Patch out for critical SQLi bug in SonicWall management products


Rated as 9.4 out of 10 on CVSS.

Security vendor SonicWall has issued patches to fix a critical SQL injection (SQLi) vulnerability in two of its management products, advising organisations to patch immediately.


The affected products are SonicWall Global Management System (GMS), and the on-premises version of the Analytics traffic data analyser. 

GMS can centrally manage SonicWall firewall, wireless, email security, secure remote access and X-Series solutions from a single console, the company said.

SQL injection is a well-understood and often trivial-to-exploit class of vulnerability: when an application splices untrusted input directly into a database query, an attacker can supply input containing SQL syntax to change what the query does, resulting in unauthorised actions against the backend database and leakage of the data it holds.
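As an added illustration, and not code from the article or from SonicWall (it says nothing about how the GMS or Analytics flaw is triggered), the following Python snippet shows the general pattern the paragraph describes. It builds a constructed in-memory SQLite table of management-console users, then contrasts a lookup that concatenates the caller's input into the SQL text with the parameterised form of the same query. Table name, column names, sample rows and payloads are all invented for the example.

```python
import sqlite3

# Constructed sample data for the example: a tiny management-console user
# table in an in-memory SQLite database (not real SonicWall data).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,"
        " password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [
            ("admin", "sha256:0f1e2d3c4b5a6978", "administrator"),
            ("operator", "sha256:9a8b7c6d5e4f3210", "read-only"),
        ],
    )
    return conn


def lookup_user_vulnerable(conn, username):
    # CWE-89 pattern: the caller's input is spliced straight into the SQL
    # text, so a quote character in `username` ends the string literal and
    # everything after it is executed as SQL rather than compared as data.
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn, username):
    # Parameterised query: the statement is fixed and the value travels
    # separately as a bound parameter, so special characters in the input
    # are neutralised and can only ever match (or fail to match) a username.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    # Tautology payload: turns a single-user lookup into "return every row".
    tautology = "nobody' OR '1'='1"
    print(lookup_user_vulnerable(db, tautology))  # both users
    print(lookup_user_safe(db, tautology))        # []

    # UNION payload: pulls a column the query was never meant to expose.
    leak = "x' UNION SELECT username, password_hash FROM users --"
    print(lookup_user_vulnerable(db, leak))       # usernames with password hashes
    print(lookup_user_safe(db, leak))             # []
```

The two payloads map onto the two consequences named above: the tautology yields an unauthorised action (a filter that no longer filters), and the UNION yields information leakage (password hashes read out through a query that only selects usernames and roles). The parameterised version returns nothing for either input because the driver never lets the input become part of the statement.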

SonicWall said the vulnerability "results in an improper neutralisation of special elements used in an SQL command."

No workarounds are available for the bug, which is rated 9.4 out of a possible 10 on the Common Vulnerability Scoring System (CVSS) scale.

A web application firewall (WAF) in front of the management interface can block many SQLi attempts, but it is a compensating control rather than a fix and should not substitute for applying the hotfix.

SonicWall advises Analytics users running version 2.5.0.3-2520 and earlier to update to 2.5.0.3-Hotfix-1; likewise, GMS administrators should update to the patched 9.3.1-SP2-Hotfix-2 as soon as possible.

The security vendor said it is not aware of any active exploitation of the vulnerability, nor has it come across a proof of concept to demonstrate the flaw.

Copyright © iTnews.com.au . All rights reserved.