Product NameAffected Version(s)Fixed Version(s)Fixed on
Access Manager Plus4302 and below430324/06/2022
Password Manager Pro12100 and below1210124/06/2022
PAM3605500 and below551023/06/2022

Details
There is a critical security vulnerability in the third party libraries of the affected products. This vulnerability allowed adversaries to execute arbitrary code via a crafted serialised Java object in an <ex:serializable> element.

Impact
This security vulnerability could allow adversaries to execute arbitrary code on affected installation of Access Manager Plus, PAM360 and or Password Manager Pro. ManageEngine strongly advise to upgrade to the latest build immediately.

Steps to upgrade
Download the latest service pack from the following links provided below

Access Manager Plus
https://www.manageengine.com/privileged-session-management/upgradepack.html

PAM360
https://www.manageengine.com/privileged-access-management/upgradepack.html

Password Manager Pro
https://www.manageengine.com/products/passwordmanagerpro/upgradepack.html

Apply the latest build to your existing product installation as per the upgrade pack instructions in the links provided above.

What if my installation has been compromised?
To verify if your installation has been affected, follow these steps below

  1. Navigate to <ManageEngine_Installation_Directory>/logs
  2. Open the file access_log_<Date>.txt
  3. Search for the keyword /xmlrpc in the text file. If it is present, then your installation is affected.

What should you do if your installation has been compromised

  1. Disconnect and isolate the compromised machine.
  2. Create a zip file containing all the application logs, and send them to product support depending on which one has been compromised

Access Manager Plus: accessmanagerplus-support@manageengine.com
PAM360: pam360-support@manageengine.com
Password Manager Plus: passwordmanagerpro-support@manageengine.com

Important Note: Don’t forget to make a backup of your installation folder before you upgrade and keep the backup in a separate location. If anything goes wrong, you will have this copy as a backup which will keep all your settings intact. If you’re using an MS SQL server as the back-end database, back up the application database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.

For more information or if you have any questions feel free to contact us

This article is relevant to:
IT SecurityManageEngineSecurity Advisory

You may be interested in these other recent articles

ManageEngine ServiceDesk Plus Cloud Build Release Information

11 April 2024

Summary details of the current Build Release information for ManageEngine ServiceDesk Plus Cloud Edition. All upgrades are performed by the Zoho Cloud team. Should you…

Read more

ManageEngine Endpoint Central (formerly Desktop Central) On-Premise Build Release Information

9 April 2024

Summary details of the current Build Release information for ManageEngine Endpoint Central. Note: Desktop Central changing its name to Endpoint Central will not affect the…

Read more

ManageEngine Analytics Plus Build Release Information

4 April 2024

Summary details of the current build release information for ManageEngine Analytics Plus. Scroll the above to view more release details. Download the latest service packs…

Read more

ManageEngine OpManager Build Release Information

2 April 2024

Summary details of the current build release information for ManageEngine OpManager. Scroll the above to view more release details. Download the latest service packs here.…

Read more

ManageEngine ADSelfService Plus Build Release Information

29 March 2024

The current build release information for ManageEngine ADSelfService Plus is summarised below. Scroll down for more information. You can download the latest service packs here.…

Read more