SMB SSL-VPN - Does the jQuery vulnerability (CVE-2011-4969) affect SRA/SMA devices?

Description

Customers running vulnerability scans may get reports indicating that the SRA/SMA is affected by CVE-2011-4969. More information about this vulnerability can be found at the following link: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969

Resolution

According to our engineering department, the SRA/SMA is not vulnerable to this jQuery issue. Although the SRA ships an affected jQuery version (1.4.2), the product does not pass location.hash into a jQuery selector, and it is that pattern which exposes an application to cross-site scripting (XSS).

Although the SRA is not vulnerable, our engineers have nevertheless patched the bundled jQuery version as a precaution, based on the upstream fix: https://bugs.jquery.com/ticket/9521.
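To make the two points above concrete, the following added example (not SonicWall's or jQuery's code) models how a fragment such as location.hash was classified by jQuery before and after the fix referenced above, and shows an allow-list check that keeps a fragment out of any selector unless it is a plain element id. The two regular expressions are an approximation of jQuery's HTML-versus-selector decision, not copied from the library, and the sample fragments are constructed.

```javascript
// Added example, not SonicWall or jQuery code. The two classifiers
// approximate jQuery's "is this string HTML or a selector?" decision
// before and after the fix tracked in jQuery ticket 9521; the exact
// regular expressions are an assumption, not copied from jQuery.

// Pre-fix behaviour: any string containing a <tag> anywhere is treated as
// HTML, so a fragment such as "#<b>x</b>" would be parsed into DOM nodes.
function classifyLegacy(input) {
  return /^[^<]*(<[\w\W]+>)[^>]*$/.test(input) ? 'html' : 'selector';
}

// Post-fix behaviour: a string that starts with "#" is never treated as
// HTML, so the same fragment only ever reaches the selector engine.
function classifyPatched(input) {
  return /^[^#<]*(<[\w\W]+>)[^>]*$/.test(input) ? 'html' : 'selector';
}

// Defensive handling that does not depend on the library version at all:
// accept the fragment only when it is a plain element id, otherwise null.
const SAFE_FRAGMENT = /^#[A-Za-z][A-Za-z0-9_-]{0,63}$/;

function safeFragmentId(hash) {
  if (typeof hash !== 'string' || !SAFE_FRAGMENT.test(hash)) {
    return null;
  }
  return hash.slice(1); // id without the leading "#", usable with getElementById
}

// Constructed sample fragments: a normal anchor and a markup-shaped one.
const SAMPLES = ['#main', '#<b>x</b>'];

// Summarises how each sample is handled by the three functions above.
function report() {
  return SAMPLES.map((h) => ({
    hash: h,
    legacy: classifyLegacy(h),
    patched: classifyPatched(h),
    safeId: safeFragmentId(h),
  }));
}
```

Auditing your own pages for `$(location.hash)` (or any selector built from URL input) and routing such values through a check like `safeFragmentId` removes the dependency on the jQuery version entirely.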

This patch will be included in the next 8.1.0.4 and 8.5.0.1 firmware releases.
