
Okta Active Directory Agent CVE-2022-1697


Description

Okta Active Directory Agent versions 3.8.0 through 3.11.0 installed the Okta AD Agent Update Service using an unquoted path.

Affected product and versions

Okta customers who currently have, or previously had, installed versions 3.8.0, 3.9.0, 3.10.0 or 3.11.0 of the Okta Active Directory Agent.

Resolution

The vulnerability is resolved in Okta Active Directory Agent version 3.12.0. The Okta AD Agent Update Service is not capable of deploying all security enhancements that are introduced in version 3.12.0. To remediate this vulnerability, you must uninstall Okta Active Directory Agent and reinstall Okta Active Directory Agent 3.12.0 or greater per the documentation.


Severity details

To exploit this issue, a local attacker would need Administrator privileges and local access to the Active Directory hosts where this agent is installed. The attacker would then need to determine whether the vulnerable configuration exists and identify the unquoted path. Administrator privileges would be required to introduce malicious software into the unquoted path.
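The advisory's description (an update service registered with an unquoted path) and the severity note (an attacker must first determine whether the vulnerable configuration exists) both come down to one host check: does any service's ImagePath contain spaces without being wrapped in quotes (CWE-428)? The following script is an added example for defenders and is not Okta's code; it uses constructed service entries rather than the real Okta registry values, and the rule that an unquoted executable path ends at the first ".exe" is a heuristic assumed here. On a Windows host it can also read the live ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services so that an administrator can confirm the fix after reinstalling the agent.

```python
"""Audit Windows service ImagePath values for the CWE-428 defect class
(unquoted path containing spaces) described in this advisory."""
from __future__ import annotations

import sys

# Constructed sample entries for demonstration; these are NOT the real
# Okta agent paths. Each maps a service name to its ImagePath value as
# stored under HKLM\SYSTEM\CurrentControlSet\Services\<name>.
SAMPLE_SERVICES = {
    "QuotedVendorSvc": r'"C:\Program Files\Example Vendor\svc.exe" -run',
    "UnquotedUpdateSvc": r"C:\Program Files\Example Vendor\Agent Update\update.exe -service",
    "SystemSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "ArgsWithSpaces": r'C:\Tools\svc.exe --log "C:\Log Dir\svc.log"',
}


def service_executable(image_path: str) -> tuple[str, bool]:
    """Split an ImagePath into (executable path, was_quoted).

    A quoted path ends at the closing quote. For an unquoted path this
    example assumes (heuristic) that the executable ends at the first
    '.exe'; anything after that is treated as arguments.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:end] if end != -1 else s[1:]), True
    idx = s.lower().find(".exe")
    exe = s[: idx + 4] if idx != -1 else s.split(" ", 1)[0]
    return exe, False


def is_vulnerable(image_path: str | None) -> bool:
    """True when the executable portion is unquoted and contains a space."""
    if not image_path:
        return False
    exe, quoted = service_executable(image_path)
    return (not quoted) and (" " in exe)


def lookup_candidates(exe_path: str) -> list[str]:
    """Directories an administrator should ACL-audit for an unquoted path:
    Windows resolves the service binary by trying each space-delimited
    prefix as '<prefix>.exe' before reaching the intended executable."""
    return [exe_path[:i] + ".exe" for i, ch in enumerate(exe_path) if ch == " "]


def scan(services: dict[str, str]) -> list[str]:
    """Return the names of services whose ImagePath is vulnerable."""
    return [name for name, path in services.items() if is_vulnerable(path)]


def read_service_image_paths() -> dict[str, str]:
    """Read ImagePath for every service from the live registry (Windows only)."""
    import winreg  # standard library, available only on Windows

    services: dict[str, str] = {}
    root_path = r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root_path) as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:
                break  # no more subkeys
            i += 1
            try:
                with winreg.OpenKey(root, name) as key:
                    value, _ = winreg.QueryValueEx(key, "ImagePath")
                    services[name] = str(value)
            except OSError:
                pass  # drivers and some services have no ImagePath
    return services


if __name__ == "__main__":
    # Use the real registry on Windows, the constructed sample elsewhere.
    target = read_service_image_paths() if sys.platform == "win32" else SAMPLE_SERVICES
    for name in scan(target):
        exe, _ = service_executable(target[name])
        print(f"[!] {name}: unquoted path with spaces -> {exe}")
        for candidate in lookup_candidates(exe):
            print(f"    audit write ACL on parent of: {candidate}")
    if not scan(target):
        print("No unquoted service paths with spaces found.")
```

Run it before and after the uninstall/reinstall described under Resolution: a service still reported by `scan` means the unquoted registration is still present, and the `lookup_candidates` output names the directories whose write permissions to review while remediation is pending.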

CVE details

CVE ID: CVE-2022-1697
Published Date: 2022-09-01
Vulnerability Type: Unquoted Search Path or Element
CWE: CWE-428
CVSS v3 Score: 3.9
CVSS v3 Vector string: AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L