Security Advisory - Fix available for unauthenticated blind SQL injection vulnerability issue. Apply the latest service pack.

Security Advisory - Fix available for unauthenticated blind SQL injection vulnerability issue. Apply the latest service pack.

This is a security advisory for Firewall Analyzer customers using versions 123045 or earlier. We recommend that you  upgrade to the latest version of  Firewall Analyzer, 123057, to fix the security vulnerability described below.  

Description: Firewall Analyzer contained a vulnerability through which it was possible to upload files using an unauthenticated servelet. This was identified and disclosed by Digital Defense, a provider of security risk assessment solutions. For details, please refer to the public disclosure published on January 30th.

Severity: Very high.


Affected users: Firewall Analyzer customers using version 123045 or earlier.


Background: Digital Defense responsibly disclosed the vulnerability to ManageEngine in November of 2017. Shortly afterwards, our security and development teams touched base with Digital Defense to gather more information. We accord the highest priority to fixing vulnerabilities, and this particular vulnerability was addressed on January 2nd with an update to Firewall Analyzer (123057). Customers using this version and above already have protection from the disclosed vulnerability.


Next step: Download the upgrade pack from https://www.manageengine.com/products/firewall/service-packs.html and immediately upgrade to the latest version (123057). Please read the upgrade instructions carefully before beginning the upgrade. For assistance, write to fwanalyzer-support@manageengine.com or call us toll-free at +1.888.720.9500.


Important note: As always, make a copy of the entire Firewall Analyzer installation folder before applying the upgrade and keep the copy in a separate location. If anything goes wrong during the upgrade, you'll have this copy as a backup, which will keep all your settings intact. If you're using a MS SQL server as a back-end database, back up the Firewall Analyzer database before upgrading. Once the upgrade is successfully completed, remember to delete the backup.


We offer our sincerest apologies for any inconvenience this may have caused.

Team ManageEngine Firewall Analyzer

 

Best regards,

ManageEngine Firewall Analyzer