Summary

A Security Researcher performing penetration testing raises CVEs in the Jetty version used by Brocade SANnav v2.1.1.

Brocade Statement

All supported versions of Brocade SANnav do not directly use Jetty.  The code is present within some versions of the SANnav product as it is contained within other third party components, but the Jetty code is not accessible to any SANnav user or external interface.  Additionally, starting with Brocade SANnav v2.2.1, the Ignite Jetty port is blocked.

• The vulnerabilities are not exploitable in All supported Brocade SANnav versions. Brocade SANnav is NOT AFFECTED.

CVE-2022-2191

All versions of Brocade SANnav -- Vulnerable_code_not_present 

CVE-2022-2047

SANnav v2.3.0 and later -- Vulnerable_code_not_present 

SANnav v2.2.x -- Not Exploitable --  Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2022-2048

SANnav v2.3.0 and later -- Vulnerable_code_not_present

SANnav v2.2.x -- Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2021-34429

All versions of Brocade SANnav -- Vulnerable_code_not_present 

CVE-2021-34428

SANnav v2.3.0 and later -- Vulnerable_code_not_present

SANnav v2.2.x -- Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2021-28169

SANnav v2.3.0 and later -- Vulnerable_code_not_present

SANnav v2.2.x -- Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2021-28165

SANnav v2.3.0 and later -- Vulnerable_code_not_present

SANnav v2.2.x -- Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2021-28164

All versions of Brocade SANnav -- Vulnerable_code_not_present 

CVE-2021-28163

All versions of Brocade SANnav -- Vulnerable_code_not_present

CVE-2020-27223

SANnav v2.3.0 and later -- Vulnerable_code_not_present

SANnav v2.2.x -- Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2020-27218

SANnav v2.3.0 and later -- Vulnerable_code_not_present

SANnav v2.2x -- Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2020-27216

SANnav v2.3.0 and later -- Vulnerable_code_not_present

SANnav v2.2.x -- Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2019-17638

All versions of Brocade SANnav -- Vulnerable_code_not_present 

CVE-2019-17632

All versions of Brocade SANnav -- Vulnerable_code_not_present 

CVE-2019-9518

All versions of Brocade SANnav -- Not exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2019-9516

SANnav v2.3.1 -- Vulnerable_code_not_present

SANnav v2.3.0 and v2.2.x  -- Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2019-9515

All versions of Brocade SANnav --  Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2019-9514

All versions of Brocade SANnav -- Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2019-9512

All versions of Brocade SANnav -- Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2019-9511

All versions of Brocade SANnav -- Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2019-10247

SANnav v2.3.0 and later -- Vulnerable_code_not_present

SANnav v2.2.x -- Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

CVE-2019-10246

All versions of Brocade SANnav -- Vulnerable_code_not_present

CVE-2019-10241

SANnav v2.3.0 and later -- Vulnerable_code_not_present

SANnav v2.2.x -- Not Exploitable -- Vulnerable_code_cannot_be_controlled_by_adversary

Revision History

Disclaimer

THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.