Network security company SonicWall on Friday rolled out fixes to mitigate a critical SQL injection (SQLi) vulnerability impacting its Analytics On-Prem and Global Management System (GMS) products.
The vulnerability, tracked as CVE-2022-22280, is rated 9.4 for severity on the CVSS scoring system and stems from what the company describes as an “improper neutralization of special elements” used in an SQL command that could lead to an unauthenticated SQL injection.
“Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data,” MITRE notes in its description of SQL injection.
“This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands.”
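The MITRE description above is the whole mechanism of CVE-2022-22280's bug class: a quote character in user input stops being data and becomes SQL syntax. The following Python example, added here and not taken from SonicWall's products or from THN, puts a vulnerable login query next to its parameterised counterpart against a constructed in-memory SQLite table (the `users` schema, the credentials and the `admin'--` input are all assumptions for illustration) and shows that the same input changes query logic in one and stays inert data in the other.

```python
import sqlite3


def build_db():
    """Constructed sample database; the schema and rows are invented for this demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "correct-horse", "admin"), ("alice", "s3cret", "viewer")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Improper neutralization (CWE-89): input is spliced into the SQL text,
    so a quote inside the input closes the string literal and the remainder
    is parsed as SQL rather than treated as ordinary user data."""
    query = (
        "SELECT role FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the inputs as values, so their
    characters can never be interpreted as SQL syntax. This removes the bug
    class; a WAF in front of the application only reduces how often it is hit."""
    query = "SELECT role FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants with a legitimate login and with a constructed input
    whose trailing '--' turns the rest of the vulnerable query into a comment,
    so the password check is never evaluated."""
    conn = build_db()
    crafted_username = "admin'--"
    return {
        "legit_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "crafted_vulnerable": login_vulnerable(conn, crafted_username, "anything"),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
        "crafted_safe": login_safe(conn, crafted_username, "anything"),
    }


if __name__ == "__main__":
    for name, role in demo().items():
        print(f"{name}: {role}")
```

In the vulnerable variant the crafted username yields the `admin` role without a valid password, because the query logic itself was altered; in the parameterised variant the same string is simply a username that does not exist and the lookup returns nothing. The fix is the query shape, not input filtering, which is why SonicWall's own guidance treats a WAF as a likelihood reducer rather than a workaround.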
H4lo and Catalpa of DBappSecurity HAT Lab have been credited with discovering and reporting the flaw, which affects 2.5.0.3-2520 and earlier versions of Analytics On-Prem as well as all versions of GMS prior to and including 9.3.1-SP2-Hotfix1.
Organizations relying on vulnerable appliances are advised to upgrade to Analytics 2.5.0.3-2520-Hotfix1 and GMS 9.3.1-SP2-Hotfix-2.
“There is no workaround available for this vulnerability,” SonicWall said. “However, the likelihood of exploitation may be significantly reduced by incorporating a Web Application Firewall (WAF) to block SQLi attempts.”