ECS Connection Manager Security Vulnerability CVE-2024-7591
This article describes a security vulnerability that affects all ECS Connection Manager releases. Please see CVE-2024-7591 for the official description.
We have not received any reports that this vulnerability has been exploited and we are not aware of any direct impact to customers. Nevertheless, we are encouraging all customers to upgrade their ECS Connection Manager implementations as soon as possible to harden their environment. Make sure you are subscribed to announcement notifications via the Support Portal to receive timely notifications for important product updates.
This notification provides a brief description of the vulnerability and the related enhancements made in the affected releases.
Fix for CVE-2024-7591
It is possible for unauthenticated, remote attackers who have access to the management interface to issue a carefully crafted HTTP request that will allow arbitrary system commands to be executed. This vulnerability has been closed by sanitizing user input in requests to mitigate arbitrary system command execution.
Update Details
To benefit from this security enhancement, customers should apply the add-on package listed in the table below as soon as possible. The add-on package can be installed on any release, even if support for the unit has expired.
Product | Affected Versions | Patched Versions | Release Date |
ECS Connection Manager | 7.2.60.0 and all prior versions | Add-on Package XML validation file | Sep 03 2024 |
Download the add-on using the links above and install it using the controls on the System Configuration > System Administration > Update Software UI page.
We also strongly recommend that customers follow our security hardening guidelines. If you have any questions, concerns or problems related to this issue, please log in to open a new Technical Support case in our customer community for assistance. Technical Support is available to all ECS Connection Manager customers under a current support contract. If you don't have an active support contract, please contact your Sales Account Manager.