This issue does not exist with the legacy APM agent. Unauthorized input may include an SSL key of the wrong length. Because of the length check in the code, MCPD terminates if the SSL key is anything but the correct length. One possible mitigation is to disable the length check and make sure the SSL key is entered correctly. A second possible mitigation is to import the SSL key into the system manually.

CVE-2023-4124

The legacy APM agent has a flaw in the code that writes out an SSL key. The data written to the configuration file is not length-checked, so an unauthorized user can write malicious data into the configuration file.
If you are using the legacy agent and have not yet upgraded to the new agent, upgrade your agents as soon as possible.

CVE-2023-41696

This issue does not exist with the legacy APM agent. Because of the length check in the code, MCPD terminates if the SSL key is anything but the correct length. A possible mitigation is to disable the length check and make sure the SSL key is entered correctly.

Timeline

Published on: 10/19/2022 22:15:00 UTC
Last modified on: 10/23/2022 02:10:00 UTC

References