Security Update - Fix available for a privilege escalation vulnerability

Hello all!

This notification is in regard to an elevation of privilege vulnerability (CVE-2022-23863) that was recently identified and fixed in Desktop Central and Desktop Central MSP. Please find the details and mitigation steps below.

Vulnerability details:

A privilege escalation vulnerability may allow an authenticated user to change the password of a more privileged account (CVE-2022-23863).

Mitigation details:

The fix for this vulnerability was released on January 25, 2022, in build 10.1.2137.10. Follow the steps below to mitigate this vulnerability:

If you are on build 10.1.2137.9:

If you just upgraded to build 10.1.2137.9, which was released on January 17, 2022, we understand that performing another build upgrade might be tedious for you. Hence, we have generated a quick fix so that you can avoid consecutive PPM upgrades. This quick fix is a QPM upgrade, which is quicker and easier than a PPM upgrade. However, the quick fix is optional; you can also upgrade directly to the latest version using PPM. Whether you choose a QPM upgrade or a PPM upgrade, you will move to the latest version of Desktop Central/Desktop Central MSP. Check out the necessary documents at the bottom of this post.

Quick fix for Desktop Central 10.1.2137.9: Download
Quick fix for Desktop Central MSP 10.1.2137.9: Download

Note: If you are not on build 10.1.2137.9, this quick fix will not work for you.

For other builds:

Please upgrade to the latest version using PPM, as normally done, to mitigate this vulnerability. You can download the latest build from the service pack pages or visit the KB documents below.

Documents to refer to:

Desktop Central - KB document (with FAQs)
Desktop Central MSP - KB document (with FAQs)

Rest assured that we continuously strive to take appropriate security measures and adapt to relevant security controls in our products. If you need any further assistance, our support team is always ready to help. Please reach out to us at:

Regards,
The ManageEngine Team.
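
The build-dependent steps above can be applied across several servers with a short triage script. This is an added example, not part of the original post or ManageEngine's tooling: the host names, the inventory format and the function names are hypothetical, and it assumes that builds later than 10.1.2137.10 retain the fix. Build components are compared as numbers because a plain string comparison sorts ".10" before ".9".

```python
# Added example: triage a constructed inventory against the advisory's build numbers.
FIXED_BUILD = "10.1.2137.10"      # from the advisory: build carrying the fix
QUICK_FIX_BUILD = "10.1.2137.9"   # from the advisory: only build the QPM quick fix applies to


def parse_build(build):
    """Turn '10.1.2137.9' into (10, 1, 2137, 9) so components compare numerically."""
    parts = build.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised build string: {build!r}")
    return tuple(int(p) for p in parts)


def remediation(build):
    """Map an installed build to the action the advisory gives for it."""
    current = parse_build(build)
    if current >= parse_build(FIXED_BUILD):
        # Assumption: builds after the fixed one retain the fix.
        return "fixed"
    if current == parse_build(QUICK_FIX_BUILD):
        return "qpm-or-ppm"   # quick fix is optional; a PPM upgrade also works
    return "ppm"              # the quick fix will not work on any other build


def triage(inventory):
    """inventory: {host: build string}. Returns {host: action}; bad strings are flagged."""
    result = {}
    for host, build in inventory.items():
        try:
            result[host] = remediation(build)
        except ValueError:
            result[host] = "check-manually"
    return result


# Constructed sample inventory (host names and the older/unknown builds are made up).
SAMPLE = {
    "dc-server-01": "10.1.2137.9",
    "dc-server-02": "10.1.2137.10",
    "msp-server-01": "10.1.2100.1",
    "msp-server-02": "unknown",
}

if __name__ == "__main__":
    for host, action in triage(SAMPLE).items():
        print(f"{host}: {action}")
    # A plain string comparison gets this wrong: ".10" sorts before ".9".
    print("string compare says fixed < quick-fix build:", FIXED_BUILD < QUICK_FIX_BUILD)
```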