ManageEngine security advisory—Important security fix released for ManageEngine PAM360
This is to let you know that a critical security vulnerability issue was detected in ManageEngine PAM360, and it has now been fixed.
CVE-2022-29081 affects customers of ManageEngine PAM360 using version 4001 to 5400. An adversary can exploit this vulnerability to bypass security checks in specific RESTAPI URLs and gain unauthorized access to the application.
This vulnerability allows an adversary to invoke the following operations in PAM360:
- Restart the service
- Access dashboard details
- Apply a product license and get existing license details
- Create new server certificates
- Create/download server CSR, and apply server certificates
- Fetch event logs, and set up synchronization schedules
In addition to the aforementioned actions, the vulnerability also allows adversaries to terminate active RDP sessions, launched via ManageEngine ServiceDesk Plus, on PAM360.
Please note: This vulnerability does not expose any of the privileged account information, credentials and passwords stored in the password vault of the product.
What should the customers do?
The latest version of PAM360 holds the recommended mitigation targeting the vulnerability. We recommend users to upgrade to the latest build of PAM360, which can be downloaded here
Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above link.
Important note: We strongly recommend you take a backup of your entire PAM360, installation folder before the upgrade, and keep the copy in a separate location. This helps you prevent any accidental loss of data, and will keep all your settings intact. If you're using an MS SQL server as the back-end database, backup the PAM360 database as well before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
If you have any questions or concerns, please contact the product support for further details at firstname.lastname@example.org.
We express our sincerest apologies for any inconvenience this might have caused.