An unauthenticated remote code execution (RCE) vulnerability (CVE-2021-44077) was identified in ManageEngine ServiceDesk Plus. It affects ServiceDesk Plus (on-premises) customers of all editions using versions 11305 and below. We rate this vulnerability as critical and have observed active exploitation by threat actors. We strongly urge customers to upgrade to ServiceDesk Plus version 11306 or above.
Please note that this vulnerability is not new but was already identified and addressed on September 16, 2021 in versions 11306 and above, and an advisory was published as well.
Use the exploit detection tool to run a quick scan and discover any compromise of your installation. The tool checks for the presence of indicators of compromise associated with CVE-2021-44077 and notifies you if your system is infected.
Download the tool and run it on the ServiceDesk Plus server. It checks for malicious files and for log entries under the following locations:
\ManageEngine\ServiceDesk\logs
\ManageEngine\ServiceDesk\webapps\ROOT\WEB-INF
\ManageEngine\ServiceDesk\bin
Note that ServiceDesk Plus keeps only 50 log files at any given time, so evidence of an older compromise may already have been rotated out of the logs; a clean result from the log check does not prove that the server was never compromised.
As a precautionary measure, move your ServiceDesk Plus installation to a new server by following the steps below.
Take a backup of the database with pg_dump while the database is still running, substituting your database user name, host and port:
pg_dump -U {user-name} -h {server} -p {port} servicedesk > {dumpfilename.sql}
Note: The backup is written to the file named in place of dumpfilename.sql. Keep a copy of this file; it is what you will restore to bring the ServiceDesk Plus data up on the new server.
In addition to the database dump, back up the following directories and files from the existing installation so that they can be restored on the new server:
\ManageEngine\ServiceDesk\fileAttachments
\ManageEngine\ServiceDesk\inlineimages
\ManageEngine\ServiceDesk\LuceneIndex
\ManageEngine\ServiceDesk\conf
\ManageEngine\ServiceDesk\custom
\ManageEngine\ServiceDesk\app_relationships
\ManageEngine\ServiceDesk\integration
\ManageEngine\ServiceDesk\archive
\ManageEngine\ServiceDesk\zreports
\ManageEngine\ServiceDesk\lib\AdventNetLicense.xml
\ManageEngine\ServiceDesk\ZIA\dataset
\ManageEngine\ServiceDesk\ImportResults
Finally, stop the bundled PostgreSQL database (65432 is its default port):
stopdb.bat 65432
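The procedure above as one script, added here as an example and not ManageEngine's own tooling: it runs pg_dump as shown, copies the listed directories and files into a staging folder, and writes a SHA-256 manifest so the copy can be re-verified after it has been transferred to the new server. The database user (postgres), host (localhost), port 65432 (the port passed to stopdb.bat above), the default installation path and the staging folder name are assumptions; pg_dump must be on PATH and the database must still be running when the script is executed.

```python
"""Added example (not ManageEngine's code): stage a ServiceDesk Plus backup for a server move.

Dumps the database with pg_dump as the advisory shows, copies the listed directories and
files into a staging folder and writes a SHA-256 manifest so the copy can be verified
after it has been transferred to the new server.
"""
import hashlib
import shutil
import subprocess
import sys
from pathlib import Path

# Directories and files listed in the advisory, relative to the ServiceDesk home.
BACKUP_ITEMS = [
    "fileAttachments", "inlineimages", "LuceneIndex", "conf", "custom",
    "app_relationships", "integration", "archive", "zreports",
    "lib/AdventNetLicense.xml", "ZIA/dataset", "ImportResults",
]


def pg_dump_command(user, host, port, dumpfile, database="servicedesk"):
    """argv for the advisory's pg_dump call; -f replaces the shell redirection."""
    return ["pg_dump", "-U", user, "-h", host, "-p", str(port), "-f", str(dumpfile), database]


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def stage_backup(sdp_home, dest):
    """Copy BACKUP_ITEMS from sdp_home into dest; return {relative path: sha256}."""
    sdp_home, dest = Path(sdp_home), Path(dest)
    manifest = {}
    for item in BACKUP_ITEMS:
        src = sdp_home / item
        if not src.exists():
            # Not every installation has every item (e.g. ZIA); report it and continue.
            print(f"warning: {src} not found, skipped", file=sys.stderr)
            continue
        target = dest / item
        target.parent.mkdir(parents=True, exist_ok=True)
        if src.is_dir():
            shutil.copytree(src, target, dirs_exist_ok=True)
            files = [p for p in target.rglob("*") if p.is_file()]
        else:
            shutil.copy2(src, target)
            files = [target]
        for p in files:
            manifest[p.relative_to(dest).as_posix()] = sha256_of(p)
    return manifest


def write_manifest(dest, manifest):
    with open(Path(dest) / "MANIFEST.sha256", "w", encoding="utf-8") as f:
        for rel, digest in sorted(manifest.items()):
            f.write(f"{digest}  {rel}\n")


def load_manifest(dest):
    manifest = {}
    for line in (Path(dest) / "MANIFEST.sha256").read_text(encoding="utf-8").splitlines():
        digest, rel = line.split("  ", 1)
        manifest[rel] = digest
    return manifest


def verify_backup(dest, manifest):
    """Re-hash every manifest entry under dest; return the paths that are missing or changed."""
    dest = Path(dest)
    return [rel for rel, digest in manifest.items()
            if not (dest / rel).is_file() or sha256_of(dest / rel) != digest]


if __name__ == "__main__":
    # Assumed defaults: default install path, database user "postgres", bundled DB on port 65432.
    home = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(r"C:\ManageEngine\ServiceDesk")
    dest = Path(sys.argv[2]) if len(sys.argv) > 2 else Path("sdp-backup")
    dest.mkdir(parents=True, exist_ok=True)
    dump = dest / "dumpfilename.sql"
    subprocess.run(pg_dump_command("postgres", "localhost", 65432, dump), check=True)
    if dump.stat().st_size == 0:
        sys.exit("pg_dump wrote an empty file; check the connection parameters")
    manifest = stage_backup(home, dest)
    manifest["dumpfilename.sql"] = sha256_of(dump)
    write_manifest(dest, manifest)
    bad = verify_backup(dest, manifest)
    print(f"staged {len(manifest)} files into {dest}; " + ("verification ok" if not bad else f"mismatches: {bad}"))
```

Run it before stopdb.bat, since pg_dump needs the database up. After copying the staging folder to the new server, verify_backup(dest, load_manifest(dest)) returns the list of files that were lost or altered in transit; an empty list means the copy is intact.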
For help, contact the support team by email at support@servicedeskplus.com or toll-free at +1.888.720.9500.
This is an unauthenticated RCE vulnerability that was identified in the on-premises model of ServiceDesk Plus. It can allow an adversary to execute arbitrary code and carry out any subsequent attacks.
This vulnerability affects versions 11305 and below in the on-premises model of ServiceDesk Plus (all editions).
Click the Help link in the top-right corner of the ServiceDesk Plus web client, and select About from the drop-down to see your current version. If your current version (all editions) is 11305 and below, you might be affected.
You can also run the exploit detection tool above to verify if your installation has been compromised.
In addition, follow the steps above to move your ServiceDesk Plus installation to a new server as a precaution.
You can upgrade to the latest version (12001) using the appropriate migration path.
We strongly recommend you upgrade to the latest version; however, if you are not able to do so, please follow the steps below to modify the web.xml and struts-config.xml files to mitigate the issue.
Step 1: Open the web.xml file from the following location: <sdp_home>/webapps/ROOT/WEB-INF/web.xml
Step 2: Replace the following lines
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>/RestAPI/*</url-pattern>
</servlet-mapping>
with the following, which leaves only the two TwoFactorAction endpoints reachable through the Struts action servlet under /RestAPI/ instead of the whole /RestAPI/* tree:
<servlet-mapping>
<servlet-name>action</servlet-name>
<url-pattern>/RestAPI/WC/TwoFactorAction</url-pattern>
<url-pattern>/RestAPI/TwoFactorAction</url-pattern>
</servlet-mapping>
Step 3: Open the struts-config.xml file from the following location: <sdp_home>/webapps/ROOT/WEB-INF/struts-config.xml
Step 4: Remove the following form-bean and action definitions, which disables the ImportTechnicians endpoint entirely:
<form-bean name="ImportTechnicians" type="com.adventnet.servicedesk.setup.form.ImportTechniciansForm"/>
and
<action name="ImportTechnicians" path="/ImportTechnicians" scope="request" type="com.adventnet.servicedesk.setup.action.ImportTechniciansAction">
<forward name="GetInputFile" path="/setup/GetTechInputFile.jsp"/>
<forward name="ImportConfirmation" path="/setup/TechImportConfirmation.jsp"/>
<forward name="MapFields" path="/setup/TechMapFields.jsp"/>
</action>
Step 5: In the same struts-config.xml file, change the paths of the two TwoFactorAction mappings so that they match the new servlet mappings. Change:
<action path="/TwoFactorAction" ...
<action path="/WC/TwoFactorAction" ...
to:
<action path="/RestAPI/TwoFactorAction" ...
<action path="/RestAPI/WC/TwoFactorAction" ...
Step 6: Restart ServiceDesk Plus. web.xml and struts-config.xml are read only when the application starts, so the changes do not take effect until the restart.
After the restart, confirm that two-factor login still works: the two TwoFactorAction mappings (used for two-factor authentication) are the only /RestAPI/ paths the workaround leaves routed to the Struts action servlet, so a typo in them breaks two-factor authentication. These modifications mitigate the issue, but they are a workaround rather than a fix; upgrade to version 11306 or above as soon as you can.
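A check for the workaround above, added here as an example and not ManageEngine's own tooling: it parses web.xml and struts-config.xml under <sdp_home>/webapps/ROOT/WEB-INF (the location given in Steps 1 and 3) and reports whether the /RestAPI/* wildcard is gone, whether the two TwoFactorAction url-patterns are present, whether the ImportTechnicians form-bean and action have been removed, and whether the TwoFactorAction paths have been moved under /RestAPI. The embedded before/after XML fragments are constructed for the self-check and are not copied from an installation; the script name is an assumption.

```python
"""Added example (not ManageEngine's code): check that the web.xml / struts-config.xml
workaround from the advisory is in place on an installation.

Run as:  python audit_workaround.py <sdp_home>
It reads <sdp_home>/webapps/ROOT/WEB-INF/{web.xml,struts-config.xml} and exits 1 with a
list of findings if any part of the workaround is missing or a 2FA mapping was lost.
Without an argument it audits the constructed "before" samples below.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# The only /RestAPI/ url-patterns the advisory leaves mapped to the Struts "action" servlet.
KEEP_PATTERNS = ("/RestAPI/WC/TwoFactorAction", "/RestAPI/TwoFactorAction")
# The two action paths the advisory moves under /RestAPI.
MOVED_ACTIONS = ("/TwoFactorAction", "/WC/TwoFactorAction")


def _local(tag):
    """web.xml carries a default namespace; compare on the local name only."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def audit_web_xml(xml_text):
    """Findings about the url-patterns routed to the servlet named 'action'."""
    root = ET.fromstring(xml_text)
    patterns = []
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        names = [(c.text or "").strip() for c in _children(mapping, "servlet-name")]
        if "action" in names:
            patterns += [(c.text or "").strip() for c in _children(mapping, "url-pattern")]
    findings = []
    for p in patterns:
        if p.startswith("/RestAPI/") and p.endswith("*"):
            findings.append(f"web.xml: wildcard {p} still routes /RestAPI/ to the action servlet")
    for p in KEEP_PATTERNS:
        if p not in patterns:
            findings.append(f"web.xml: {p} not mapped (two-factor login would break)")
    return findings


def audit_struts_config(xml_text):
    """Findings about the ImportTechnicians removal and the moved TwoFactorAction paths."""
    root = ET.fromstring(xml_text)
    findings = []
    if any(fb.get("name") == "ImportTechnicians" for fb in root.iter("form-bean")):
        findings.append("struts-config.xml: form-bean ImportTechnicians still present")
    paths = [a.get("path") for a in root.iter("action")]
    if "/ImportTechnicians" in paths:
        findings.append("struts-config.xml: action /ImportTechnicians still present")
    for p in MOVED_ACTIONS:
        if p in paths:
            findings.append(f"struts-config.xml: action {p} not moved under /RestAPI")
        if "/RestAPI" + p not in paths:
            findings.append(f"struts-config.xml: action /RestAPI{p} missing")
    return findings


def audit_installation(sdp_home):
    """Read both files from <sdp_home>/webapps/ROOT/WEB-INF and return all findings."""
    web_inf = Path(sdp_home) / "webapps" / "ROOT" / "WEB-INF"
    return (audit_web_xml((web_inf / "web.xml").read_text(encoding="utf-8"))
            + audit_struts_config((web_inf / "struts-config.xml").read_text(encoding="utf-8")))


# Constructed samples (assumptions, not copied from a real installation) for a self-check.
WEB_XML_BEFORE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping><servlet-name>action</servlet-name><url-pattern>/RestAPI/*</url-pattern></servlet-mapping>
</web-app>"""
WEB_XML_AFTER = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping><servlet-name>action</servlet-name>
    <url-pattern>/RestAPI/WC/TwoFactorAction</url-pattern>
    <url-pattern>/RestAPI/TwoFactorAction</url-pattern></servlet-mapping>
</web-app>"""
STRUTS_BEFORE = """<struts-config>
  <form-beans><form-bean name="ImportTechnicians" type="com.adventnet.servicedesk.setup.form.ImportTechniciansForm"/></form-beans>
  <action-mappings>
    <action name="ImportTechnicians" path="/ImportTechnicians" scope="request"
            type="com.adventnet.servicedesk.setup.action.ImportTechniciansAction"/>
    <action path="/TwoFactorAction"/>
    <action path="/WC/TwoFactorAction"/>
  </action-mappings>
</struts-config>"""
STRUTS_AFTER = """<struts-config>
  <form-beans/>
  <action-mappings>
    <action path="/RestAPI/TwoFactorAction"/>
    <action path="/RestAPI/WC/TwoFactorAction"/>
  </action-mappings>
</struts-config>"""

if __name__ == "__main__":
    findings = audit_installation(sys.argv[1]) if len(sys.argv) > 1 else (
        audit_web_xml(WEB_XML_BEFORE) + audit_struts_config(STRUTS_BEFORE))
    print("\n".join(findings) or "workaround in place")
    sys.exit(1 if findings else 0)
```

Run it after Step 6 on the live installation; an exit status of 0 means every part of the workaround was found. It deliberately reports a missing TwoFactorAction mapping as a finding too, since the most likely way to break two-factor login while applying the workaround is to drop or mistype one of the two patterns that must be kept.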
The vulnerability has been addressed by fixing the security configuration process in ServiceDesk Plus versions 11306 and above. You can upgrade to the latest version (12001) using the appropriate migration path.
We've put together this dedicated webpage to keep you up-to-date on the latest updates from our side, the technicalities of the vulnerability, our incident response plan, and recommended actions.