Progress OpenEdge OEM Unauthenticated Content Injection via ActiveMQ

From this webpage screenshot, the following key information about the vulnerability can be obtained: 1. Vulnerability Description: - Vulnerability Type: Unauthenticated Content Injection. - Affected Component: OpenEdge Management web interface via ActiveMQ discovery service. - Affected Versions: OpenEdge LTS versions 11.7.19 and 12.2.14 and earlier, including all updates up to 12.8.3 or earlier. 2. Vulnerability Impact: - Potential Impact: Malicious actors can send malicious UDP multicast messages via the ActiveMQ discovery service, which can be received by OpenEdge/OEM clients and injected into the OpenEdge web interface, potentially leading to injection of HTML, CSS, and other content that may be viewed or executed by users. - Mitigation: In fixed versions, the "auto-discovery" feature of the ActiveMQ discovery service will be disabled by default, meaning the "allowDiscover" option will be set to "false". 3. Fixed Versions: - Affected Versions: OpenEdge LTS versions 11.7.19 and 12.2.14 and earlier. - Fixed Versions: OpenEdge LTS updates 11.7.20 or higher, 12.2.15 or higher, and 12.8.3 or higher. 4. Temporary Mitigation: - If immediate update is not possible, users can manually set the "allowDiscover" option to "false" in the "management.properties" configuration file to disable the ActiveMQ discovery service. 5. Affected Users: - All OpenEdge/OEM users running affected versions, including those on OpenEdge LTS versions 11.7.19 and 12.2.14 and earlier. 6. Business Impact: - Unauthenticated content injection may lead to risks such as network flooding, sniffing, and tampering. - May enable HTML/CSS injection attacks, which could be viewed or executed by users. 7. How to Upgrade: - Customers can upgrade to the fixed versions by downloading OpenEdge LTS updates 11.7.20, 12.2.16, and 12.8.3. 8. Disclaimer: - The information may be provided by internal or external sources and is not guaranteed for accuracy or completeness. - Users should independently assess and manage any potential risks. This information helps users understand the severity of the vulnerability, the scope of impact, and the steps they can take to mitigate or fix the vulnerability.

Goal Reached Thanks to every supporter — we hit 100%!

Progress OpenEdge OEM Unauthenticated Content Injection via ActiveMQ