Vulnerabilities in OpManager 12.0

VULNERABILITY DETAILS (found in build 12000)

Vulnerability 1:

Unrestricted File Upload: 

OpManager fails to validate, or improperly validates, files before they are uploaded to the system. As a result, an attacker might be able to upload an arbitrary JSP file and execute it by directly accessing the uploaded file.
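
A server-side upload check that closes this class of bug, as an added example (not OpManager code and not part of the vendor patch). The allow-list, the magic-byte table, the storage directory and the function name are assumptions made for illustration.

```python
import os
import secrets
from pathlib import PureWindowsPath

# Assumed policy: the advisory does not say which file types the product accepts.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".csv"}
# Leading bytes expected for the binary types on the allow-list.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff"}
# Hypothetical directory outside the web root: nothing stored here is served
# directly or handed to the JSP engine.
UPLOAD_DIR = "D:\\opmanager-uploads"
# Characters that are not valid in a Windows file name (separators handled below).
FORBIDDEN_CHARS = set('\x00:*?"<>|')


class UploadRejected(ValueError):
    """Raised when an upload does not meet the policy."""


def store_path_for_upload(client_filename: str, content: bytes) -> str:
    """Validate an upload and return the server-chosen path to store it at."""
    # Keep only the last path component, whichever separator the client used.
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if FORBIDDEN_CHARS & set(name):
        raise UploadRejected("invalid character in file name")

    # Allow-list on the final extension, compared case-insensitively.
    stem, ext = os.path.splitext(name.lower())
    if not stem or ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected("file type not allowed")

    # The content has to match the type the extension claims.
    magic = MAGIC.get(ext)
    if magic is not None and not content.startswith(magic):
        raise UploadRejected("content does not match extension")

    # The client-supplied name never reaches the file system: the stored name
    # is random and carries only the allow-listed extension.
    stored_name = secrets.token_hex(16) + ext
    return str(PureWindowsPath(UPLOAD_DIR) / stored_name)
```

The returned path is where the application would write the bytes; downloads should then be streamed by application code rather than served from a web-accessible directory.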

Vulnerability 2:

Cross-Site Scripting:
 
OpManager suffers from a stored XSS vulnerability. Input passed through the "post" parameter in group chat is not sanitized, allowing an attacker to execute HTML code in the user's browser session.

Vulnerability 3:

Cross-Site Request Forgery:

The vulnerability exists because OpManager fails to implement an anti-CSRF token when performing certain actions. The Cross-Site Request Forgery vulnerability enables an unprivileged attacker to add or delete OpManager’s administrator accounts.

You can find full details of these vulnerabilities in the attached PDF.

Fix:

Steps to apply the 12200 Issues Fixed Update Patch on a 12200 Windows installation:

1. Download the 12200FixesPatch.zip file from the URL below and save it under /OpManager.
2. Stop the OpManager service.
3. Rename the old /OpManager/12200FixesUpdate folder, if it exists.
4. Rename the old /OpManager/logs folder and create a new /OpManager/logs folder.
5. Extract the downloaded 12200FixesPatch.zip directly under the /OpManager directory using 'Extract Here' and make sure the subfolder /OpManager/12200FixesUpdate exists.
6. Download the batch file 12200IssuesUpdt_Dec22.bat, save it under /OpManager, and execute it.
7. Start the OpManager service, clear the browser cookies, and try again.