Note: Object First will continue to update this vulnerability as new information becomes available.
This vulnerability is related to the Object First Ootbi BETA version, which is not released for production and therefore has no impact on the production environment. The production-ready Object First Ootbi version will have this vulnerability fixed.
Management protocol has a flow which allows a remote attacker to execute arbitrary Bash code with root privileges. The command which sets hostname doesn’t validate input parameters.
As a result, arbitrary data goes directly to the Bash interpreter. An attacker should know the credentials to exploit this vulnerability.
|CVE||CVSS 3.x Score||Vector|
Object First Ootbi BETA build 18.104.22.1682
Not affected versions:
Object First Ootbi 22.214.171.12443
Software Versions and Fixes
Fixed in Object First Ootbi BETA build 126.96.36.1991
Update to Object First Ootbi BETA build 188.8.131.521 or higher
Obtaining Software Fixes
Software updates will be available in Object First Update Manager. You can contact Support directly via email at email@example.com or via phone at +1 800 6657145.
Status of Notice
Object First will continue to update information regarding this vulnerability as new details become available.
This vulnerability article should be considered as the single source of current, up-to-date, authorized and accurate information posted by Object First Software.
|1.0||2022-10-24||Initial Public Release and Final Status|
|2.0||2022-11-08||Added CVE number and NVD reference|
|3.0||2023-02-06||Added Beta note|
|4.0||2023-03-08||Adjusted build and product names|