| Product Name | Affected Version(s) | Fixed Version(s) | Fixed on |
| Access Manager Plus | 4302 and below | 4303 | 24/06/2022 |
| Password Manager Pro | 12100 and below | 12101 | 24/06/2022 |
| PAM360 | 5500 and below | 5510 | 23/06/2022 |
Details
There is a critical security vulnerability in the third party libraries of the affected products. This vulnerability allowed adversaries to execute arbitrary code via a crafted serialised Java object in an <ex:serializable> element.
Impact
This security vulnerability could allow adversaries to execute arbitrary code on affected installation of Access Manager Plus, PAM360 and or Password Manager Pro. ManageEngine strongly advise to upgrade to the latest build immediately.
Steps to upgrade
Download the latest service pack from the following links provided below
Access Manager Plus
https://www.manageengine.com/privileged-session-management/upgradepack.html
PAM360
https://www.manageengine.com/privileged-access-management/upgradepack.html
Password Manager Pro
https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html
Apply the latest build to your existing product installation as per the upgrade pack instructions in the links provided above.
What if my installation has been compromised?
To verify if your installation has been affected, follow these steps below
- Navigate to <ManageEngine_Installation_Directory>/logs
- Open the file access_log_<Date>.txt
- Search for the keyword /xmlrpc in the text file. If it is present, then your installation is affected.
What should you do if your installation has been compromised
- Disconnect and isolate the compromised machine.
- Create a zip file containing all the application logs, and send them to product support depending on which one has been compromised
Access Manager Plus: accessmanagerplus-support@manageengine.com
PAM360: pam360-support@manageengine.com
Password Manager Plus: passwordmanagerpro-support@manageengine.com
Important Note: Don’t forget to make a backup of your installation folder before you upgrade and keep the backup in a separate location. If anything goes wrong, you will have this copy as a backup which will keep all your settings intact. If you’re using an MS SQL server as the back-end database, back up the application database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.
For more information or if you have any questions feel free to contact us
This article is relevant to:
IT SecurityManageEngineSecurity AdvisoryOther recent articles in the same category
You may be interested in these other recent articles
Overcoming Compliance Challenges in ServiceDesk Plus Cloud
20 February 2025
At Set3 Solutions, we frequently assist clients with compliance and security documentation requests, ensuring they can meet audit and regulatory requirements effectively. When a critical…
Read moreRemoving Endpoint Central Distribution Servers
14 February 2025
At Set3, we pride ourselves on delivering expert guidance that helps our customers optimise their IT infrastructure using ManageEngine solutions. Our deep expertise in Endpoint…
Read moreLatest Updates for ManageEngine ServiceDesk Plus Cloud
7 February 2025
Discover the latest ServiceDesk Plus Cloud updates, including new features, fixes, and enhancements.
Read moreStay Ahead with the Latest Updates for ManageEngine OpManager
6 February 2025
Discover the latest OpManager updates, including new features, fixes, and enhancements.
Read moreThird Party Integration with ServiceDesk Plus: A Standardised Approach
5 February 2025
In today’s fast-paced IT landscape, businesses rely on third-party application integrations to streamline workflows and enhance operational efficiency. To unlock the full potential of these…
Read more