Security subsidiary SonicWall has issued patches to fix a critical structured query language command injection (SQLi) vulnerability in two of its products, advising organisations to patch immediately.
SonicWall
The affected products are SonicWall Global Management System (GMS), and the on-premises version of the Analytics traffic data analyser.
GMS can centrally manage SonicWall firewall, wireless, email security, secure remote access and X-Series solutions from a single console, the company said.
SQLi is a trivial-to-exploit vulnerability that allows attackers to issue queries to the database backend for websites, resulting in unauthorised actions and information leakage.
SonicWall said the vulnerability "results in an improper neutralisation of special elements used in an SQL command."
No workarounds are availble the bug, which is rated as 9.4 out of a possible 10, on the common vulnerabilities scoring system scale.
Users can add a web application firewall (WAF) to block SQLi attempts, however.
SonicWall advises users to update version 2.5.0.3-2520 and earlier versions of Analytics to version 2.5.0.3-Hotfix-1; likewise, GMS admins should update to the patched 9.3.1-SP2-Hotix-2 with all haste.
The security vendor said it is not aware of any active exploitation of the vulnerability, nor has it come across a proof of concept to demonstrate the flaw.
