Critical CVE Addressed in Secure Access 13.05
Last updated: Nov 15, 2023
Important: Critical Secure Access Server Security Update for ALL Customers
The Publisher component of all versions of Secure Access / NetMotion Mobility prior to v13.05 is affected by CVE-2023-46604 (CVSS 9.8, Critical).
The CVE describes a remote code execution vulnerability in Apache ActiveMQ. Attackers with network access to the Publisher may be able to take control of the Publisher server and gain Windows system-level permissions. In a typical deployment, the most likely attack vector is an insider attack.
For v12.x and v13.x customers: The attack can be mitigated by installing the update and following our recommendations for securely configuring the Secure Access pool.
For v11.x customers: The Analytics module, an optionally licensed feature of Mobility v11.x, is also affected by this CVE. Attackers with network access to the server hosting this feature may be able to gain Windows system permissions.
End of Life for the Analytics module was announced in October of 2020 and took effect in September of 2021. As previously announced, the remaining v11.x product will be End of Life in Feb 2024. Version 11 license holders who are still running the Analytics module should either uninstall the Analytics module or upgrade to version 13.x.
Absolute recommends that customers update their Secure Access servers to 13.05 as soon as possible.
Customers can download the latest Secure Access and Insights for Network from the Download Portal.