This is a security advisory for Applications Manager customers running build 13610 or older. Applications Manager build 13620 fixes five unauthenticated vulnerabilities (three blind SQL injection flaws, a local file inclusion, and an API key disclosure) that could expose sensitive information or lead to full compromise of the application and, on Windows, of the underlying host.
1. Issue of unauthenticated blind SQL injection:
Vulnerability: Unauthenticated blind SQL injection via /servlet/aam_servercmd (DDI-VRT-2018-11), /servlet/SyncEventServlet (DDI-VRT-2018-12) and /servlet/MenuHandlerServlet (DDI-VRT-2018-14).
Impact: Full compromise of the Applications Manager application, which can be leveraged to execute arbitrary code as SYSTEM when the product runs on Windows, resulting in full host compromise.
2. Issue of sensitive information disclosure
Vulnerability: DDI-VRT-2018-13 - Unauthenticated Local File Inclusion via /servlet/FailOverHelperServlet
Impact: Sensitive information disclosure (an unauthenticated attacker can read files accessible to the Applications Manager process).
3. Issue of API Key disclosure via /servlet/OPMRequestHandlerServlet
Vulnerability: DDI-VRT-2018-15 - Unauthenticated API Key Disclosure via /servlet/OPMRequestHandlerServlet.
Impact: Full compromise of the Applications Manager application, which can be leveraged to execute arbitrary code as SYSTEM when the product runs on Windows, resulting in full host compromise.
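The following triage script is an added example for this advisory, not code from ManageEngine. It checks whether a build number falls in the affected range (13610 or older, assuming build numbers are monotonically increasing integers) and scans web-server access-log lines for requests to the five servlet paths listed above, so an administrator can check for exposure before and after patching. The Common Log Format, the sample log lines, and the parameter names and payloads in them are all constructed for the example; the advisory does not publish the vulnerable parameters or exploit inputs, so the injection and traversal markers are generic heuristics for prioritising hits, not a description of the real attacks.

```python
"""Triage helpers for the Applications Manager advisory above.

Added example, not ManageEngine code. It does two things a responder
would want after reading the advisory:
  1. decide whether a given build number is in the affected range
     (13610 or older), and
  2. scan web-server access-log lines for requests to the servlets the
     advisory names, so exposure can be checked before patching.

The log lines below are constructed for the example; the log format
(Common Log Format) is an assumption, not something the advisory states.
"""
import re
from urllib.parse import urlsplit, unquote

FIXED_BUILD = 13620          # build that ships the fixes
LAST_AFFECTED_BUILD = 13610  # "13610 or older" is affected

# Servlet paths named in the advisory, keyed by their DDI identifier.
ADVISORY_PATHS = {
    "/servlet/aam_servercmd": "DDI-VRT-2018-11 (blind SQLi)",
    "/servlet/SyncEventServlet": "DDI-VRT-2018-12 (blind SQLi)",
    "/servlet/MenuHandlerServlet": "DDI-VRT-2018-14 (blind SQLi)",
    "/servlet/FailOverHelperServlet": "DDI-VRT-2018-13 (LFI)",
    "/servlet/OPMRequestHandlerServlet": "DDI-VRT-2018-15 (API key disclosure)",
}

# Generic indicators of SQL injection probing or path traversal.
# Heuristics for prioritising log hits only; the advisory does not
# publish the actual vulnerable parameters or payloads.
INJECTION_MARKERS = re.compile(
    r"(?i)('|%27|--|;|\bsleep\s*\(|\bwaitfor\b|\bbenchmark\s*\(|\bunion\b|\.\./|%2e%2e)"
)

# Common Log Format: host ident user [time] "METHOD PATH PROTO" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_affected(build):
    """True if an Applications Manager build is in the advisory's range.

    Assumes build numbers are monotonically increasing integers.
    """
    return int(build) <= LAST_AFFECTED_BUILD


def scan_access_log(lines):
    """Return one dict per request that hits an advisory path.

    'suspicious' is set when the decoded query string carries injection
    or traversal markers. Plain hits are still reported because all five
    issues are unauthenticated and a recon probe may carry no payload.
    """
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # unparseable line; skip rather than crash
        parts = urlsplit(m.group("target"))
        path = unquote(parts.path)
        issue = ADVISORY_PATHS.get(path)
        if issue is None:
            continue
        query = unquote(parts.query)
        hits.append({
            "host": m.group("host"),
            "time": m.group("time"),
            "path": path,
            "issue": issue,
            "status": int(m.group("status")),
            "suspicious": bool(INJECTION_MARKERS.search(query)),
        })
    return hits


# Constructed sample log lines (not real traffic); parameter names and
# payloads are made up to exercise the heuristics.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2018:10:01:02 +0000] "GET /index.do HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2018:10:01:09 +0000] "GET /servlet/aam_servercmd?x=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 0',
    '198.51.100.7 - - [12/Mar/2018:10:01:15 +0000] "GET /servlet/FailOverHelperServlet?f=..%2F..%2Fconf%2Fsettings HTTP/1.1" 200 891',
    '10.0.0.9 - - [12/Mar/2018:10:02:00 +0000] "POST /servlet/OPMRequestHandlerServlet HTTP/1.1" 200 64',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    print("build 13610 affected:", is_affected(13610))
    for h in scan_access_log(SAMPLE_LOG):
        flag = "SUSPICIOUS" if h["suspicious"] else "hit"
        print(f"{flag:10} {h['host']:15} {h['path']} -> {h['issue']}")
```

Run it against your real access logs by replacing SAMPLE_LOG with the file's lines; any hit from an address outside your management network on a build that is_affected() reports as vulnerable deserves investigation, and the OPMRequestHandlerServlet hits in particular warrant rotating the API key after patching, since that issue discloses it without any payload.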
If you are using an older version of Applications Manager, download and install the service pack(s) required to upgrade to our latest release. We strongly recommend that you read the upgrade guide carefully before beginning your upgrade (upgrade guide attached). And as always, our support team is here to help you along the way!