製品・ソフトウェアに関する情報

JVN脆弱性詳細

複数の ZOHO 製品における SQL インジェクションの脆弱性

Title	複数の ZOHO 製品における SQL インジェクションの脆弱性
Summary	ZOHO ManageEngine OpManager、IT360、および Social IT Plus には、SQL インジェクションの脆弱性が存在します。
Possible impacts	第三者、またはリモート認証されたユーザにより、(1) APMBVHandler サーブレットの Delete 操作の OPM_BVNAME パラメータ、または (2) DataComparisonServlet サーブレットの compare 操作の query パラメータを介して、任意の SQL コマンドを実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Nov. 9, 2014, midnight
Registration Date	Dec. 5, 2014, 4:42 p.m.
Last Update	Dec. 5, 2014, 4:42 p.m.

Affected System

Zoho Corporation

ManageEngine IT360 10.3

ManageEngine IT360 10.4

ManageEngine OpManager 11.3

ManageEngine OpManager 11.4

ManageEngine Social IT Plus 11.0

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2014-7868	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7868
National Vulnerability Database (NVD)
2	CVE-2014-7868	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7868

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-89	https://jvndb.jvn.jp/ja/cwe/CWE-89.html

ベンダー情報

No	Name	URL
ManageEngine
1	SQL Injection Vulnerability FIx	https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix

その他

No	Name	URL
関連文書
1	Multiple vulnerabilities in ManageEngine OpManager, Social IT Plus and IT360	https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt

Change Log

No	Changed Details	Date of change
0	[2014年12月05日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2014-7868

Summary	Multiple SQL injection vulnerabilities in ZOHO ManageEngine OpManager 11.3 and 11.4, IT360 10.3 and 10.4, and Social IT Plus 11.0 allow remote attackers or remote authenticated users to execute arbitrary SQL commands via the (1) OPM_BVNAME parameter in a Delete operation to the APMBVHandler servlet or (2) query parameter in a compare operation to the DataComparisonServlet servlet.
Publication Date	Dec. 5, 2014, 2:59 a.m.
Registration Date	Jan. 26, 2021, 3:19 p.m.
Last Update	Nov. 21, 2024, 11:18 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:zohocorp:manageengine_social_it_plus:11.0:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:zohocorp:manageengine_opmanager:11.3:::::::*
cpe:2.3:a:zohocorp:manageengine_opmanager:11.4:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:zohocorp:manageengine_it360:10.4:::::::*
cpe:2.3:a:zohocorp:manageengine_it360:10.3.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://packetstormsecurity.com/files/129037/ManageEngine-OpManager-Social-IT-Plus-IT360-File-Upload-SQL-Injection.html	Exploit
2	http://packetstormsecurity.com/files/129037/ManageEngine-OpManager-Social-IT-Plus-IT360-File-Upload-SQL-Injection.html	Exploit
3	http://seclists.org/fulldisclosure/2014/Nov/21	Exploit
4	http://seclists.org/fulldisclosure/2014/Nov/21	Exploit
5	http://www.securityfocus.com/archive/1/533946/100/0/threaded
6	http://www.securityfocus.com/archive/1/533946/100/0/threaded
7	http://www.securityfocus.com/bid/71002	Exploit
8	http://www.securityfocus.com/bid/71002	Exploit
9	https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt	Exploit
10	https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_opmanager_socialit_it360.txt	Exploit
11	https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix	Exploit Patch
12	https://support.zoho.com/portal/manageengine/helpcenter/articles/sql-injection-vulnerability-fix	Exploit Patch

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-89	SQLインジェクション	https://cwe.mitre.org/data/definitions/89.html