CVE-2024-7345

Direct local client connections to MS Agents can bypass authentication

Description

Local ABL Client bypass of the required PASOE security checks may allow an attacker to commit unauthorized code injection into Multi-Session Agents on supported OpenEdge LTS platforms up to OpenEdge LTS 11.7.18 and LTS 12.2.13 on all supported release platforms

Remediation

Solution:

Use the 12.8.0 or above LTS release where the vulnerability does not exist
Use the 12.2 LTS release at the 12.2.14 Update level or above
Use the 11.7 LTS release at the 11.7.19 Update level or above

Workaround:

Do not put client software on host webserver systems
Ensure the "AppServer.SessMgr.agentHost" property is set to "localhost" unless you are multi-hosting a single Webserver system
Block agent listening ports from network access anywhere with the exception of the PASOE Tomcat Webserver's published listening port
Launch PASOE agent processes with "least privilege" system resource capabilities

References

Link	Tags
https://community.progress.com/s/article/Direct-local-client-connections-to-MS-Agents-can-bypass-authentication	mitigation vendor advisory

Frequently Asked Questions

What is the severity of CVE-2024-7345?: CVE-2024-7345 has been scored as a high severity vulnerability.
How to fix CVE-2024-7345?: To fix CVE-2024-7345: Use the 12.8.0 or above LTS release where the vulnerability does not exist
Is CVE-2024-7345 being actively exploited in the wild?: As for now, there are no information to confirm that CVE-2024-7345 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-7345?: CVE-2024-7345 affects Progress OpenEdge.

Description

Remediation

Category

CWE-94 – Improper Control of Generation of Code ('Code Injection')

References

Frequently Asked Questions