As technology evolves exponentially with AI and 5G slowly becoming the norm, the time to consider ramping up cybersecurity across the industry is at hand. Simply put, the more complex the technology, implemented across more and more platforms, the more chance there is for error and the more opportunity there is for cybercriminals.
Why So Many Software Vulnerabilities?
When it comes to software vulnerabilities, the last decade has been marked by a paper sent to the IEEE (Institute of Electrical and Electronics Engineers) as ‘A Decade of Reocurring Software Weaknesses.’ According to this research paper, “In 2020, there were over 18 000 documented software vulnerabilities [1] that enable malicious activity.” Furthermore, the paper also posits that the cybersecurity standard for software vulnerabilities is not really there yet, “It is challenging to catch up with hackers; they need to find only one weak spot, while we (the community) have to defend entire systems. New doors also get opened (e.g., in recent years Object Deserialization injection). Nevertheless, the results of this study show that either we are incapable of correcting the most common software flaws, or we are focusing on the wrong ones.”
The ZOHO Corp. ManageEngine OpManager Vulnerability
Yet another software vulnerability is knocking at the door. This one is affecting a ZOHO Corp product. Specifically, it affects a product belonging to ZOHO Corp. that is called the ManageEngine OpManager. ManageEngine is the ‘enterprise IT management division of ZOHO Corp.’ ZOHO Corp. (ManageEngine) is one of the leaders in IT management systems. The software vulnerability was reported on September 3rd, 2021. A software vulnerability report concerning ZOHO Corp.’s ManageEngine OpManager was made public on the ManageEngine official web page. The vulnerability is classified as high-risk, classified with CVE ID code CVE-2021-40493. The flaw can potentially lead to dangerous remote attacker risks.
In-Depth Details
The software vulnerability affecting the ManageEngine OpManager is an SQL injection vulnerability. In-depth technical details reveal the following information; The vulnerability allows a remote user to execute arbitrary SQL queries in the database. The vulnerability exists due to insufficient sanitization of user-supplied data in the support diagnostics module. A remote user can send a specially crafted request to the affected application and execute arbitrary SQL commands within the application database. Successful exploitation of this vulnerability may allow a remote attacker to read, delete, modify data in the database and gain complete control over the affected application.
Vulnerable Software Versions
The software versions of ManageEngine OpManager that are vulnerable to the above issue are listed here; ManageEngine OpManager versions; 12.5 125000, 12.5 125001, 12.5 125002, 12.5 125003, 12.5 125004, 12.5 125005, 12.5 125006, 12.5 125007, 12.5 125008, 12.5 125009, 12.5 125010, 12.5 125011,12.5 125012, 12.5 125100, 12.5 125101, 12.5 125102, 12.5 125108, 12.5 125110, 12.5 125111, 12.5 125112, 12.5 125113, 12.5 125114, 12.5 125116, 12.5 125117, 12.5 125118, 12.5 125120, 12.5 125121, 12.5 125123, 12.5 125124, 12.5 125125, 12.5 125127, 12.5 125128, 12.5 125129, 12.5 125136, 12.5 125137, 12.5 125139, 12.5 125140, 12.5 125143, 12.5 125144, 12.5 125145, 12.5 125147, 12.5 125148, 12.5 125149, 12.5 125150, 12.5 125156, 12.5 125157, 12.5 125158, 12.5 125159, 12.5 125161, 12.5 125163, 12.5 125174, 12.5 125175, 12.5 125176, 12.5 125177, 12.5 125178, 12.5 125180, 12.5 125181, 12.5 125192, 12.5 125193, 12.5 125194, 12.5 125195, 12.5 125196, 12.5 125197, 12.5 125198, 12.5 125201, 12.5 125203, 12.5 125204, 12.5 125212, 12.5 125213, 12.5 125214, 12.5 125215, 12.5 125216, 12.5 125221, 12.5 125228, 12.5 125229, 12.5 125230, 12.5 125231, 12.5 125232, 12.5 125233, 12.5 125235, 12.5 125300, 12.5 125306, 12.5 125307, 12.5 125312, 12.5 125323, 12.5 125324, 12.5 125326, 12.5 125328, 12.5 125329, 12.5 125340, 12.5 125341, 12.5 125342, 12.5 125343, 12.5 125344, 12.5 125346, 12.5 125358, 12.5 125359, 12.5 125360, 12.5 125361, 12.5 125362, 12.5 125364, 12.5 125366, 12.5 125367, 12.5 125375, 12.5 125376, 12.5 125377, 12.5 125378, 12.5 125379, 12.5 125380, 12.5 125381, 12.5 125382, 12.5 125386, 12.5 125392, 12.5 125393, 12.5 125394, 12.5 125397, 12.5 125398, 12.5 125399, 12.5 125405, 12.5 125410, 12.5 125411, 12.5 125413, 12.5 125414, 12.5 125415, 12.5 125416, 12.5 125417, 12.5 125420, 12.5 125428, 12.5 125430, 12.5 125431, 12.5 125432, 12.5 125433, 12.5 125434, 12.5 125446, 12.5 125448, 12.5 125450, 12.5 125451, 12.5 125452
Important User Information
A patch has been made available for customers/users of ZOHO Corp. ManageEngine OpManager. The software security fix should occur automatically. Alternatively, please consult ManageEngine support.