The following notice reached us today from the vendor Ipswitch | Progress:
The Progress Ipswitch team recently discovered multiple security vulnerabilities in MOVEit Transfer:
- Multiple SQL Injection vulnerabilities impacting MOVEit Transfer versions 2018 SP2 (10.2 prior to 10.2.6), 2019.0 (11.0 prior to 11.0.4) and 2019.1 (11.1 prior to 11.1.3).
  - Impact: This could allow an unauthenticated attacker to gain unauthorized access to the MOVEit Transfer database.
  - Exceptions: MOVEit Transfer versions prior to 2018 SP2 (10.2) are not affected by this vulnerability. MOVEit Transfer 2019.2 is also not affected by this vulnerability.
- An Improper Authentication vulnerability impacting MOVEit Transfer 2019.1 (11.1 prior to 11.1.3).
  - Impact: This could allow an attacker to sign in without full credentials if the MySQL database is being used.
  - Exceptions: MOVEit Transfer versions prior to 2019.1 (11.1) are not affected by this vulnerability, nor are installs of 2019.1 that do not use the MySQL database engine. MOVEit Transfer 2019.2 is also not affected by this vulnerability.
Customers using the MOVEit Cloud service are not affected by either of these vulnerabilities and do not need to take action. Customers using any of the MOVEit Transfer versions listed above are strongly recommended to upgrade their MOVEit Transfer implementations as detailed in these Knowledge Base articles:
Improper Authentication: https://community.ipswitch.com/s/article/SFTP-Auth-Vulnerability
We have addressed both of these issues and have made version-specific hotfixes available for customers to remediate them. As an important partner, you are receiving this pre-notification to allow time for you to review the issues addressed in the patches and adequately prepare for assisting customers. A similar customer communication is being sent out in 2 days.
If you have any questions about this, you are welcome to reach us by phone at +49 6431-59870-0 or by e-mail at firstname.lastname@example.org.