CVE-2022-29555 and CVE-2022-29556 - vulnerabilities in iot-manager and deviceconnect

We recently discovered two vulnerabilities in Mender, thanks to the security researchers April Chaire, Jeff Hofmann, Joey Perme, Nathaniel Singer and Matteo Tarbet, and we have now fixed them.

The deviceconnect microservice in Mender before version 3.2.2 allows Cross-Origin WebSocket Hijacking. The vulnerability is present in the following versions of the product: 2.6.x, 2.7.x, 3.0.x, 3.1.x, 3.2.0, 3.2.1. The vulnerability was patched in Mender 3.2.2. In the official public CVE registry, the issue's ID is CVE-2022-29555.

The iot-manager microservice Mender before version 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant actions via internal API endpoints. The vulnerability is present in the following versions of the product: 3.2.0, 3.2.1. The vulnerability was patched in Mender 3.2.2. In the official public CVE registry, the issue's ID is CVE-2022-29556.

The security of the Mender product and our users is something we take very seriously. We will continue to look for, fix and responsibly disclose serious weaknesses in our product(s). If you have any questions or concerns, please get in touch with the Mender support if you have a support contract or email security@northern.tech.

Recent articles

How over-the-air (OTA) updates help emergency response teams

How over-the-air (OTA) updates help emergency response teams

There’s no getting around it—we live in a connected world where almost every industry is dependent on the Internet of Things (IoT).
What’s hot in the open source and embedded community?

What’s hot in the open source and embedded community?

AI, robotics, IoT, AVs, and more – 2024 is proving to be an exciting year for technology. And the open source and embedded tech community is no exception.
How to use over-the-air (OTA) updates & NVIDIA Jetson Microservices

How to leverage over-the-air (OTA) updates with NVIDIA Microservices for Jetson

Mender, in collaboration with NVIDIA, published two critical use cases, providing a step-by-step guide to over-the-air (OTA) updates with NVIDIA Jetson.
View more articles

Learn more about Mender

Explore our Resource Center to discover more about how Mender empowers both you and your customers with secure and reliable over-the-air updates for IoT devices.

 
sales-pipeline_295756365