A field in the Network Flow Analysis web application was found to be susceptible to SQL injection attacks.

Component : NQRPTA - REPORTERANALYZER

This vulnerability occurs when user-supplied input is used in the dynamic construction of a SQL query, without sufficient input validation being performed. This is usually a very serious vulnerability, as it effectively allows a remote attacker to execute (often arbitrary) SQL commands on the underlying database server with the privileges of the web application's database access, leaving the database open to execution of stored procedures, privilege escalation, and information retrieval. It is important to note that this issue could not be exploited by unauthenticated attackers.

The SQL injection issue identified above should be addressed by ensuring that user supplied input cannot be included in the SQL statements which are executed against the database.

In general, dynamic SQL should not be used within the application. Environments such as J2EE, ASP.NET, PHP, and Perl support the use of parameterised queries or prepared statements to ensure that the structure of the SQL statement is defined prior to entering user input.

If it is absolutely necessary to use dynamic SQL, user input should be validated and sanitised first. For example, numeric input should be passed through a numeric check, and string input should be sanitised so that the single quote (') character is escaped.

It is also recommended that the application developers review the code base to determine if any similar vulnerabilities exist – it is not always possible to identify all SQL injection vulnerabilities which are present in an application during a black box security assessment.

This fix is in NFA 21.2.2.

This defect has a patch separately for NFA 21.2.1, 10.0.7, 10.0.6, 10.0.5, 10.0.4, 10.0.3, and 10.0.2 GA releases. Below you can find the attached patches for the version you are running. Please download the proper file and follow the included instructions to apply it.