CVE-2021-38135

8.6 HIGH

📋 TL;DR

CVE-2021-38135 is an External Service Interaction vulnerability in OpenText iManager that allows attackers to force the application to interact with arbitrary external services. This could lead to server-side request forgery (SSRF) attacks, potentially exposing internal systems or enabling further exploitation. Organizations running iManager 3.2.6.0000 are affected.

💻 Affected Systems

Products:
  • OpenText iManager
Versions: 3.2.6.0000
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of the affected version are vulnerable regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the iManager server, data exfiltration, lateral movement to internal systems, and potential ransomware deployment.

🟠 Likely Case: Unauthorized access to internal services, information disclosure from internal endpoints, and potential credential harvesting.

🟢 If Mitigated: Limited impact with proper network segmentation and egress filtering, potentially only denial of service against external services.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires understanding of iManager's API endpoints and external service interaction mechanisms.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.2.6.0000 with patch or later versions

Vendor Advisory: https://www.netiq.com/documentation/imanager-32/imanager326_releasenotes/data/imanager326_releasenotes.html

Restart Required: Yes

Instructions:

1. Download the latest patch from OpenText support portal
2. Backup current iManager installation
3. Apply the patch according to vendor instructions
4. Restart iManager services
5. Verify the fix by testing the vulnerability

🔧 Temporary Workarounds

  • Network Segmentation (all): Restrict the iManager server's outbound network access to only the external services it requires.
  • Input Validation (all): Implement strict input validation on all user-controlled parameters that could trigger external requests.

🧯 If You Can't Patch

  • Implement strict network egress filtering to limit iManager's outbound connections
  • Deploy web application firewall (WAF) rules to detect and block SSRF patterns

🔍 How to Verify

Check if Vulnerable:

Check iManager version via admin console or by examining installation files. Version 3.2.6.0000 without patches is vulnerable.

Check Version:

Check iManager web interface or consult installation documentation for version information

Verify Fix Applied:

Test the specific API endpoints that allow external service interaction to ensure they properly validate and restrict target URLs.

📡 Detection & Monitoring

Log Indicators:

  • Unusual outbound HTTP requests from iManager server
  • Requests to internal IP addresses from iManager
  • Failed external service connection attempts

Network Indicators:

  • iManager server making unexpected outbound connections
  • Requests to unusual domains or internal addresses

SIEM Query:

source="imanager" AND (dest_ip=private_network OR dest_domain NOT IN allowed_domains)
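The SIEM query above is pseudo-syntax. As an added example (not from this page or from the vendor), the same detection logic is implemented below as a Python filter over constructed outbound-connection log lines: it flags destinations that are private, loopback or link-local addresses, hostnames outside an egress allowlist, and failed connection attempts. The log line format, the field names and the allowlist are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample log lines (not real iManager output); the format is assumed.
SAMPLE_LOG = """\
2021-08-10T10:01:02Z imanager outbound dest=https://updates.example.com/feed status=200
2021-08-10T10:01:05Z imanager outbound dest=http://10.0.0.5:8080/admin status=200
2021-08-10T10:01:09Z imanager outbound dest=http://169.254.169.254/latest/meta-data/ status=200
2021-08-10T10:01:12Z imanager outbound dest=https://attacker-controlled.example.net/collect status=0
2021-08-10T10:01:15Z imanager outbound dest=https://updates.example.com/feed status=0
"""

# Assumed egress allowlist: the external hosts iManager legitimately needs to reach.
ALLOWED_DOMAINS = {"updates.example.com"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) imanager outbound dest=(?P<dest>\S+) status=(?P<status>\d+)$"
)


def is_internal_address(host):
    """True when host is a literal IP in private, loopback or link-local space."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return ip.is_private or ip.is_loopback or ip.is_link_local


def classify(line):
    """Return a finding dict for one log line, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    host = urlsplit(m["dest"]).hostname or ""
    reasons = []
    if is_internal_address(host):
        reasons.append("private_or_internal_destination")  # dest_ip=private_network
    elif host not in ALLOWED_DOMAINS:
        reasons.append("domain_not_allowlisted")  # dest_domain NOT IN allowed_domains
    if m["status"] == "0":
        reasons.append("connection_failed")  # failed external connection attempt
    return {"ts": m["ts"], "host": host, "reasons": reasons}


def find_suspicious(log_text):
    """Every parsed line that has at least one reason to alert, in log order."""
    return [r for r in map(classify, log_text.splitlines()) if r and r["reasons"]]
```

A hostname that resolves to an internal address is not caught by the IP check alone, so pair this with resolver logs or an egress proxy that enforces the allowlist.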
