CVE-2022-27907 Sonatype Nexus Repository Manager 3.x before 3.38.0 allows SSRF.

This can be exploited by attackers to access and control other applications on the same server via the Service Manager interface. This issue has been addressed by deprecating the Service Manager SSRF interface. You can avoid this issue by upgrading to the latest version of Nexus Repository Manager 3.x.

Impossible to connect to users' session after upgrade to XE version.

Users cannot connect to their sessions after upgrading to the XE version. This issue can occur because the default SSL port changed from 443 to 8443 in the XE version. To resolve it, change the port on your server from 8443 to 443. The new port for XE is 443, not 8443. To change the port, follow the steps at this link: https://support.citrix.com/article/en-us/self-troubleshooting-maintenance-updates?hl=upgrading-to-x/

How do I manually check for updates?

To manually check your Citrix server for updates, follow the steps below:
1. Open an elevated command prompt (run as administrator) on the machine that hosts your Citrix server.
2. Navigate to the following folder: C:\Program Files (x86)\Citrix\Receiver Store\SSRServiceBase\XE\Updates
3. Run the following command to check whether there are any updates available for you:
Update-Receiver-Xe -Server

Upgrade to latest version of Citrix Provisioning Service


Other Known Issues

This release includes fixes for the following issues:

- CVE-2019-5110: A vulnerability in the MSI installer that could lead to arbitrary code execution.
- CVE-2022-27907: An SSRF issue with Service Manager that allows attackers to access other applications on the same server via the Service Manager interface.
- CVE-2020-4083: An SSRF issue in XConfigurator that allows attackers to access other applications on the same server via the XConfigurator interface.
