Progress OpenEdge Security Vulnerability CVE-2023-34203
RecTrac 3.1.10.31.00
Problem
The Vermont Systems Tech Group was recently made aware of a security vulnerability within the Progress OpenEdge product. The Progress OpenEdge team reached out with a description of the vulnerability and you can read the entire message below:
Using a local or remote admin service, a logged-in OpenEdge Management (OEM) or OpenEdge Explorer (OEE) user could perform a URL injection attack to change identity or role membership. Only users that are already authorized members of OEM or OEE user roles were able to perform this exploit. Non-admin role members were able to obtain unauthorized escalation to admin role privileges where unrestricted OEM and OEE capabilities were available to the user.
Original Email from the Progress OpenEdge Team
The Progress OpenEdge team recently discovered a security vulnerability in OpenEdge 11.7.15, OpenEdge 12.2.11, and in OpenEdge 12.6. We have addressed the issue and updated the product for customers to remediate it.
Please carefully read this notification. It provides a brief description of the security vulnerability, potential impact and important links to Update details and additional information.
If you are running OpenEdge 11.7.15, please apply the Update, OpenEdge 11.7.16 or later. If you are running OpenEdge 12.2.11, please apply the Update, OpenEdge 12.2.12 or later. If you are running OpenEdge 12.6, please upgrade to OpenEdge 12.7.
- If your OpenEdge version is in the Retired Life Cycle Phase as described in the OpenEdge Life Cycle, you may also be vulnerable and should upgrade to an Active version where Updates are available.
Security Issue and Potential Impact:
Please review the public information associated with this security vulnerability provided by the National Vulnerability Database located at CVE-2023-34203.
Using a local or remote admin service, a logged-in OpenEdge Management (OEM) or OpenEdge Explorer (OEE) user could perform a URL injection attack to change identity or role membership. Only users that are already authorized members of OEM or OEE user roles were able to perform this exploit. Non-admin role members were able to obtain unauthorized escalation to admin role privileges where unrestricted OEM and OEE capabilities were available to the user.
Resolution:
Patches for supported OpenEdge releases should be applied:
| Vulnerable Version                      | Fixed Version               | Documentation         | Knowledge Base Article |
| OpenEdge LTS Update 11.7.15 and earlier | OpenEdge LTS Update 11.7.16 | Link to Documentation | Knowledge Base Article |
| OpenEdge LTS Update 12.2.11 and earlier | OpenEdge LTS Update 12.2.12 | Link to Documentation | Knowledge Base Article |
| OpenEdge 12.6 and earlier               | OpenEdge 12.7               | Link to Documentation | Knowledge Base Article |
How to Upgrade:
Click here for instructions on how to download your product software and license file. Customers who are not on a current Service Agreement should contact your OpenEdge account representative.
To confirm your current version of OpenEdge, run the “version” command in the “./bin” directory of your OpenEdge root install path ($DLC) or run the “PROVERSION” function from the OpenEdge ABL language.
If you have any questions, concerns, or problems related to this issue, please login to open a new Technical Support case here for assistance or reach out to your application provider. Technical Support is available to OpenEdge customers under warranty and an active Service Agreement.
We want to stress that security is of the utmost importance to us. Progress leverages development practices to minimize product vulnerabilities and we take prompt action to notify you of potential risks. We sincerely apologize for any inconvenience this situation may cause you.
Sincerely,
The Progress OpenEdge Team
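The version check the notice describes, written out as an added example (it is not part of Progress's or Vermont Systems' material): the script reads the output of $DLC/bin/version, or a bare version number, and classifies it against the fixed versions in the table above. The "OpenEdge Release X.Y.Z as of <date>" line format is an assumption, and treating releases after 12.7 as fixed is an inference from the notice rather than something it states.

```sh
#!/bin/sh
# Classify an OpenEdge version against the fixed versions in the
# CVE-2023-34203 notice: 11.7.16, 12.2.12 and 12.7. The argument is the
# output of $DLC/bin/version or a bare version number; the
# "OpenEdge Release X.Y.Z as of <date>" line format is an assumption.
# Numeric X.Y[.Z] versions are handled; anything else reports "unknown".
oe_cve_2023_34203_status() {
    # First whitespace-separated field that looks like a dotted version.
    v=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++)
            if ($i ~ /^[0-9]+\.[0-9]+(\.[0-9]+)*$/) { print $i; exit } }')
    if [ -z "$v" ]; then
        echo "unknown: no version number found"
        return 0
    fi
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;  # third component
        *)   patch=0 ;;                               # e.g. "12.7"
    esac
    case "$major.$minor" in
        11.7) if [ "$patch" -ge 16 ]; then echo "fixed"
              else echo "vulnerable: apply OpenEdge 11.7.16 or later"; fi ;;
        12.2) if [ "$patch" -ge 12 ]; then echo "fixed"
              else echo "vulnerable: apply OpenEdge 12.2.12 or later"; fi ;;
        12.6) echo "vulnerable: upgrade to OpenEdge 12.7" ;;
        *)    # 12.7 and later are treated as fixed (assumption for releases
              # after 12.7); the notice says retired versions may be vulnerable.
              if [ "$major" -gt 12 ] || { [ "$major" -eq 12 ] && [ "$minor" -ge 7 ]; }; then
                  echo "fixed"
              else
                  echo "possibly vulnerable: version not covered by the notice, upgrade to an Active version"
              fi ;;
    esac
    return 0
}

# Run against the real install when $DLC is set, otherwise against a
# constructed sample line in the assumed output format.
if [ -n "${DLC:-}" ] && [ -x "$DLC/bin/version" ]; then
    oe_cve_2023_34203_status "$("$DLC/bin/version")"
else
    oe_cve_2023_34203_status "OpenEdge Release 12.2.11 as of Wed Oct 12 2022"
fi
```

The result only tells you whether the patch is installed; the Authorized Users role check in the Solution section below still decides whether the vulnerability is reachable on your system.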
Solution
You will need to verify whether your organization is at risk by identifying the number of Authorized Users, with a Role other than admin, who are configured in Progress OpenEdge Management.
Note:
Vermont Systems applications are deployed with a single OpenEdge Management admin user role account. If you have not created additional accounts in OpenEdge Management, this security vulnerability poses little risk as it only applies to OpenEdge Management users with non-admin privileges.
Steps For Solution
To determine if this security vulnerability poses a risk to your organization:
- Log in to Progress OpenEdge Management.
- Click the Settings gear icon.
- Select Authorized Users.
- Identify your number of users and their roles:
  - If you have only a single user named admin with a Role of administrator, then this vulnerability cannot currently be exploited on your system.
  - If you have multiple users and all users have a Role of administrator, then this vulnerability cannot currently be exploited on your system.
If you have one or more users listed with a Role other than administrator, then this vulnerability could be exploited on your system, and you should contact Vermont Systems Support and reference CVE-2023-34203 for assistance with loading the necessary Progress Security Patch.