OpenSSL Stack buffer overflow in CMS AuthEnvelopedData parsing
36980
19 February 2026
19 February 2026
CLOSED
HIGH
9.8
CVE-2025-15467
| Brocade Security Advisory ID | BSA-2026-3335 |
| Component | OpenSSL |
Summary
Brocade Security has become aware of a stack buffer overflow that could lead to a crash, causing Denial of Service, or potentially remote code execution.
The overflow occurs when parsing Cryptographic Message Syntax (CMS) AuthEnvelopedData structures that use Authenticated Encryption with Associated Data (AEAD) ciphers such as AES-GCM. A remote attacker can exploit it by supplying a crafted CMS message with an oversized Initialization Vector (IV). This can lead to a crash, causing a Denial of Service (DoS), or potentially allow for remote code execution.
Brocade SANnav OVA 2.4.0 and Brocade sannav_ova_8x_os_12_2024 SANnav OVA patch from December 2023 are upgraded to a new Rocky Linux kernel. The upgrade has provided security updates for numerous security vulnerabilities.
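The defensive pattern for this bug class, as an added example that is not OpenSSL's or Brocade's code: parse the AES-GCM parameters of a CMS message and copy the IV into a fixed buffer only after checking its encoded length. The function names, `MAX_IV_LEN` and the sample byte arrays are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumption: size of the fixed IV buffer; OpenSSL's EVP_MAX_IV_LENGTH is 16. */
#define MAX_IV_LEN 16

/* Constructed samples (DER GCMParameters): a 12-byte nonce and an oversized 32-byte nonce. */
const unsigned char ok_params[16] = { 0x30, 0x0e, 0x04, 0x0c, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 };
const unsigned char big_params[36] = { 0x30, 0x22, 0x04, 0x20 }; /* remaining bytes are 0 */

/* Read a DER header (short or one-byte long-form length); 0 means wrong tag or overrun. */
static size_t der_header(const unsigned char *p, size_t avail, unsigned char tag, size_t *len)
{
    size_t hdr;
    if (avail < 2 || p[0] != tag)
        return 0;
    if (p[1] < 0x80)
        hdr = 2;
    else if (p[1] == 0x81 && avail >= 3)
        hdr = 3;
    else
        return 0;                       /* larger lengths are never valid for an IV */
    *len = p[hdr - 1];
    return (*len <= avail - hdr) ? hdr : 0;
}

/* GCMParameters ::= SEQUENCE { aes-nonce OCTET STRING, aes-ICVlen INTEGER DEFAULT 12 }.
 * Copies the nonce into iv and returns its length, or -1 on reject (aes-ICVlen is not examined). */
int gcm_params_get_iv(const unsigned char *der, size_t der_len, unsigned char iv[MAX_IV_LEN])
{
    size_t seq_len, nonce_len, h = der_header(der, der_len, 0x30, &seq_len);
    if (h == 0)
        return -1;
    der += h;
    h = der_header(der, seq_len, 0x04, &nonce_len);
    if (h == 0)
        return -1;
    /* The length comes from the message, so compare it with the buffer before copying. */
    if (nonce_len == 0 || nonce_len > MAX_IV_LEN)
        return -1;
    memcpy(iv, der + h, nonce_len);
    return (int)nonce_len;
}

int main(void)
{
    unsigned char iv[MAX_IV_LEN];
    printf("12-byte nonce: %d\n", gcm_params_get_iv(ok_params, sizeof ok_params, iv));
    printf("32-byte nonce: %d\n", gcm_params_get_iv(big_params, sizeof big_params, iv));
    return 0;
}
```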
Products Affected
- Brocade SANnav OVA deployment version 3.0.0
Products Confirmed Not Affected
- Brocade Fabric OS
[VEX Justification: Vulnerable_code_not_in_execute_path]
- Brocade ASCG
[VEX Justification: Vulnerable_code_not_in_execute_path]
- Brocade SANnav Standard Deployment
[VEX Justification: Vulnerable_code_not_in_execute_path]
- Brocade SANnav OVA deployment versions before 3.0.0
[VEX Justification: Vulnerable_code_not_in_execute_path]
Solution
- Security update provided in Brocade SANnav OS patch sannav_ova_9x_os_02_2026 that can be applied to Brocade SANnav 3.0.0
Revision History
| Version | Change | Date |
| 1.0 | Initial Publication | February 19, 2026 |
Disclaimer
THIS DOCUMENT IS PROVIDED ON AN AS-IS BASIS SOLELY FOR INFORMATIONAL PURPOSES AND DOES NOT IMPLY ANY KIND OF GUARANTY OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. YOUR USE OF THE INFORMATION CONTAINED HEREIN IS AT YOUR OWN RISK. ALL INFORMATION PROVIDED HEREIN IS BASED ON BROCADE'S CURRENT KNOWLEDGE AND UNDERSTANDING OF THE VULNERABILITY AND IMPACT TO BROCADE HARDWARE AND SOFTWARE PRODUCTS. BROCADE RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.