Mail Notification Service CVE-2022-38658

Hi Team,

Can someone please help me understand what needs to be done for the BigFix vulnerability:

FW: Vulnerability Communication : HCL BigFix Server Automation affected with information disclosure vulnerability(CVE-2022-38658)

Would updating the site to version 1475 resolve the issue, or do some other patches need to be installed?

In order to address this CVE you need to update the BigFix platform to version 10.0.8. Security Bulletin: HCL BigFix Platform is affected by multiple security vulnerabilities - Customer Support

Do you mean the BigFix console upgrade? My current version is 10.0.7.52 … Is this upgrade still required?

Not just the console. At a minimum, you need to upgrade the root server / web reports and the console to version 10.0.8. Ultimately, you will want to upgrade all of the core infrastructure (root server, console, relays, clients, webUI) to version 10.0.8.

The following documentation might help you – https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Installation/c_upgrading1.html

Hi @vishal … my apologies. The BES Support site (version 1475) update to address this CVE was released at the same time as the 10.0.8 platform release, so I got things mixed up. I’m requesting clarification as to whether the 3.2.2 release of the Notification Service addresses this issue (you might have to upgrade the service - however, that was back in May) or whether a simple site update takes care of it.

Sorry, I am confused now. Could you please let me know which service needs to be updated and how … Let me know if I need to raise a case with HCL to find out the solution.

Still waiting on clarification from dev.

Assuming you’ve gathered the latest site (#1475, which it sounds like you have), and if either task #2238 - Install Latest Notification Service (SHA256) or task #2241 - Install Latest Notification Service (sha256 - RHEL) is relevant, then you’ll need to update the Notification Service by taking action on the appropriate task.

When doing so you’ll need to enter a passphrase in the configuration panel in the Description field in order to proceed. This is documented here:
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/sa_commonnotification.html