Authentication Bypass - CVE-2022-36923

Severity: Critical

CVE ID: CVE-2022-36923

Details:

The lack of proper request handling mechanism had resulted in unauthenticated access of the user API key. This has been fixed now.

Impact:

Anyone can retrieve the API key of a valid user without authentication and can access the external APIs.

Steps to upgrade:

1. Kindly download the latest upgrade pack from the following links for the respective products:
   • OpManager: https://www.manageengine.com/network-monitoring/service-packs.html
   • OpManager Plus: https://www.manageengine.com/it-operations-management/service-packs.html
   • OpManager MSP: https://www.manageengine.com/network-monitoring-msp/service-packs.html
   • Network Configuration Manager: https://www.manageengine.com/network-configuration-manager/upgradepack.html
   • NetFlow Analyzer: https://www.manageengine.com/products/netflow/service-packs.html
   • Firewall Analyzer: https://www.manageengine.com/products/firewall/service-packs.html
   • OpUtils: https://www.manageengine.com/products/oputils/service-packs.html
2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Important steps to follow post product upgrade: It is highly advisable to regenerate the APIKey for all the users once after the upgrade. To regenerate an API key, click on the Personalize/Quick settings (near user icon) icon, select the 'Rest API key' tab and click on the 'Regenerate Key' option.

Kindly contact the respective product support teams for further details at the below mentioned email addresses:

• OpManager: opmanager-support@manageengine.com
• OpManager Plus: opmanagerplus-support@manageengine.com
• OpManager MSP: msp-opmanager-support@manageengine.com
• Network Configuration Manager: ncm-support@manageengine.com
• NetFlow Analyzer: netflowanalyzer-support@manageengine.com
• FireWall Analyzer: fwanalyzer-support@manageengine.com