Are SMA 100 series appliances vulnerable to jQuery vulnerabilities?

Description

Are SRA / SMA 100 series appliances vulnerable to CVE-2011-4969, CVE-2012-6708 and CVE-2015-9251?

Cause

CVE-2011-4969: Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when location.hash is used to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag (a fragment such as #<img ...> is parsed as HTML instead of being looked up as an id).

CVE-2012-6708: jQuery before 1.9.0 is vulnerable to XSS because jQuery(strInput) does not reliably distinguish selectors from HTML: it treats the input as HTML if a '<' character appears anywhere in the string. From 1.9.0 onwards the input is only treated as HTML if it starts with '<', so only an attacker who controls the beginning of the string can exploit it.
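The two selector-parsing CVEs above come down to one regular expression in jQuery core that decides whether jQuery(str) treats str as HTML (parsed into elements, so any <img onerror> inside it runs) or as a selector. The following is an added example, not jQuery's own source or SonicWall's code: it models that decision for the release ranges named in the CVEs. The three patterns are the quickExpr/rquickExpr expressions of those releases as reproduced here for illustration; the sample inputs are constructed, and the safeHashId helper is an assumed defensive wrapper rather than anything jQuery provides. Verify the patterns against the jquery.js you actually ship before relying on this classification.

```javascript
// Models how jQuery(str) classified a string in three release ranges.
// Regexes reproduced for illustration; check them against your shipped jquery.js.
const RQUICK = {
  // 1.6.2 and earlier (1.4.2 included): '<' anywhere makes it HTML, and the "#id"
  // branch only wins when nothing follows the id, so "#<img ...>" taken from
  // location.hash falls into the HTML branch (CVE-2011-4969).
  "pre-1.6.3": /^(?:[^<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
  // 1.6.3 (CVE-2011-4969 fix): a string that starts with '#' is never HTML,
  // but '<' later in the string still makes it HTML (CVE-2012-6708).
  "1.6.3": /^(?:[^#<]*(<[\w\W]+>)[^>]*$|#([\w\-]*)$)/,
  // 1.9.0 (CVE-2012-6708 fix): HTML only if the whole string starts with '<'.
  "1.9.0": /^(?:(<[\w\W]+>)[^>]*|#([\w-]*))$/,
};

// Returns "html", "id" or "selector": what jQuery(input) would do with the string.
function classify(input, version) {
  const m = RQUICK[version].exec(input);
  if (!m) return "selector"; // handed to the selector engine, never parsed as HTML
  return m[1] ? "html" : "id"; // m[1]: HTML branch matched; otherwise the #id branch
}

// Assumed defensive pattern that is safe on every version: accept only a plain id
// fragment and never hand raw location.hash to jQuery.
function safeHashId(hash) {
  const m = /^#([\w-]+)$/.exec(hash);
  return m ? m[1] : null;
}

// Constructed inputs: a location.hash-style payload, the same payload after leading
// text (only an attacker controlling the start of the string needs this), a benign
// fragment and a benign HTML string.
const SAMPLES = [
  "#<img src=x onerror=alert(1)>",
  "a<img src=x onerror=alert(1)>",
  "#main",
  "<p>hello</p>",
];

// Classification of every sample under every version, plus the safe wrapper's view.
function report() {
  const out = {};
  for (const s of SAMPLES) {
    out[s] = {};
    for (const v of Object.keys(RQUICK)) out[s][v] = classify(s, v);
    out[s].safeHashId = safeHashId(s);
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

Running it shows the hash payload classified as "html" only under the pre-1.6.3 pattern, while the payload with leading text stays "html" until 1.9.0; safeHashId rejects both payloads and returns "main" only for the benign fragment.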

CVE-2015-9251: jQuery before 3.0.0 is vulnerable to XSS when a cross-domain Ajax request is performed without the dataType option, because a response served with a text/javascript content type is then executed as script.
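The following is an added example, not jQuery's own source or SonicWall's code: it models the decision $.ajax makes about whether a response body is evaluated, so the effect of omitting dataType on a cross-domain call is visible without a browser. The Content-Type sniff approximates jQuery's ajaxSettings.contents.script pattern, the "cross-domain without dataType never executes" rule is the behaviour jQuery 3.0.0 introduced, and the crossDomain flag is assumed to be set explicitly here (real jQuery derives it from the URL). The call objects, header value and auditAjaxCalls helper are constructed for the example.

```javascript
// Approximation of jQuery's content-type sniff for script responses.
const SCRIPT_CONTENT_TYPE = /\b(?:java|ecma)script\b/;

// options: the object passed to $.ajax (url, dataType, crossDomain);
// contentType: the response's Content-Type header; majorVersion: jQuery major.
// Returns true if the response body would be executed as script.
function responseWouldExecute(options, contentType, majorVersion) {
  // An explicit dataType always wins: "script"/"jsonp" execute, anything else does not.
  if (options.dataType) {
    return options.dataType === "script" || options.dataType === "jsonp";
  }
  // No dataType: jQuery infers the type from the response header.
  const sniffedAsScript = SCRIPT_CONTENT_TYPE.test(contentType || "");
  // 3.0.0 behaviour: a cross-domain request with no explicit dataType never
  // auto-executes, whatever the server says the content type is.
  if (majorVersion >= 3 && options.crossDomain) return false;
  return sniffedAsScript;
}

// Constructed scenario: the app fetches data from a third-party origin, and an
// attacker controls that origin (or something in front of it) and answers with
// text/javascript instead of JSON.
const weakCall = { url: "https://api.third-party.example/data", crossDomain: true };
const fixedCall = { ...weakCall, dataType: "json" }; // pin the expected type
const hostileHeader = "text/javascript; charset=utf-8";

function summary() {
  return {
    weakOnJQuery1: responseWouldExecute(weakCall, hostileHeader, 1), // true: XSS
    weakOnJQuery3: responseWouldExecute(weakCall, hostileHeader, 3), // false
    fixedOnJQuery1: responseWouldExecute(fixedCall, hostileHeader, 1), // false
    sameOriginJson: responseWouldExecute({ url: "/api/data" }, "application/json", 1), // false
  };
}

// Code-review check (assumed helper): flag any call object that goes cross-domain
// without pinning dataType. Returns one finding per offending call.
function auditAjaxCalls(calls) {
  return calls
    .filter((c) => c.crossDomain && !c.dataType)
    .map((c) => `cross-domain request to ${c.url} without explicit dataType`);
}

console.log(summary(), auditAjaxCalls([weakCall, fixedCall]));
```

On jQuery 1.5 through 2.x the same protection 3.0.0 ships can be added in application code with an ajaxPrefilter that sets s.contents.script = false whenever s.crossDomain is true; jQuery 1.4.2 predates ajaxPrefilter, so on that release the only option is to pass dataType on every cross-origin call.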

Resolution

Our SMA 100 series appliances use a patched build of jQuery 1.4.2 and include mechanisms to prevent XSS attacks, so it is confirmed that SMA 100 series appliances are not vulnerable to these CVEs. Vulnerability scanners that key only on the jQuery version string will still report 1.4.2 as affected; confirm the firmware version noted below rather than the library banner.

NOTE: The jQuery patch is included from firmware 8.1.0.4 and 8.5.0.1 onwards. Refer to: SMB SSL-VPN - Does the jQuery vulnerability (CVE-2011-4969) affects SRA/SMA devices?
