This document describes the position of Product Sustaining relative to the support of a branded application.
Overview
This document addresses concerns about the TIE Server and the vulnerability listed below.
Description
CVE-2022-24407: In Cyrus SASL 2.1.17–2.1.27, plugins/sql.c does not escape the password for an SQL INSERT or UPDATE statement.
(Source: National Vulnerability Database)
Research and Conclusions
The TIE Server engineering team has reviewed the vulnerability CVE-2022-24407 and determined that it applies to the TIE Server.
Resolution
Upgrade Cyrus SASL to cyrus-sasl-lib-2.1.23-17.
NOTE: Cyrus SASL 2.1.23-17 is the latest version available for MLOS2.
- On the TIE server, open a command-line session as administrator.
- Download the cyrus-sasl-lib RPM package (cyrus-sasl-lib-2.1.23-17.mlos2.x86_64.rpm) to the TIE Server.
- To view the current cyrus sasl library version installed, type the command below and press ENTER:
rpm -qa | grep -i Cyrus
- Upgrade the TIE Server to cyrus-sasl-lib-2.1.23-17 using the command below:
rpm -Uvh cyrus-sasl-lib-2.1.23-17.mlos2.x86_64.rpm
- To verify that the cyrus version is installed correctly, use the command below:
rpm -qa | grep -i Cyrus
NOTE: The expected version is 2.1.23-17.
- Restart the TIE server using the command below:
service tieserver restart
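As an added example that is not part of the original article, the POSIX shell check below parses rpm -qa output and reports whether the installed cyrus-sasl-lib meets the fixed version-release 2.1.23-17, which replaces the eyeball check in the verification step. It assumes sort -V is available; the older release numbers in the constructed sample lines are made up for illustration.

```shell
#!/bin/sh
# Added example: confirm that cyrus-sasl-lib on a TIE Server is at or above
# the fixed version-release named in the advisory. Reads `rpm -qa` output
# from stdin so it can also be run offline against a saved listing.

REQUIRED_VR="2.1.23-17"   # version-release from the advisory

# Constructed sample listings (not captured from a real host): the first
# release number (-13) is invented; the second is the advisory's fixed build.
SAMPLE_OLD="cyrus-sasl-lib-2.1.23-13.mlos2.x86_64"
SAMPLE_FIXED="cyrus-sasl-lib-2.1.23-17.mlos2.x86_64"

# Extract "version-release" from one rpm -qa line, e.g.
# cyrus-sasl-lib-2.1.23-17.mlos2.x86_64 -> 2.1.23-17. Prints nothing for
# other packages, including cyrus-sasl-lib-devel or cyrus-sasl-plain.
sasl_lib_vr() {
    printf '%s\n' "$1" |
        sed -n 's/^cyrus-sasl-lib-\([0-9][0-9.]*-[0-9][0-9]*\)\..*$/\1/p'
}

# Return 0 when installed ($1) >= required ($2). sort -V compares the
# numeric fields, so 2.1.23-17 correctly sorts above 2.1.23-9.
vr_at_least() {
    lower=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lower" = "$2" ]
}

# Read rpm -qa output from stdin. Return 0 if a compliant cyrus-sasl-lib
# is installed, 1 if it is missing or older than required.
check_rpm_qa() {
    while IFS= read -r line; do
        vr=$(sasl_lib_vr "$line")
        [ -n "$vr" ] || continue
        if vr_at_least "$vr" "$REQUIRED_VR"; then
            echo "OK: cyrus-sasl-lib $vr (>= $REQUIRED_VR)"
            return 0
        fi
        echo "FAIL: cyrus-sasl-lib $vr is older than $REQUIRED_VR"
        return 1
    done
    echo "FAIL: cyrus-sasl-lib is not installed"
    return 1
}

# Live use on the TIE Server: rpm -qa | sh check_sasl.sh
# Offline demonstration against the constructed samples:
printf '%s\n' "$SAMPLE_OLD"   | check_rpm_qa   # FAIL (older release)
printf '%s\n' "$SAMPLE_FIXED" | check_rpm_qa   # OK
```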