[Security advisory] Important fix released for ITSM products

Hey there!

 

A critical security vulnerability was reported in ServiceDesk Plus, ServiceDesk Plus MSP, AssetExplorer, and SupportCenter Plus in late October, and was addressed on October 27th, 2022.

 

We communicated the security advisory and the need to upgrade to all customers on October 31st, 2022, and followed it up with a reminder on November 21st, 2022. This is a public post addressing the same issue.

 

Issue description:

 

By sending a specially crafted malformed request under specific circumstances, a remote attacker could achieve unauthenticated remote code execution because the affected server uses a vulnerable third-party library. The library has now been updated to a safer version.

 

Version details:

 

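| Product Name | Affected Version(s) | Fixed Version(s) | Fixed On |
|---|---|---|---|
| ServiceDesk Plus | 14000 series | 14004 and above | 27th October, 2022 |
| ServiceDesk Plus | 13000 series | 13012 | 27th October, 2022 |
| ServiceDesk Plus | 12000 series | 12009 | 27th October, 2022 |
| ServiceDesk Plus | 11300 series | 11315 | 27th October, 2022 |
| ServiceDesk Plus MSP | 13000 series | 13001 | 27th October, 2022 |
| ServiceDesk Plus MSP | 10600 series | 10610 | 27th October, 2022 |
| ServiceDesk Plus MSP | 10500 series | 10538 | 27th October, 2022 |
| AssetExplorer | 6970 series | 6983 and above | 27th October, 2022 |
| AssetExplorer | 6950 series | 6958 | 27th October, 2022 |
| AssetExplorer | 6900 series | 6911 | 27th October, 2022 |
| SupportCenter Plus | 11000 series | 11026 | 28th October, 2022 |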

 

This advisory is applicable only if you had configured SAML-based SSO at least once in the past, regardless of your current SAML-based SSO status.

 

If you're using ManageEngine's unified agent from EndPoint Central for asset discovery, we recommend that you upgrade to the latest version of EndPoint Central 10.1.2220.18.

 

You can upgrade the applications using the relevant links below:

Severity:

ManageEngine rates the severity level of this vulnerability as Critical.

 

What should the customer do?

 

ManageEngine recommends that you upgrade ServiceDesk Plus, ServiceDesk Plus MSP, AssetExplorer, and SupportCenter Plus to the latest version immediately.

  1. Download the latest upgrade pack from the following links for the respective products:

  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

 

If you have any questions, please contact our product support at support@servicedeskplus.com.

 

Regards,

ManageEngine ITSM


