If you use an on-premises installation of an AEB application and also operate an ACMS, the installation may include the “Web ACMS” web interface module. To prevent exploitation of a recently discovered vulnerability, we recommend renaming or deleting the files listed below.
The Web ACMS interface is an add-on component that allows users and administrators to check details of the data flow without stopping the service. It can therefore be disabled without restricting the basic functionality of ACMS.
Current status as of February 3, 2022:
Meanwhile, the vendor has provided a new version for the Web ACMS component. The vulnerability was fixed with version 2.6. If you have an urgent need to use Web ACMS, submit a request to AEB Support.
Looking back: status as of January 24, 2022:
- The vulnerability has been identified: CVE-2021-44829
We are in contact with our supplier and have received the following proposed solution for the vulnerability in Web ACMS, which you can easily implement:
- Stop ACMS service
- Rename or delete Web ACMS components
- Start ACMS service
Rename or delete Web ACMS:
To do this, open the ACMS directory on the ACMS server:
%ACMS-Verzeichnis%\STD\webacms\html
Save a copy of this directory.
You can delete or rename the following folders and files to stop the Web ACMS service:
- Web ACMS folder
- *index*.html files
- notfound.html file
See screenshot:
The provider has already promised a longer-term solution, and we will provide more details here as soon as AEB receives further information.
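The stop, rename and start steps above can be scripted as follows. This is an added example, not a script from AEB or the vendor. Assumptions: `$ServiceName` is the Windows service name of your ACMS instance (not given in this article), `$WebAcmsFolder` is the folder's name on disk, `$BackupRoot` is a location outside the ACMS directory, and the `.disabled` suffix is arbitrary.

```powershell
# Added example: renames the Web ACMS components so the change can be reverted.
param(
    [Parameter(Mandatory)] [string] $AcmsRoot,     # what the article calls %ACMS-Verzeichnis%
    [Parameter(Mandatory)] [string] $ServiceName,  # assumption: your ACMS Windows service name
    [Parameter(Mandatory)] [string] $BackupRoot,   # assumption: existing folder outside the ACMS tree
    [string] $WebAcmsFolder = 'Web ACMS',          # assumption: folder name as written in the article
    [string] $Suffix = '.disabled'                 # assumption: any suffix that breaks the .html name
)
# Any failure aborts the script and leaves the service stopped for inspection.
$ErrorActionPreference = 'Stop'

$html = Join-Path $AcmsRoot 'STD\webacms\html'
if (-not (Test-Path -LiteralPath $html -PathType Container)) {
    throw "Web ACMS html directory not found: $html"
}
$folder = Join-Path $html $WebAcmsFolder

# Files named by the article: *index*.html and notfound.html
$isTarget = { $_.Name -like '*index*.html' -or $_.Name -eq 'notfound.html' }

# Step 1: stop the ACMS service
Stop-Service -Name $ServiceName

# Save a copy of the directory before changing anything
$backup = Join-Path $BackupRoot ('webacms_html_' + (Get-Date -Format 'yyyyMMdd_HHmmss'))
Copy-Item -LiteralPath $html -Destination $backup -Recurse

# Step 2: rename the folder and the files
$targets = @(Get-ChildItem -LiteralPath $html -File | Where-Object $isTarget)
if (Test-Path -LiteralPath $folder -PathType Container) {
    $targets += Get-Item -LiteralPath $folder
}
foreach ($t in $targets) {
    Rename-Item -LiteralPath $t.FullName -NewName ($t.Name + $Suffix)
    Write-Output "Renamed: $($t.FullName)"
}

# Confirm nothing from the list is still present under its original name
$left = @(Get-ChildItem -LiteralPath $html -File | Where-Object $isTarget)
if ($left.Count -gt 0 -or (Test-Path -LiteralPath $folder)) {
    throw "Web ACMS components still present in $html"
}

# Step 3: start the ACMS service
Start-Service -Name $ServiceName
Write-Output "Done. Backup saved to $backup"
```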
Comments
1 comment
The post on the Web ACMS vulnerability was updated with the current status as of February 3, 2022. In the meantime, a new version from the provider has been released. AEB's recommendation continues to apply: Rename or delete the Web ACMS components, as this will not affect the ACMS functions.