PT-2020-12895 · Micro Focus · Service Management Automation+6
Published: 2020-10-22 · Updated: 2022-11-16 · CVE-2020-11853
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Operation Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.6x, 10.1x and older versions
Application Performance Management versions 9.51, 9.50, 9.40 with uCMDB 10.33 CUP 3
Data Center Automation version 2019.11
Operations Bridge (containerized) versions 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11
Universal CMDB versions 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30
Hybrid Cloud Management version 2020.05
Service Management Automation versions 2020.5, 2020.02
Description
An arbitrary code execution vulnerability affects multiple Micro Focus products. It is related to the deserialization of untrusted data in various services, including PackageFacadeForGui, LocationService, MultiTenancyService, WatchServerAPI, ImpactService, SAMDownloadServlet, ServiceDiscoveryService, MailService, CMSImagesService, GenericAdapterService, CITService, TopologyService, AutomationMappingService, FoldersFacade, RegistrationServlet, SnapshotService, BusinessModelFacadeForGui, DataAcquisitionService, BundleService, CategoryFacadeForGui, CIService, PatternService, CorrelationRunnerFacade, HistoryService, LicensingService, RelatedCIsService, ClassModelService, LDAPService, ResourceManagementService, SecurityService, PermissionsService, SchedulerFacadeForGui, SchedulerService, DiscoveryService, CmdbOperationExecuterService, CommonService, SoftwareLibraryService, CorrelationFacadeForGui, FolderService, and ReportService.
Recommendations
Operation Bridge Manager versions 2020.05, 2019.11, 2019.05, 2018.11, 2018.05, 10.6x, 10.1x and older versions: Update to a version that is not affected by this issue.
Application Performance Management versions 9.51, 9.50, 9.40 with uCMDB 10.33 CUP 3: Update to a version that is not affected by this issue.
Data Center Automation version 2019.11: Update to a version that is not affected by this issue.
Operations Bridge (containerized) versions 2019.11, 2019.08, 2019.05, 2018.11, 2018.08, 2018.05, 2018.02, 2017.11: Update to a version that is not affected by this issue.
Universal CMDB versions 2020.05, 2019.11, 2019.05, 2019.02, 2018.11, 2018.08, 2018.05, 11, 10.33, 10.32, 10.31, 10.30: Update to a version that is not affected by this issue.
Hybrid Cloud Management version 2020.05: Update to a version that is not affected by this issue.
Service Management Automation versions 2020.5, 2020.02: Update to a version that is not affected by this issue.
As a temporary workaround, consider disabling the deserialization of untrusted data in the affected services until a patch is available.
Affected Products
IBM Application Performance Management
Data Center Automation
Hybrid Cloud Management
Operation Bridge Manager
Operations Bridge
Service Management Automation
HP Universal CMDB