Critical SQL injection flaw addressed by SonicWall

SonicWall has addressed a critical SQL injection flaw in its Analytics On-Prem and Global Management System offerings, which could be exploited to prompt unauthenticated SQL injection, according to The Hacker News. The vulnerability, tracked as CVE-2022-22280, was identified and reported by DBappSecurity HAT Lab researchers H4lo and Catalpa in Analytics On-Prem 2.5.0.3-2520 and earlier versions, as well as GMS versions 9.3.1-SP2-Hotfix1 and earlier. MITRE had noted that SQL injection vulnerabilities could be leveraged to modify query logic for security check evasion, as well as back-end database modification to prompt system command execution. "Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data," MITRE said. SonicWall noted that the vulnerability does not have any workaround. "However, the likelihood of exploitation may be significantly reduced by incorporating a Web Application Firewall (WAF) to block SQLi attempts," said SonicWall, which urged organizations to apply the Analytics 2.5.0.3-2520-Hotfix1 and GMS 9.3.1-SP2-Hotfix-2 updates.