Mender blog

CVE-2022-29555 & CVE-2022-29556 - vulnerabilities in iot-manager and deviceconnect

We recently discovered two vulnerabilities in Mender, thanks to the security researchers April Chaire, Jeff Hofmann, Joey Perme, Nathaniel Singer and Matteo Tarbet, and we have now fixed them.

The deviceconnect microservice in Mender before version 3.2.2 allows Cross-Origin WebSocket Hijacking. The vulnerability is present in the following versions of the product: 2.6.x, 2.7.x, 3.0.x, 3.1.x, 3.2.0, 3.2.1. The vulnerability was patched in Mender 3.2.2. In the official public CVE registry, the issue's ID is CVE-2022-29555.

The iot-manager microservice Mender before version 3.2.2 allows SSRF because the Azure IoT Hub integration provides several SSRF primitives that can execute cross-tenant actions via internal API endpoints. The vulnerability is present in the following versions of the product: 3.2.0, 3.2.1. The vulnerability was patched in Mender 3.2.2. In the official public CVE registry, the issue's ID is CVE-2022-29556.

The security of the Mender product and our users is something we take very seriously. We will continue to look for, fix and responsibly disclose serious weaknesses in our product(s). If you have any questions or concerns, please get in touch with the Mender support if you have a support contract or email security@northern.tech.

Recent articles

Protecting patients in a connected healthcare world: Secure OTA updates for IoMT

Protecting patients in a connected healthcare world: Secure OTA updates for IoMT

Securely manage IoMT devices with medical-grade OTA updates to enhance patient outcomes and ensure regulatory compliance in the rapidly growing connected healthcare sector.
Over-the-air update strategies for Raspberry Pi-based embedded systems

Over-the-air update strategies for Raspberry Pi-based embedded systems

Discover effective OTA update strategies for Raspberry Pi-based embedded systems using Mender, focusing on system-level and application-level updates for reliability and efficiency.
How OTA updates reduce automotive recalls: A cost-saving strategy for software-defined vehicles

How OTA updates reduce automotive recalls: A cost-saving strategy for software-defined vehicles

OTA updates help automotive manufacturers cut recall costs, prevent software-related defects, and protect brand reputation.
View more articles

Learn why leading companies choose Mender

Discover how Mender empowers both you and your customers with secure and reliable over-the-air updates for IoT devices. Focus on your product, and benefit from specialized OTA expertise and best practices.

 
sales-pipeline_295756365