Register for our upcoming webinar: Making Veeam Backups Secure >>>

CVE-2022-44794 Remote code execution vulnerability in Object First

Note: Object First will continue to update this vulnerability as new information becomes available.

Date: 2022-10-24

Status: Final

CVEs: CVE-2022-44794

Important note:

This vulnerability is related to the Object First Ootbi BETA version, which is not released for production and therefore has no impact on the production environment. The production-ready Object First Ootbi version will have this vulnerability fixed.

Summary

Management protocol has a flow which allows a remote attacker to execute arbitrary Bash code with root privileges. The command which sets hostname doesn’t validate input parameters.

Impact 

As a result, arbitrary data goes directly to the Bash interpreter. An attacker should know the credentials to exploit this vulnerability.

Vulnerability Scoring

CVECVSS 3.x ScoreVector
CVE-2022-447948.8 (HIGH) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

 

References

ResourceHyperlink
NIST NVDhttps://nvd.nist.gov/vuln/detail/CVE-2022-44794

Affected Versions:

Object First Ootbi BETA build 1.0.7.712

Not affected versions:

Object First Ootbi 1.3.22.3043

Software Versions and Fixes

Fixed in Object First Ootbi BETA build 1.0.13.1611

Workaround

Update to Object First Ootbi BETA build 1.0.13.1611 or higher

Obtaining Software Fixes 

Software updates will be available in Object First Update Manager. You can contact Support directly via email at support@objectfirst.com or via phone at +1 800 6657145.

Status of Notice

Final

Object First will continue to update information regarding this vulnerability as new details become available.

This vulnerability article should be considered as the single source of current, up-to-date, authorized and accurate information posted by Object First Software.

Revision History 

Revision #DateComments
1.02022-10-24Initial Public Release and Final Status
2.02022-11-08Added CVE number and NVD reference
3.02023-02-06Added Beta note
4.02023-03-08Adjusted build and product names