Key takeaway: Update now to the latest versions of the IT asset management software. If you can’t, implement GLPI’s recommended mitigation. Attackers are targeting the flaw to execute arbitrary code on insecure servers.
What: Organizations using GLPI’s free, open-source asset and IT management software platform should immediately update to versions 9.5.9 or 10.0.3. GLPI has provided workarounds for organizations that cannot immediately update (link below).
Caution: GLPI has spelt out a recommended method for updating to the latest instances of its software (link below). Failure to follow the prescribed steps could result in the new versions also being impacted.
Why: Attackers are massively exploiting a critical remote code execution vulnerability (CVE-2022-35914) in the GLPI open-source IT asset and service management software. The vulnerability is present in the third-party library htmlawed and enables PHP code injection. Versions of GLPI through 10.0.2 are impacted. GLPI Network Cloud instances are not impacted.
CVE-2022-35914 is one of two bugs that GLPI disclosed in September. The other is CVE-2022-35947, a SQL injection vulnerability that attackers could use to simulate an arbitrary user login. On October 5 GLPI said the RCE bug (CVE-2022-35914) “has been massively exploited since October 3, 2022, to execute code on insecure servers, available on the Internet, hosting GLPI.”
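To turn the version boundaries above into an inventory triage, here is an added example (not GLPI’s own code). It assumes the fixed releases are 9.5.9 on the 9.5 branch and 10.0.3 on the 10.0 branch, treats everything older (through 10.0.2) as affected, treats later branches as carrying the fix, and exempts GLPI Network Cloud instances; the host list is constructed sample data.

```python
"""Triage self-hosted GLPI instances against the CVE-2022-35914 fixed versions."""
from dataclasses import dataclass
import re

# (major, minor) -> first patch release on that branch that carries the fix
# (9.5.9 and 10.0.3 per the advisory; this mapping is an assumption of the example)
FIXED_BRANCHES = {(9, 5): 9, (10, 0): 3}


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn '10.0.2', '9.5.9' or 'v10.0.3-beta' into a comparable (major, minor, patch)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised GLPI version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(version: str, network_cloud: bool = False) -> bool:
    """True when the instance still needs the update or GLPI's workaround."""
    if network_cloud:          # advisory: GLPI Network Cloud instances are not impacted
        return False
    major, minor, patch = parse_version(version)
    first_fixed = FIXED_BRANCHES.get((major, minor))
    if first_fixed is not None:
        return patch < first_fixed
    # Unlisted branches: anything before 10.0 predates the fixes (conservative);
    # anything after is assumed to include them.
    return (major, minor) < (10, 0)


@dataclass
class Host:
    name: str
    version: str
    network_cloud: bool = False


def triage(hosts: list[Host]) -> list[str]:
    """Names of hosts that must be updated (or mitigated per GLPI's workaround)."""
    return [h.name for h in hosts if is_affected(h.version, h.network_cloud)]


INVENTORY = [  # constructed sample inventory, not real hosts
    Host("itsm-prod", "10.0.2"),
    Host("itsm-legacy", "9.5.8"),
    Host("itsm-patched", "9.5.9"),
    Host("itsm-new", "10.0.3"),
    Host("itsm-cloud", "10.0.2", network_cloud=True),
]

if __name__ == "__main__":
    for name in triage(INVENTORY):
        print(f"{name}: update to 9.5.9 / 10.0.3 using GLPI's documented update procedure")
```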
GLPI’s Oct. 5 alert on massive exploit activity targeting the RCE flaw
GLPI’s recommended update method
NVD vulnerability details: CVE-2022-35914; CVE-2022-35947