Mail Notification Service CVE-2022-38658

vishal 2023-01-09 09:08:08 UTC #1

Hi Team ,

can some one pls help me to know what need to do for Big fix vunerability -

FW: Vulnerability Communication : HCL BigFix Server Automation affected with information disclosure vulnerability(CVE-2022-38658)

Whether updating site to version - 1475 would resolve the issue or some other patches need to be installed ?

Content Modification: Updates for Windows Applications published 2022-12-30

dmccalla 2023-01-09 15:38:01 UTC #2

In order to address this CVE you need to update the BigFix platform to version 10.0.8. https://support.hcltechsw.com/csm?id=kb_article&sysparm_article=KB0102049

vishal 2023-01-09 16:39:02 UTC #3

Do you mean by Big fix console upgrade ? my current version is 10.0.7.52 … Is this still required upgrade ?

dmccalla 2023-01-09 17:22:04 UTC #4

Not just the console. At a minimum, you need to upgrade the root server / web reports and the console to version 10.0.8. Ultimately, you will want to upgrade all of the core infrastructure (root server, console, relays, clients, webUI) to version 10.0.8.

The following documentation might help you – https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Installation/c_upgrading1.html

dmccalla 2023-01-09 20:21:42 UTC #5

HI @vishal … my apologies. The BES Support site (version 1475) update to address this CVE was released at the same time as the 10.0.8 platform release. So I got things mixed up. I’m requesting clarification as to whether or not the 3.2.2 release of the Notification Service addresses this issue (you might have to upgrade the service - however it was back in May) or a simple site update takes care of it.

vishal 2023-01-10 09:10:28 UTC #6

Sorry , I am confused now . Could you pls let me know what service need to be updated and how … Let me know if need to raise a case with HCL to find out the solution .

dmccalla 2023-01-10 14:01:18 UTC #7

Still waiting on clarification from dev.

dmccalla 2023-01-10 16:23:57 UTC #8

Assuming you’ve gathered the latest site (#1475 - which it sounds like you have) and if either task # 2238 - Install Latest Notification Service (SHA256) or task # 2241 - Install Latest Notification Service (sha256 - RHEL) are relevant, then you’ll need to update the Notification Service by taking action on the appropriate task.

When doing so you’ll need to enter a passphrase in the configuration panel in the Description field in order to proceed. This is documented here:
https://help.hcltechsw.com/bigfix/10.0/platform/Platform/Config/sa_commonnotification.html