05. 10. 2022
Gianluca Piccolo
Bug Fixes, NetEye
NetEye 4 Asset – Security Advisory – Multiple Vulnerabilities
Synopsis
Important: Multiple Security updates for NetEye 4
Type/Severity
Security Advisory: Critical
Topic
Wuerth Phoenix has released some Critical Patches (CPs) for NetEye 4. These CPs resolve multiple vulnerabilities related to SQL injections, Cross Site Scripting and an unauthenticated remote command execution (RCE) exploit.
Description
GLPI was affected by:
- [Critical] RCE using a third-party library script (CVE-2022-35914).
- [Critical] Privilege Escalation by authentication via SQL injection (CVE-2022-35947)
- XSS through registration API (CVE-2022-35945)
- Leak of sensitive information through login page error (CVE-2022-31143)
- SQL injection through plugin controller (CVE-2022-35946)
Security Fix(es) for NetEye >= 4.23:
- glpi-9.5.9_neteye1.10.1-1.noarch.rpm
- glpi-neteye-config-9.5.9_neteye1.10.1-1.noarch.rpm
- glpi-autosetup-9.5.9_neteye1.10.1-1.noarch.rpm
CVE-2022-35914 RCE workaround for older NetEye 4 versions
Remove /usr/share/glpi/vendor/htmlawed/htmlawed/htmLawedTest.php file from the filesystem on all NetEye nodes. This will prevent unauthenticated attackers to compromise your NetEye installation.
Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to the NetEye Update Section inside the User Guide.
Affected Products
All NetEye 4.x versions prior to and including 4.26.
References
- https://access.redhat.com/security/updates/classification/#important
- https://github.com/glpi-project/glpi/releases/tag/9.5.9
Full Stack Developer at Wuerth Phoenix. I love questioning myself, find new challenges to learn and new adventures to grow up. PHP lover trying to expand my skills studying new languages and tools to improve my professional life.
Author
