The security advisory addresses an authentication bypass vulnerability identified in the product, ManageEngine Access Manager Plus versions up to 4202(CVE-2021-44676). Given the severity of this vulnerability, we strongly urge all customers using Access Manager Plus (all editions) with versions up to 4202 to upgrade to the latest version immediately.
CVE-2021-44676 affects customers of the all editions of ManageEngine Access Manager Plus, and can allow adversaries to gain unauthorized access to the application and invoke actions, through a few specific application URLs.
An adversary can exploit this vulnerability by manipulating the request URLs that allow them to perform administrative actions in the product. Major actions include:
Getting access control details
Terminating auto-logon sessions
This vulnerability does not expose any of the privileged account information, credentials and passwords stored in the product.
What led to the vulnerability?
One of the application filters used for handling state in the list view was not configured properly, and a crafted URL using this filter would enable an authenticated servlet to be accessed without proper authentication. APIs and other URL calls are not affected.
Who is affected?
This vulnerability affects ManageEngine Access Manager Plus customers using versions up to 4202 in all editions.
How have we fixed it?
We have added additional checks to ensure the filters are properly configured to avoid the authentication bypass vulnerability.
How to find if your current version is vulnerable?
Click the My Profile icon in the top-right corner of the Access Manager Plus web client, and select About from the drop-down to see your current version. If your current version (all editions) is 4202 and below, your installation is vulnerable.
Please follow this forum post for any further updates regarding this vulnerability.
What customers should do
The Access Manager Plus build 4203, released on 04/12/2021, holds the recommended mitigation targeting the vulnerability. We recommend users in build 4202 or earlier upgrade to Access Manager Plus build 4203.
You can download the latest upgrade pack here.
Important note: We strongly recommend you take a backup of your entire Access Manager Plus installation folder before the upgrade, and keep the copy in a separate location. This helps you prevent any accidental loss of data, and will keep all your settings intact. If you're using an MS SQL server as the back-end database, back up the Access Manager Plus database as well before upgrading.Once the upgrade is successfully completed, remember to delete the backup.
We express our sincerest apologies for any inconvenience this might have caused. If you have any questions or concerns, please reach out to us at firstname.lastname@example.org.