White Oak Security discovered an instance of Fishbowl Inventory that was vulnerable to a Java deserialization vulnerability, resulting in unauthenticated remote code execution. CVE-2022-29805 has been published for this vulnerability. This issue has been remediated as of release 2022.4.1.

Disclosure Timeline

Before we dive into the details, we want to give our thanks to the Fishbowl Inventory support and development team for their constant communication providing updates while disclosing this issue. Fishbowl Inventory responded promptly to the original disclosure request and resolved the issue in a timely manner, which is a very refreshing and mature response from the organization. From our perspective, Fishbowl Inventory is doing everything right in this regard and we hope other organizations follow their lead.

White Oak Security followed responsible disclosure guidelines by giving Fishbowl Inventory time to remediate this vulnerability and allow customers ample time to patch their instances.

4/7/22: Attempted to contact Fishbowl Inventory via online support ticket.
4/8/22: Received contact from Fishbowl Inventory. Disclosed vulnerability documentation via the support ticket.
4/12/22: Received confirmation that the vulnerability details have been transferred to the development team.
4/13/22: Development team confirms that the vulnerability is valid and they are working on a solution.
4/25/22: Patch released to the general public with version 2022.4.1.
8/18/22: White Oak Security publicly discloses the finding according to our vulnerability disclosure policy.

Fishbowl Inventory Overview

Fishbowl Inventory is an inventory management system that helps organize product inventory with accounting integrations and other necessary workflows. The application consists of a web server, inventory server, and desktop application to interact with the servers and perform the business logic. Using Shodan, the Fishbowl Server can be found exposed on the internet on a handful of servers. As specified within the support library article below, the Fishbowl Server on port 28192 is exposed during default installations (1). The Fishbowl Server establishes a web server on 80/443 and a TCP Socket Server listening on port 28192 by default. Therefore, it is reasonable to assume that every internet-facing instance of Fishbowl, in its default configuration without additional firewall rules, would have been vulnerable to this exploit. White Oak Security confirmed that the vulnerable port (28192) was exposed on several hosts; however, White Oak Security did not attempt exploitation against any internet-facing host.
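As an added defensive example (not code from the White Oak Security write-up or from Fishbowl), the following Python scans constructed firewall log lines for accepted TCP connections to the default Fishbowl socket port 28192 from addresses outside the private ranges, which is the exposure condition the overview describes. The log line format, the sample addresses and the function names are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Fishbowl Server default described in the write-up: the TCP Socket Server
# on 28192 (the port affected by CVE-2022-29805); web traffic is on 80/443.
FISHBOWL_SOCKET_PORT = 28192

# Addresses treated as internal LAN clients (RFC 1918, loopback, link-local).
# Defined explicitly because ipaddress.is_private also classes the
# documentation ranges used in the sample below as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample log in an assumed simplified firewall format:
# "<ts> <ALLOW|DENY> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
# (203.0.113.x / 198.51.100.x / 192.0.2.x stand in for internet sources).
SAMPLE_LOG = """\
2022-04-20T10:01:02Z ALLOW TCP 10.20.30.40:51512 -> 10.0.0.5:28192
2022-04-20T10:01:05Z ALLOW TCP 203.0.113.17:44021 -> 10.0.0.5:28192
2022-04-20T10:02:11Z ALLOW TCP 198.51.100.9:60001 -> 10.0.0.5:443
2022-04-20T10:03:40Z ALLOW TCP 203.0.113.17:44022 -> 10.0.0.5:28192
2022-04-20T10:04:00Z DENY TCP 192.0.2.8:33333 -> 10.0.0.5:28192
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_external_socket_access(log_text, port=FISHBOWL_SOCKET_PORT):
    """Return {external_src_ip: count} of ALLOWed TCP connections to `port` from
    non-internal addresses: evidence the socket server is reachable from the
    internet rather than only from LAN desktop clients."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["action"] != "ALLOW" or rec["proto"] != "TCP":
            continue
        if int(rec["dport"]) != port:
            continue
        src = ipaddress.ip_address(rec["src"])
        if any(src in net for net in INTERNAL_NETS):
            continue  # LAN clients are expected for the desktop application
        hits[rec["src"]] += 1
    return dict(hits)
```

Run against real firewall or flow exports, any non-empty result for port 28192 means the instance should be firewalled to the LAN and confirmed to be on 2022.4.1 or later.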