An authentication bypass vulnerability (CVE-2022-29081), reported by Evan Grant and affecting ManageEngine Access Manager Plus versions up to 4301, has been fixed. It was caused by an improper URI check that allowed an adversary to bypass security checks in seven REST API URLs, gain unauthorized access to the application, and invoke the following operations:
Apache Log4j has been upgraded from version 1.2.8 to 2.17.2.
From build 4300, users could not launch RDP connections if the 'Reason' field contained special characters such as '#'.
Access Manager Plus now supports adding HTTPS-based web links as a connection type. Admins and users can launch secure HTTPS-based connections to local web pages or to websites in demilitarized zones and access them directly from the Access Manager Plus interface, with Access Manager Plus acting as a proxy server. Additionally, the connection status and details are recorded in the connection audit.
Note: If your current ticketing system is ServiceDesk Plus On-Premises or ServiceDesk Plus Cloud, this upgrade pack will disable the integration and delete all of the integration data. You will have to reconfigure the ticketing system afterwards, so make sure you have a backup of the advanced configurations in the form of screenshots for reference.
From Access Manager Plus build 4202 onwards, standard users could delete saved session recording files, which is an admin-only operation. This issue has been fixed now.
An authentication bypass vulnerability (CVE-2021-44676), affecting ManageEngine Access Manager Plus versions up to 4202, has been fixed. It allowed an adversary to gain unauthorized access to the application and invoke actions through specific application URLs.
Customizable Access Control Settings
From build 4200 onwards, Access Manager Plus allows users to apply customized configuration settings for the connection access control feature. This enhancement adds options that help users manage the request-release workflow for connections more efficiently.
Some of the customizable options include:
This release comes with improved security checks for Cross-Site Request Forgery (CSRF) and HTTP request methods.
Earlier, all connections added to Access Manager Plus were shared connections by default and were accessible to all users. Now, users can make their connections either 'Shared' or 'Owned', where 'Owned' connections are private and accessible only to the connection owners. Options under 'General Settings' let administrators globally enable or disable session recording for Owned connections and switch Access Manager Plus to Shared or Owned mode at their discretion. Additionally, a bulk 'Edit Connections' option has been added, which allows only connection owners to enable or disable the 'Shared connection' and 'Access Control' options.
The PostgreSQL server used in Access Manager Plus has been upgraded to version 9.5.21.