Unauthenticated File/Directory Creation Vulnerability in ManageEngine OpManager, Network Configuration Manager, NetFlow Analyzer and Firewall Analyzer

Severity: Medium

CVE ID: CVE-2022-35404

| Product name | Affected version(s) | Fixed version(s) | Fixed on |
|---|---|---|---|
| OpManager | 125664 and below | 125639 / 125655 / 126101 | 24-06-2022 |
| Network Configuration Manager | 125664 and below | 125639 / 125655 / 126101 | 24-06-2022 |
| NetFlow Analyzer | 125664 and below | 125639 / 125655 / 126101 | 24-06-2022 |
| Firewall Analyzer | 125664 and below | 125639 / 125655 / 126101 | 24-06-2022 |

Details:
Unauthenticated creation of multiple arbitrary files and directories led to high resource consumption. This has been fixed now.

This issue has been fixed by introducing validation checks in our server-side source code. These checks validate the parameter against the respective patterns before initiating a session.
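The kind of check described above, as an added example that is not ManageEngine's code: a handler that turns a request parameter into a directory, without and with pattern validation. The parameter pattern, function names and directory layout are assumptions, since the advisory does not publish them.

```python
import re
import tempfile
from pathlib import Path

# Assumed allowlist pattern; the advisory does not publish the real one.
SESSION_PARAM = re.compile(r"[A-Za-z0-9]{8,32}")


def start_session_unchecked(base: Path, param: str) -> Path:
    """'Before' behaviour: any request value becomes a directory on disk."""
    target = base / param
    target.mkdir(parents=True, exist_ok=True)
    return target


def start_session_validated(base: Path, param: str) -> Path:
    """'After' behaviour: match the parameter against its pattern first."""
    if not SESSION_PARAM.fullmatch(param):
        raise ValueError("parameter rejected before session start")
    target = (base / param).resolve()
    # Defence in depth: the result must sit directly under the base directory.
    if target.parent != base.resolve():
        raise ValueError("path escapes session directory")
    target.mkdir(exist_ok=True)
    return target


def count_created(handler, params) -> int:
    """Run a handler over request values; return the entries created on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "sessions"
        base.mkdir()
        for p in params:
            try:
                handler(base, p)
            except ValueError:
                pass  # rejected before anything was written
        return sum(1 for _ in base.rglob("*"))


# Constructed sample values: one well-formed, the rest arbitrary or nested names.
SAMPLE = ["a1b2c3d4e5", "x/y/z", "junk-1", "junk-2", "deep/er/still"]

if __name__ == "__main__":
    print("unchecked:", count_created(start_session_unchecked, SAMPLE))
    print("validated:", count_created(start_session_validated, SAMPLE))
```

Because the check runs before any filesystem call, rejected requests cost no disk entries at all.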

Impact:
Because a huge number of files/directories could be created, there was a possibility of high resource consumption that might compromise the availability of network resources.

Steps to upgrade:

  1. Download the latest upgrade pack from the following links for the respective products:
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Source and Acknowledgements

This vulnerability was reported by Tenable. Find out more about CVE-2022-35404 from the CVE dictionary.

Kindly contact the respective product support teams for further details at the below mentioned email addresses:
