Learn about CVE-2022-2155 affecting Lumada APM versions 6.0.0.0 - 6.4.0.*, allowing unauthorized access to Power BI reports & asset manipulation. Mitigation steps included.
A vulnerability exists in the Lumada APM User Asset Group feature due to a flaw in the implementation of the access control mechanism for the “Limited Engineer” role.
Understanding CVE-2022-2155
This section will provide detailed insights into CVE-2022-2155.
What is CVE-2022-2155?
A vulnerability in Lumada APM allows unauthorized access to Power BI reports by exploiting the access control flaw on the “Limited Engineer” role.
The Impact of CVE-2022-2155
The vulnerability enables attackers to access unauthorized information and to manipulate asset issue comments.
Technical Details of CVE-2022-2155
This section covers the technical aspects of CVE-2022-2155.
Vulnerability Description
The vulnerability arises from a flaw in the implementation of the access control mechanism and affects Lumada APM versions 6.0.0.0 - 6.4.0.*.
Affected Systems and Versions
Lumada APM versions affected include 6.0.0.*, 6.1.0.*, 6.2.0.*, 6.3.0.*, and 6.4.0.0.
Exploitation Mechanism
Attackers can exploit the vulnerability to gain unauthorized access to embedded Power BI reports and manipulate asset issue comments.
Mitigation and Prevention
This section outlines the mitigation strategies and preventive measures for CVE-2022-2155.
Immediate Steps to Take
For Lumada APM version 6.4.0.*, update to version 6.4.0.1 or upgrade to 6.5.0.0. For versions prior to 6.4.0.0, upgrade to version 6.4.0.1 or newer.
Long-Term Security Practices
Disable the Power BI integration feature if it is not supported, and remove users with the “Limited Engineer” role or assign them to a different role. Apply general mitigation factors as advised.
Patching and Updates
Ensure Lumada APM is updated promptly to the recommended versions listed under Immediate Steps to Take.