Security vendor SonicWall has released patches for a severe SQL injection (SQLi) vulnerability in its Analytics On-Prem and Global Management System (GMS) products, tracked as CVE-2022-22280 (CVSS score 9.4).
“Improper Neutralization of Special Elements used in an SQL Command leading to Unauthenticated SQL Injection vulnerability, impacting SonicWall GMS and Analytics On-Prem,” reads the advisory published by the company.
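The weakness class the advisory names (CWE-89, improper neutralization of special elements in an SQL command) is the pattern where attacker-controlled input is spliced into query text and its quote characters change the query's structure. The following is an added example, not code from SonicWall or from GMS/Analytics: a login check against an in-memory SQLite database seeded with constructed sample data, written once with string concatenation and once with bound parameters, so the tautology payload can be seen succeeding against the first and failing against the second. The table, row, function names and payload are all illustrative assumptions and say nothing about how the affected products are built.

```python
"""
Added example (not SonicWall code): CWE-89 'improper neutralization of special
elements used in an SQL command', shown as an unauthenticated login check
against an in-memory SQLite database with constructed sample data.
"""
import sqlite3

# Constructed sample data: one account. The schema and row are illustrative
# only and say nothing about how GMS or Analytics store credentials.
SCHEMA = """
CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL);
INSERT INTO users VALUES ('admin', 'correct-horse-battery-staple');
"""


def new_db() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed sample row."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Attacker-controlled strings are spliced into the SQL text. The quote
    characters in the input are not neutralized, so they alter the query's
    structure instead of being compared as data (the CWE-89 pattern)."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: the SQL text is fixed and the inputs travel as bound
    parameters, so a quote or comment sequence in the input is only ever
    compared against the column value and is never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Classic tautology payload: closes the password literal, ORs in a condition
# that is always true, then comments out the query's trailing quote.
PAYLOAD = "x' OR '1'='1' -- "


def demo() -> dict:
    """Run the valid credential and the payload through both query styles."""
    conn = new_db()
    return {
        "vulnerable_valid": login_vulnerable(conn, "admin", "correct-horse-battery-staple"),
        "vulnerable_injected": login_vulnerable(conn, "admin", PAYLOAD),
        "hardened_valid": login_parameterized(conn, "admin", "correct-horse-battery-staple"),
        "hardened_injected": login_parameterized(conn, "admin", PAYLOAD),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:22s} login accepted = {accepted}")
```

The concatenated query ends up as `... AND password = 'x' OR '1'='1' -- '`, so the attacker never needs a valid credential, which is what makes an injection in a pre-authentication code path so serious. The parameterized version accepts only the genuine password because the payload is bound as a plain string; this is the fix category a vendor patch for this weakness class applies, whereas a WAF can only try to recognize and drop such payloads in transit.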
SonicWall notes that a Web Application Firewall (WAF) able to detect and block SQLi attempts can considerably lower the likelihood of exploitation, but this is a compensating control rather than a fix: the flaw is reachable without authentication, and applying the vendor patches remains the only remediation.
The flaw was discovered by H4lo and Catalpa of Hatlab DBappSecurity.
The fixed versions, by product, are:
- GMS: 9.3.1-SP2-Hotfix-2
- Analytics: 2.5.0.3-2520-Hotfix1
Organizations are advised to upgrade to the fixed versions above as soon as possible.
“There is no workaround available for this vulnerability,” SonicWall said. “However, the likelihood of exploitation may be significantly reduced by incorporating a Web Application Firewall (WAF) to block SQLi attempts.”