Security warning received
Hi,
We received a warning of a vulnerability with SD+ 9328 and earlier. Is this genuine and should we seek to upgrade immediately? Note, email content below:
Hi,
This is a security advisory for ServiceDesk Plus customers using versions 9328 or earlier. You are advised to upgrade to the latest version 9400 to fix the security vulnerability described below.
Issue & Description: ServiceDesk Plus had a vulnerability through which it was possible to upload files using an unauthenticated servlet. This was identified and disclosed by Digital Defense, provider of security risk assessment solutions. Please refer to the public disclosure in www.digitaldefense.com published on January 30th, 2018 for details.
Severity: Very High
Affects: ServiceDesk Plus customers using versions 9328 or earlier
Background: Digital Defense responsibly disclosed the vulnerability to ManageEngine in November, 2017. As part of our vulnerability handling and security response mechanism, our security and development teams got in touch with them and gathered information. We accorded the highest priority and fixed the issue in the ServiceDesk Plus upgrade pack 9333, released on January 2nd, 2018.
Next Steps: Download the upgrade pack and immediately upgrade to the latest version 9400. Please read the upgrade instructions carefully before the upgrade. For any assistance write to support@servicedeskplus.com or call our toll free number +1 888 720 9500.
Important Note: As always, make a copy of the entire ServiceDesk Plus installation folder before applying the upgrade pack and keep the copy in some other location. If something goes wrong with the ServiceDesk Plus upgrade, you can rely on the copy. All your settings will remain intact. Additionally, if you are using MS SQL server as back-end database, make a backup of the ServiceDesk Plus database before applying the upgrade pack. Once the upgrade is successful in all respects, remember to delete the backup.
We earnestly apologize for the inconvenience caused.
Thanks,
Umasankar
(ManageEngine ServiceDesk Plus)