BSA-2021-1319
21587
15 March 2021
15 February 2021
Closed
High
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
N/A
CVE-2020-15379
Summary
Security Advisory ID: BSA-2021-1319
Component: Brocade SANnav
Revision: 1.0: Final
Brocade SANnav before v.2.1.0a could allow remote attackers to cause a denial-of-service condition due to a lack of proper validation of the length of user-supplied data used as the name of a custom field.
Note: When custom fields are added through the Inventory Custom Field Management pages, user-supplied values are not properly escaped, resulting in data corruption. After the data is corrupted, additional requests cause the data to inflate, resulting in a resource exhaustion condition that causes SANnav to become unavailable until the data is cleared.
Affected Products
Brocade SANnav before v.2.1.0a.
Products Confirmed Not Vulnerable
No other Brocade Fibre Channel products from Broadcom are currently known to be affected by this vulnerability.
Solution
A security update is provided in Brocade SANnav v.2.1.0a.
Credit
The issue was found through internal penetration testing.
Revision History
Version | Change | Date |
---|---|---|
1.0 | Initial Publication | March 15, 2021 |