This is to let you know that a critical security vulnerability was detected in ManageEngine Access Manager Plus, and it has now been fixed.
What is the issue?
CVE-2022-29081 affects customers of ManageEngine Access Manager Plus running builds 4000 through 4301. An adversary can exploit this vulnerability to bypass security checks on specific REST API URLs and gain unauthorized access to the application.
This vulnerability allows an adversary to invoke the following operations in Access Manager Plus without authorization:
- Restart the service
- Access dashboard details
- Apply a product license and get existing license details
- Create new server certificates
- Create and download a server CSR, and apply server certificates
- Fetch event logs, and set up synchronization schedules
Please note: This vulnerability does not expose any of the privileged account information, credentials, or passwords stored in the product's password vault.
What should the customers do?
The latest build of Access Manager Plus contains the fix for this vulnerability. We recommend that users upgrade to the latest build of Access Manager Plus, which can be downloaded here.
Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above link.
Important note: We strongly recommend that you take a backup of your entire Access Manager Plus installation folder before the upgrade, and keep the copy in a separate location. This prevents any accidental loss of data and keeps all your settings intact. If you're using an MS SQL server as the back-end database, back up the Access Manager Plus database as well before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
We express our sincerest apologies for any inconvenience this might have caused.
ManageEngine Access Manager Plus