SB2023060129 - Multiple vulnerabilities in Zoho ManageEngine OpManager
Published: June 1, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 4 secuirty vulnerabilities.
1) Deserialization of untrusted data (CVE-ID: CVE-2016-5003)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to improper deserialization of untrusted Java objects. A remote attacker can send a request that submits a malicious serialized Java object in an <ex:serializable> element and execute arbitrary code with elevated privileges.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
2) XML External Entity injection (CVE-ID: CVE-2016-5002)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
XML external entity (XXE) vulnerability in the Apache XML-RPC (aka ws-xmlrpc) library 3.1.3, as used in Apache Archiva, allows remote attackers to conduct server-side request forgery (SSRF) attacks via a crafted DTD.
3) Resource exhaustion (CVE-ID: CVE-2016-5004)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
4) Deserialization of Untrusted Data (CVE-ID: N/A)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insecure input validation when processing serialized data. A remote attacker can pass specially crafted data to the application and perform a denial of service attack.
Remediation
Install update from vendor's website.