Progress OpenEdge AdminServer
cpe:2.3:a:progress:openedge:*:*:*:*:*:*:*
- <= 12.2.17
- <= 12.8.9
A vulnerability in the AdminServer component of Progress OpenEdge on all supported platforms allows authenticated users to act on the host with the privileges of the AdminServer process. Specifically, an authenticated user can read arbitrary files on the host system by misusing the setFile() and openFile() methods exposed through the AdminServer's RMI interface. Exploitation requires RMI access to those methods and is bounded by the OS-level permissions of the AdminServer process, which normally runs with elevated rights. The fix removes the vulnerable methods, so they can no longer be reached over RMI.
Successful exploitation lets an authenticated user read files on the host that their own account could not open: the reads are performed by the AdminServer process, so its OS-level file permissions apply rather than the caller's.
Users are advised to upgrade to OpenEdge 12.2.19 or 12.8.11. Customers on a current maintenance agreement can obtain the upgrade through the Progress Community; customers without one should contact their OpenEdge account representative. Note that remote RMI capability in the AdminServer is disabled by default as of OpenEdge 12.2.18 and 12.8.8, so installations that were upgraded to those releases before this issue was addressed already have remote access to the affected methods turned off unless it was explicitly re-enabled. Keep remote RMI disabled unless it is absolutely required.
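As an added triage example (not part of this advisory and not Progress code), the Python below turns the affected ranges and the fix and RMI-default release numbers named on this page into a branch-aware version check. It treats a release that is below the fix but not in the listed affected range as "unlisted" rather than silently calling it safe, and records whether remote RMI is off by default for that build. The function names and the host inventory are constructed for illustration; version strings are assumed to be in the major.minor[.patch] form the page uses.

```python
# Added example (not Progress code): branch-aware triage of OpenEdge installs
# against the AdminServer advisory above. Thresholds are the release numbers
# the advisory names; function names and SAMPLE_INVENTORY are made up.
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]

# Highest release listed as affected on this page, per supported branch.
AFFECTED_MAX: Dict[str, Version] = {"12.2": (12, 2, 17), "12.8": (12, 8, 9)}
# Release that removes the vulnerable setFile()/openFile() RMI methods.
FIXED_IN: Dict[str, Version] = {"12.2": (12, 2, 19), "12.8": (12, 8, 11)}
# Release from which remote RMI in the AdminServer is disabled by default.
RMI_OFF_FROM: Dict[str, Version] = {"12.2": (12, 2, 18), "12.8": (12, 8, 8)}


def parse_version(text: str) -> Version:
    """Parse 'major.minor[.patch]' into a comparable tuple; '12.8' -> (12, 8, 0)."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised OpenEdge version: {text!r}")
    nums = [int(p) for p in parts] + [0]
    return (nums[0], nums[1], nums[2])


@dataclass
class Finding:
    version: str
    branch: str
    status: str               # fixed | vulnerable | unlisted | out_of_scope
    rmi_off_by_default: bool  # remote RMI shipped disabled for this release
    advice: str


def triage(version_text: str) -> Finding:
    v = parse_version(version_text)
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIXED_IN:
        return Finding(version_text, branch, "out_of_scope", False,
                       "branch not covered by this advisory; confirm support status with Progress")
    fixed = FIXED_IN[branch]
    fixed_str = ".".join(map(str, fixed))
    rmi_off = v >= RMI_OFF_FROM[branch]
    if v >= fixed:
        return Finding(version_text, branch, "fixed", rmi_off,
                       "vulnerable RMI methods removed; keep remote RMI disabled anyway")
    if v <= AFFECTED_MAX[branch]:
        return Finding(version_text, branch, "vulnerable", rmi_off,
                       f"upgrade to {fixed_str}; until then make sure remote RMI is disabled")
    # Between the highest listed affected release and the fix: the advisory does
    # not name these builds, so flag them instead of treating them as safe.
    exposure = "remote RMI is off by default here" if rmi_off else "remote RMI may be enabled"
    return Finding(version_text, branch, "unlisted", rmi_off,
                   f"below the fix release {fixed_str} but not in the listed range; "
                   f"{exposure}, verify the setting and plan the upgrade")


def needs_action(inventory: Dict[str, str]) -> List[str]:
    """Return hostnames whose install is not on a fix release, worst first."""
    severity = {"vulnerable": 0, "unlisted": 1, "out_of_scope": 2}
    flagged = [(severity[f.status], host)
               for host, f in ((h, triage(ver)) for h, ver in inventory.items())
               if f.status != "fixed"]
    return [host for _, host in sorted(flagged)]


SAMPLE_INVENTORY = {          # constructed sample data, not real hosts
    "oe-prod-01": "12.8.9",   # listed as affected
    "oe-prod-02": "12.8.11",  # fix release
    "oe-test-01": "12.2.18",  # not listed; RMI off by default but below the fix
    "oe-legacy": "11.7.19",   # outside the branches this advisory covers
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        f = triage(ver)
        print(f"{host:11} {ver:8} {f.status:13} rmi_off_by_default={f.rmi_off_by_default}  {f.advice}")
    print("needs action:", needs_action(SAMPLE_INVENTORY))
```

Running the script prints one line per host and the action list ordered by severity. The "unlisted" bucket is deliberate: the CPE ranges on this page stop at 12.2.17 and 12.8.9 while the fix lands in 12.2.19 and 12.8.11, and a triage tool should surface that gap rather than hide it.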