CVE-2024-7345

Summary

Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms

Affected Software

VendorProductVersion RangeStatus
ProgressOpenEdge11.7.0 <= 11.7.19affected
ProgressOpenEdge12.2.0 <= 12.2.14affected
ProgressOpenEdge12.8.0unaffected

Weaknesses

  • CWE-94: CWE-94 Improper Control of Generation of Code ('Code Injection')

Workarounds

Do not put client software on host webserver systems Ensure the "AppServer.SessMgr.agentHost" property is set to "localhost" unless you are multi-hosting a single Webserver system Block agent listening ports from network access anywhere with the exception of the PASOE Tomcat Webserver's published listening port Launch PASOE agent processes with "least privilege" system resource capabilities

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References