ECS Connection Manager Security Vulnerability CVE-2024-6658
This article describes an ECS Connection Manager (ECS CM) security vulnerability that affects all ECS CM releases. Please see CVE-2024-6658 for the official description.
We have not received any reports that this vulnerability has been exploited and we are not aware of any direct impact to customers. Nevertheless, we are encouraging all customers to upgrade their ECS CM implementations as soon as possible to harden their environment. Make sure you are subscribed to the announcement notification via the Support Portal to receive timely notifications for important product updates.
This notification provides a brief description of the vulnerability and the related enhancements made in the affected releases.
Fix for CVE-2024-6658
An authenticated, remote attacker who has access to the ECS CM management interface and holds valid ECS CM credentials can issue a carefully crafted HTTP request that results in arbitrary system commands being executed. The fix sanitizes user-supplied request input so that it can no longer be used to execute arbitrary system commands.
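The advisory names the bug class (request input reaching a system command) and the fix class (sanitizing that input) without describing the product's code. The following added example is not ECS CM code and does not reflect how ECS CM builds or runs commands; the parameter name `host`, the `/mgmt/tool` path, the `ping` invocation and the log lines are all constructed for illustration. It shows the unsafe pattern (request input concatenated into a shell string), the hardened pattern (allowlist validation plus an argv list with no shell), and a small detection helper a defender can run over access-log request lines to spot shell metacharacters in management-interface query parameters.

```python
import re
import subprocess
from urllib.parse import parse_qsl, urlsplit

# Allowlist for a hostname-like parameter: letters, digits, dot, underscore, dash.
_SAFE_TOKEN = re.compile(r"^[A-Za-z0-9._-]{1,253}$")

# Characters a POSIX shell interprets specially; used only by the detector below.
_META = re.compile(r"[;&|`$<>\\\n]|\$\(")


def build_command_unsafe(target: str) -> str:
    """'Before' pattern (hypothetical): request input concatenated into a shell
    string. Anything the shell treats specially in `target` changes what runs.
    The string is returned, not executed, so the example stays inert."""
    return f"ping -c 1 {target}"


def validate_token(value: str) -> str:
    """Allowlist validation: accept only hostname-like values, reject everything else.
    Rejecting (rather than stripping characters) keeps the behaviour predictable."""
    if not _SAFE_TOKEN.fullmatch(value):
        raise ValueError("request parameter contains disallowed characters")
    return value


def build_command_safe(target: str) -> list[str]:
    """'After' pattern: validated input placed as a single argv element.
    With shell=False no shell ever re-parses the value, so metacharacters
    could not be interpreted even if validation were loosened later."""
    return ["ping", "-c", "1", validate_token(target)]


def run_safe(target: str) -> int:
    """Execute the hardened form (not called in the example; requires the ping binary)."""
    return subprocess.run(build_command_safe(target), check=False).returncode


def suspicious_params(request_line: str) -> list[str]:
    """Detection helper for an access-log request line such as
    'GET /mgmt/tool?host=x HTTP/1.1'. Returns the names of query parameters
    whose (URL-decoded) values contain shell metacharacters."""
    parts = request_line.split()
    if len(parts) < 2:
        return []
    query = urlsplit(parts[1]).query
    return [k for k, v in parse_qsl(query, keep_blank_values=True) if _META.search(v)]


if __name__ == "__main__":
    # Constructed sample log lines, not from any real ECS CM deployment.
    sample_log = [
        "GET /mgmt/tool?host=10.0.0.5&verbose=1 HTTP/1.1",
        "GET /mgmt/tool?host=10.0.0.5%3Bid&verbose=1 HTTP/1.1",
    ]
    for line in sample_log:
        flagged = suspicious_params(line)
        print(f"{'ALERT' if flagged else 'ok   '} {line} {flagged}")
    print(build_command_safe("10.0.0.5"))
```

The detector is a triage aid, not a replacement for the vendor patch: it only inspects query strings, so requests that carry parameters in a POST body need the body logged or inspected at a proxy. The hardened builder rejects rather than rewrites bad input, which is the property the advisory's fix description ("sanitizing request user input") should be read as providing.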
Update Details
To benefit from this security enhancement, customers should update to the Progress ECS CM release listed below as soon as possible:
Product | Affected Versions | Patched Versions | Release Date
--- | --- | --- | ---
ECS CM | 7.2.60.0 and all prior releases | 7.2.60.1 (GA), XML validation file | 12 Sep 2024
For more information on how to apply the security patch above, refer to the Progress Knowledge Base article on how to upgrade.
We strongly recommend that customers follow our security hardening guidelines. If you have any questions, concerns or problems related to this issue, please log in to open a new Technical Support case in our customer community for assistance. Technical Support is available to all ECS CM customers under a current support contract.