Urgent Security Notification

Security Update S-2022-01

During security tests, security vulnerabilities were found in two modules of the baramundi Management Suite (bMS).
baramundi has classified the risk to the bMS associated with these vulnerabilities as high to critical.
We strongly recommend installing the update.

baramundi Management Agent

Information

This baramundi Management Agent (bMA) update closes a security vulnerability in the bMA which may allow remote code execution on the bMA side. We have classified this vulnerability as high (CVSS v3 score of 8), but not critical.

The update is performed by deploying the current bMA to all clients using the bMA's automatic update mechanism. For this to work, the setup file of the new bMA must be stored on the bServer and on the primary DIP. The bMA version must match the installed bMS version.

To make the import easy, we have provided this S-2022-01.zip. It contains all bMA setup files of the supported bMS versions and automatically stores the correct bMA version on the bServer.

The tool supports bMS 2021 R1, bMS 2021 R2 and bMS 2022 R1.

Installation

  1. The tool must be run on the baramundi Management Server.
  2. Stop the bServer service.
  3. Unpack S-2022-01.zip on the bServer system.
  4. Start S-2022-01.exe with elevated rights (as administrator).
  5. The tool checks whether a supported bMS version is installed and, if so, offers to swap the bMA setup file in the bMS installation directory (...\baramundi\Management Server\Shared\Client\Setup).
  6. If the DIP is used during the bMA installation, manually copy the bMA from ...\baramundi\Management Server\Shared\Client\Setup to the ...\dip$\BMS\Client\Setup directory on the primary DIP.
  7. Afterwards, start the bServer service again.
  8. With version 2022 R1, the message "Unconfirmed bMA installation sources" appears the first time the bMC is started. Because the bMA installation files have been exchanged, this exchange must be confirmed.
    New Hash: 7d57b26870f7791ec72e3a3ec02cb47a0f37aa782fdeae953d708f3cfd3cb273
  9. The baramundi agents (bMA) on the clients are updated automatically during the next job execution.
    Please note: the "Automatic update" of the management agent must be switched on for this (in the bMC under Configuration > Server).
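The following PowerShell script is an added verification example; it is not part of the advisory or of the S-2022-01 tool. It checks the downloaded archive against the published SHA256 hash before anything is unpacked, confirms the bServer service is stopped before the swap, and afterwards verifies that the swapped bMA setup file on the bServer and its copy on the primary DIP carry the published "New Hash". The install root, the DIP share, the service name and the download path are placeholders to adjust; the script also assumes that the "New Hash" shown in step 8 is the SHA256 of the swapped setup file.

```powershell
# Added verification script (not part of the baramundi advisory or the S-2022-01 tool).
# Placeholders to adjust: $ZipPath, $InstallRoot, $DipRoot, $ServiceName.
param(
    [string]$ZipPath     = "$env:USERPROFILE\Downloads\S-2022-01.zip",  # assumption: download location
    [string]$InstallRoot = 'C:\Program Files (x86)',                     # assumption: bMS install root
    [string]$DipRoot     = '\\DIPSERVER\dip$',                           # assumption: primary DIP share
    [string]$ServiceName = 'bServer'                                     # assumption: bServer service name
)

# Hashes as published in the advisory.
$ExpectedZipHash = '3c66878ec3e361042b932c8b58cd4251d624b2942f427a92304b3c0d58d4d8a9'
$ExpectedBmaHash = '7d57b26870f7791ec72e3a3ec02cb47a0f37aa782fdeae953d708f3cfd3cb273'  # assumption: SHA256 of the setup file

function Test-FileHashMatch {
    param([string]$Path, [string]$Expected)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    return ($actual -ieq $Expected)
}

# 1. Verify the download before unpacking or running anything from it.
if (-not (Test-FileHashMatch -Path $ZipPath -Expected $ExpectedZipHash)) {
    throw "SHA256 mismatch for $ZipPath; do not run S-2022-01.exe from this archive."
}
Write-Host "S-2022-01.zip hash OK"

# 2. The setup file must not be swapped while the bServer service is running (step 2).
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Warning "Service '$ServiceName' not found; adjust the placeholder to the real service name."
} elseif ($svc.Status -ne 'Stopped') {
    Write-Warning "$ServiceName is $($svc.Status); stop it before running S-2022-01.exe."
}

# 3. After the tool has run: locate the swapped bMA setup file on the bServer by its
#    published hash, then check that the DIP copy (step 6) is identical.
$setupDir = Join-Path $InstallRoot 'baramundi\Management Server\Shared\Client\Setup'
$dipDir   = Join-Path $DipRoot    'BMS\Client\Setup'

$newAgent = Get-ChildItem -LiteralPath $setupDir -File -ErrorAction SilentlyContinue |
            Where-Object { Test-FileHashMatch -Path $_.FullName -Expected $ExpectedBmaHash }

if (-not $newAgent) {
    Write-Warning "No file in $setupDir matches the published bMA hash; the swap has not taken place."
} else {
    Write-Host "Updated bMA found on bServer: $($newAgent.Name)"
    $dipCopy = Join-Path $dipDir $newAgent.Name
    if (Test-FileHashMatch -Path $dipCopy -Expected $ExpectedBmaHash) {
        Write-Host "DIP copy matches: $dipCopy"
    } else {
        Write-Warning "DIP copy missing or stale: $dipCopy (copy the file from $setupDir)."
    }
}
```

Run the script once before step 3 (it stops at the archive check if the download is corrupt or tampered with) and again after step 6; the second run reports whether the bServer and DIP copies both carry the published hash, which is the same value the bMC asks you to confirm in step 8.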

Hints

  • S-2022-01.exe exchanges the setup file of the baramundi agent (bMA) on the bServer.
  • The bMA must be placed manually on the DIP in the path ...\dip$\BMS\Client\Setup.
  • This update only works with bMS 2021 R1, bMS 2021 R2 and bMS 2022 R1.
  • If the files are copied and imported manually, make sure the bMA version is correct.
  • MA versions are not supported.
  • For older bMS versions, we recommend updating to 2022 R1 as soon as possible and then importing this update.
  • An update to the upcoming bMS 2022 R2 is possible without any problems.
  • As of version 2022 R2, this update is already included.
  • Clients in Internet mode are not updated automatically. For these, the update can be performed as usual via the bDX provided in the bDX exchange "bMA update for Internet clients via job". The provided bDX now contains the respective S1 agent.

Download

SHA256 Hash: 3c66878ec3e361042b932c8b58cd4251d624b2942f427a92304b3c0d58d4d8a9

Download here

Apache Webserver - baramundi DIP

Several vulnerabilities, some of them critical, have been reported in the Apache web server. The CVSS 3.x ratings range from Medium (5.3) to Critical (9.8):

  • CVE-2022-31813 (Critical 9.8)
  • CVE-2022-28615 (Critical 9.1)
  • CVE-2022-29404 (High 7.5)
  • CVE-2022-30522 (High 7.5)
  • CVE-2022-30556 (High 7.5)
  • CVE-2022-26377 (High 7.5)
  • CVE-2022-28330 (Medium 5.3)
  • CVE-2022-28614 (Medium 5.3)

The Apache web server is used in the baraDIP module (version 2022 R1 and earlier) for file downloads.

As of September 27, baraDIP version 2022 R1 S1 has been released in MSW; it fixes the vulnerabilities listed above.