Bug 2163504 (CVE-2022-47966)

Summary: CVE-2022-47966 ManageEngine: remote code execution vulnerability in multiple ManageEngine products
Product: [Other] Security Response Reporter: Chess Hazlett <chazlett>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aileenc, asoldano, balejosg, bbaranow, bmaxwell, boliveir, brian.stansberry, cdewolf, chazlett, darran.lofthouse, dkreling, dosoudil, fjuma, fmongiar, gmalinko, ivassile, iweiss, janstey, jcantril, jnethert, jolee, jpavlik, jpoth, jschatte, jstastny, jwon, lgao, mosmerov, msochure, msvehla, nwallace, pdelbell, pdrozd, peholase, periklis, pjindal, pmackay, pskopek, rstancel, smaestri, sthorger, tcunning, tom.jenkinson, yfang
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-25 18:52:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2163496    

Description Chess Hazlett 2023-01-23 17:53:55 UTC 
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections.
Comment 1 Product Security DevOps Team 2023-01-25 18:52:11 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-47966