ManageEngine PAM360, Password Manager Pro, and Access Manager Plus remote code execution vulnerability


Severity : Critical

CVE ID : CVE-2022-35405

This document describes the remote code execution vulnerability identified in the following ManageEngine products:

  1. Unauthenticated remote code execution in ManageEngine Password Manager Pro and PAM360.
  2. Authenticated remote code execution in ManageEngine Access Manager Plus.

The complete fix is available in the following versions:

Product                Affected Version(s)   Fixed Version(s)   Fixed On
Access Manager Plus    4302 and below        4303               24-06-2022
Password Manager Pro   12100 and below       12101              24-06-2022
PAM360                 5500 and below        5510               23-06-2022

Impact :
This vulnerability allows a remote attacker to execute arbitrary code on affected installations of Password Manager Pro, PAM360 and Access Manager Plus. No authentication is required to exploit it in Password Manager Pro and PAM360; in Access Manager Plus the attacker must first be authenticated.

We have fixed this vulnerability in the builds listed above.

Caution :
A proof-of-concept exploit for this vulnerability is publicly available. We strongly recommend that customers upgrade all instances of Password Manager Pro, PAM360 and Access Manager Plus immediately.

How to find out if your current installation is impacted?

To check whether your installation has been targeted or compromised, take the following steps:

  1. Navigate to <PMP/PAM360/AMP_Installation_Directory>/logs
  2. Open the access_log_<Date>.txt file
  3. Search for the keyword /xmlrpc POST in the file. If it is not found, no exploitation attempt has been logged (an installation on an affected build is still vulnerable until it is upgraded). If it is present, proceed to the next step.
  4. Search the log files for the following line. If it is present, treat the installation as compromised:
    [/xmlrpc-<RandomNumbers>_###_https-jsse-nio2-<YourInstallationPort>-exec-<RandomNumber>] ERROR org.apache.xmlrpc.server.XmlRpcErrorLogger - InvocationTargetException: java.lang.reflect.InvocationTargetException
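The following script automates the four-step log check above. It is an added example, not ManageEngine's own tooling: it assumes the <Installation_Directory>/logs layout named in the advisory and matches only the two indicators the advisory gives (a POST to /xmlrpc in the access log, and the XmlRpcErrorLogger InvocationTargetException line), treating the port and thread numbers as wildcards. The sample log lines, the function names and the default port in the sample are constructed for illustration.

```python
"""Triage helper for the CVE-2022-35405 log indicators (added example)."""
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List

# Indicator 1 (advisory step 3): a POST to the /xmlrpc endpoint in access_log.
# Matched in either order so both "/xmlrpc POST" (as the advisory writes it)
# and Tomcat's "POST /xmlrpc HTTP/1.1" form are caught.
XMLRPC_POST_RE = re.compile(r"(/xmlrpc\S*.*\bPOST\b)|(\bPOST\b.*/xmlrpc)")

# Indicator 2 (advisory step 4): the XmlRpcErrorLogger InvocationTargetException
# line. Request number, port and executor thread vary per installation.
COMPROMISE_RE = re.compile(
    r"\[/xmlrpc-\d+_###_https-jsse-nio2-\d+-exec-\d+\] ERROR "
    r"org\.apache\.xmlrpc\.server\.XmlRpcErrorLogger - "
    r"InvocationTargetException: java\.lang\.reflect\.InvocationTargetException"
)


def classify_lines(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return the lines matching each indicator, keyed by indicator name."""
    hits: Dict[str, List[str]] = {"xmlrpc_post": [], "compromise": []}
    for line in lines:
        if COMPROMISE_RE.search(line):
            hits["compromise"].append(line.rstrip("\n"))
        elif XMLRPC_POST_RE.search(line):
            hits["xmlrpc_post"].append(line.rstrip("\n"))
    return hits


def verdict(hits: Dict[str, List[str]]) -> str:
    """Map indicator hits to the advisory's outcomes."""
    if hits["compromise"]:
        return "COMPROMISED: isolate the host and collect all application logs"
    if hits["xmlrpc_post"]:
        return "XML-RPC POST seen: review the request(s) and upgrade immediately"
    return "no XML-RPC POST logged; upgrade regardless if on an affected build"


def scan_install_dir(install_dir: str) -> Dict[str, List[str]]:
    """Scan every .txt log under <install_dir>/logs and merge the hits."""
    log_dir = Path(install_dir) / "logs"
    merged: Dict[str, List[str]] = {"xmlrpc_post": [], "compromise": []}
    for path in sorted(log_dir.glob("*.txt")):
        with path.open(encoding="utf-8", errors="replace") as fh:
            for key, lines in classify_lines(fh).items():
                merged[key].extend(f"{path.name}: {l}" for l in lines)
    return merged


# Constructed sample log lines (not real product output) covering each outcome.
SAMPLE_CLEAN = [
    '10.0.0.5 - - [24/Jun/2022:10:01:02 +0000] "GET /PassTrixMain.cc HTTP/1.1" 200 5120',
    '10.0.0.5 - - [24/Jun/2022:10:01:05 +0000] "POST /j_security_check HTTP/1.1" 302 0',
]
SAMPLE_ATTEMPT = SAMPLE_CLEAN + [
    "203.0.113.9 - - [24/Jun/2022:11:20:44 +0000] /xmlrpc POST 200 312",
]
SAMPLE_COMPROMISED = SAMPLE_ATTEMPT + [
    "[/xmlrpc-1234567_###_https-jsse-nio2-7272-exec-3] ERROR "
    "org.apache.xmlrpc.server.XmlRpcErrorLogger - "
    "InvocationTargetException: java.lang.reflect.InvocationTargetException",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python triage.py <PMP/PAM360/AMP_Installation_Directory>
        print(verdict(scan_install_dir(sys.argv[1])))
    else:
        for name, sample in (("clean", SAMPLE_CLEAN), ("attempt", SAMPLE_ATTEMPT),
                             ("compromised", SAMPLE_COMPROMISED)):
            print(f"{name}: {verdict(classify_lines(sample))}")
```

Run it with the installation directory as the only argument; with no argument it exercises the constructed samples. A clean result only means nothing was logged: if logs have been rotated or deleted it proves nothing, and an unpatched build remains exploitable either way.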

What you should do if your machine has been compromised

  1. Disconnect and isolate the compromised machine.
  2. Create a zip file containing all the application logs, and send them to us at the product support email addresses mentioned below.

Steps to Upgrade:

  1. Download the latest upgrade pack from the following links for the respective product:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Acknowledgements:

Reported by Vinicius.

For further details, contact product support at the email addresses below:

Password Manager Pro: passwordmanagerpro-support@manageengine.com

Access Manager Plus: accessmanagerplus-support@manageengine.com

PAM360: pam360-support@manageengine.com
