Security Updates - CVE-2022-38772 | ManageEngine OpManager

Remote Code Execution - CVE-2022-38772

Severity: High

CVE ID: CVE-2022-38772

Product name	Affected Version(s)	Fixed Version(s)	Fixed On
OpManager OpManager Plus OpManager MSP Network Configuration Manager NetFlow Analyzer OpUtils	Customers with builds between 126113 and 126119	126120	29-07-2022
	Customers with builds between 126100 and 126104	126105	30-07-2022
	Customers with builds 126000 and 126002	126105
	Customers with build 125664	126003
	Customers with builds between 125450 and 125657	125658

Details:

Earlier, there was a Remote Code Execution (RCE) vulnerability in IPv4 address management reported by an anonymous working with Trend Micro Zero Day Initiative. This has been fixed now.

Impact:

Any authenticated user can carry out changes to the database and perform RCE using it.

Steps to upgrade:

Kindly download the latest upgrade pack from the following links for the respective products:
- OpManager: https://www.manageengine.com/network-monitoring/service-packs.html
- OpManager Plus: https://www.manageengine.com/it-operations-management/service-packs.html
- OpManager MSP: https://www.manageengine.com/network-monitoring-msp/service-packs.html
- Network Configuration Manager: https://www.manageengine.com/network-configuration-manager/upgradepack.html
- NetFlow Analyzer: https://www.manageengine.com/products/netflow/service-packs.html
- OpUtils: https://www.manageengine.com/products/oputils/service-packs.html
Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above links.

Source and Acknowledgements

This vulnerability was reported by an anonymous working with Trend Micro Zero Day Initiative. Find out more about CVE-2022-38772 from the CVE dictionary.

Kindly contact the respective product support teams for further details at the below mentioned email addresses:

OpManager: opmanager-support@manageengine.com
OpManager Plus: opmanagerplus-support@manageengine.com
OpManager MSP: msp-opmanager-support@manageengine.com
Network Configuration Manager: ncm-support@manageengine.com
NetFlow Analyzer: netflowanalyzer-support@manageengine.com
OpUtils oputils-support@manageengine.com

Video Zone

Altaleb Alshenqiti - Ministry of National Guard - Health Affairs

IT Admin from "Royal flying doctor service", Australia

Jonathan ManageEngine Customer
Michael - Network & Tech, ManageEngine Customer

Altaleb Alshenqiti - Ministry of National Guard - Health Affairs
David Tremont, Associate Directory of Infrastructure,USA

Todd Haverstock Administrative Director
Donald Stewart, IT Manager from Crest Industries

John Rosser, MIS Manager - Yale Chase Equipment & Services
Mohd Jaffer Tawfiq Murtaja, Information Security officer from Al Ain sports club

Venkatesan Veerappan, IT Consultant