in ADSelfService Plus and we have fixed it. This article explains how you can fix this issue.

What is the issue?
ADSelfService Plus had a vulnerable endpoint which allowed a user to integrate ADSelfService Plus with any other supported ManageEngine product, bypassing authentication.

Which version of ADSelfService Plus is affected?
All ADSelfService Plus builds below 5817 are affected.

What is the severity level of the vulnerability?
This is a critical issue. As this vulnerability could be exploited without authentication, from any publicly exposed ADSelfService Plus installation, the risks posed could be critical.

How do I fix this issue?

For build 5816:
  1. Shutdown ADSelfService Plus.
  2. Download the ManageEngineADSFrameworkJava ZIP file from this location. You will find a ManageEngineADSFrameworkJava.jar file when you extract the ZIP file.
  3. Go to <installation_dir>/lib (by default: C:\ManageEngine\ADSelfService Plus\lib) and replace the ManageEngineADSFrameworkJava.jar file with the JAR file downloaded in the above step.
  4. Start ADSelfService Plus.
For build 5815:
  1. Shutdown ADSelfService Plus.
  2. Download the ManageEngineADSFrameworkJava ZIP file from this location. You will find a ManageEngineADSFrameworkJava.jar file when you extract the ZIP file.
  3. Go to <installation_dir>/lib (by default: C:\ManageEngine\ADSelfService Plus\lib) and replace the ManageEngineADSFrameworkJava.jar file with the JAR file downloaded in the above step.
  4. Start ADSelfService Plus.
For build 5814 and lower:
  1. Shutdown ADSelfService Plus.
  2. Update ADSelfService Plus to 5815, using the service pack.
  3. Download the ManageEngineADSFrameworkJava.jar file from this location.
  4. Go to <installation_dir>/lib (by default: C:\ManageEngine\ADSelfService Plus\lib) and replace the ManageEngineADSFrameworkJava.jar file with the JAR file downloaded in the above step.
  5. Start ADSelfService Plus.

If you need further information, have any questions, or face any difficulties performing the recommended steps, please get in touch with us at support@adselfserviceplus.com, or 1-888-720-9500 (toll free)