PT-2024-38482 · Progress · Openedge Management

Published: 2024-09-03 · Updated: 2024-09-05 · CVE-2024-7654

CVSS v3.1: 8.3 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenEdge Management versions prior to 12.8.1

Description: The issue concerns an ActiveMQ Discovery service that was reachable by default from an OpenEdge Management installation when the OEE/OEM auto-discovery feature was activated. Unauthorized access to the discovery service's UDP port allowed content injection into parts of the OEM web interface, enabling further attacks that could spoof or deceive users of the web interface.

Recommendations: For OpenEdge Management versions prior to 12.8.1, upgrade the affected component immediately to remediate the unauthorized use of the OEE/OEM discovery service. As a temporary workaround, consider deactivating the discovery service by default until a patch is available. Restrict access to the vulnerable ActiveMQ Discovery service to minimize the risk of exploitation.

Status: Fix

Weakness: XSS

Weakness Enumeration

Related Identifiers: CVE-2024-7654

Affected Products: Activemq, Openedge Management