Patch out for critical SQLi bug in SonicWall management products

SonicWall GMS

Rated as 9.4 out of 10 on CVSS.

Security subsidiary SonicWall has issued patches to fix a critical structured query language command injection (SQLi) vulnerability in two of its products, advising organisations to patch immediately.

The affected products are SonicWall Global Management System (GMS), and the on-premises version of the Analytics traffic data analyser.

GMS can centrally manage SonicWall firewall, wireless, email security, secure remote access and X-Series solutions from a single console, the company said.

SQLi is a typically trivial-to-exploit class of vulnerability in which attacker-supplied input is executed as part of a query against a web application's backend database, resulting in unauthorised actions and information leakage.

SonicWall said the vulnerability "results in an improper neutralisation of special elements used in an SQL command."
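The weakness SonicWall describes is CWE-89: input that should be treated as data is spliced into the SQL command text, so quote characters and operators in that input change the command itself. The following is an added illustration, not code from SonicWall or from the affected products, using an in-memory SQLite table with constructed sample rows. It places a string-concatenated lookup beside the parameterised form of the same query so the difference in behaviour is visible on the same input.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real product).
USERS = [("alice", "secret1", "admin"), ("bob", "secret2", "viewer")]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Improper neutralisation (CWE-89): the untrusted value is concatenated
    straight into the SQL text, so quote characters in it become SQL."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the driver binds `name` as a value, never as SQL,
    so special characters are neutralised by construction."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups on a benign and a quote-bearing input and return results."""
    conn = make_db()
    benign = "alice"
    # A quote-bearing value: it terminates the string literal in the
    # concatenated query and appends an always-true condition.
    hostile = "x' OR '1'='1"
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_benign": lookup_safe(conn, benign),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

On the concatenated query the quote-bearing input returns every row in the table, while the parameterised query returns no rows because no user is literally named that string. Parameter binding is the fix that an advisory describing "improper neutralisation of special elements" points to; a WAF in front of the application can filter obvious patterns but does not change the query construction underneath.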

No workarounds are available for the bug, which is rated 9.4 out of a possible 10 on the Common Vulnerability Scoring System (CVSS) scale.

Users can add a web application firewall (WAF) to block SQLi attempts, however.

SonicWall advises users to update version and earlier versions of Analytics to version; likewise, GMS admins should update to the patched 9.3.1-SP2-Hotfix-2 with all haste.

The security vendor said it is not aware of any active exploitation of the vulnerability, nor has it come across a proof of concept to demonstrate the flaw.
