メインコンテンツに移動
SuperDoctor5 Advisory, March 2023

Vulnerability Disclosure:

This disclosure communicates that an external group contacted Supermicro about the potential vulnerability of Supermicro products.

Acknowledgment:

Supermicro would like to acknowledge the work done by the researchers from Synacktiv based in the France for discovering a potential vulnerability in Supermicro SuperDoctor5 (SD5).

Findings:

Researchers have identified a vulnerability in Supermicro SuperDoctor5 (SD5) that may allow any authenticated user on the web interface to remotely execute arbitrary commands on the system where SuperDoctor5 (SD5) is installed.

An authenticated user can edit the log4j.properties file via the debug menu of the web application. Modifying specific parameters in this file allows a remote attacker to execute arbitrary code on the underlying system, as the root user.

CVE:

  • CVE: CVE-2023-26795
  • Severity: High
  • Found: Externally

Affected products:

Supermicro SuperDoctor5 (SD5) version 5.13.0

Solution:

Supermicro released version 5.14.0 that contains the fix to this vulnerability. The latest version 5.16.0 released on 12-05-2022 also contains the fix.