Wave Affected

Notified: May 14, 2013
Updated: July 18, 2013

Statement Date: July 17, 2013

Status

Affected

Vendor Statement

Security Advisory WAVE-2013-001

Severity: Moderate

Affected products:
  ERAS 2.8.4 Helpdesk
  ERAS 2.9.5 Helpdesk

CERT Vulnerability Note: http://www.kb.cert.org/vuls/id/217836

Details

Input validation vulnerabilities were discovered in ERAS helpdesk. A remote authenticated privileged administrator could possibly use these vulnerabilities to perform an SQL injection attack allowing them to directly manipulate the contents of the ERAS database or execute arbitrary commands on the database server. (CVE-2013-3577, CVE-2013-3578)

By design, only privileged administrators may access the ERAS Help Desk and each enterprise manages the list of privileged administrators. This vulnerability can only be exploited by those privileged administrator accounts. Enforcing strong user permissions for those accounts can help mitigate the vulnerability by minimizing the attack surface.

Customers are advised to upgrade to ERAS 2.9.5 Service Pack 2, which resolves these issues.

Solution

Additional input validation checks were implemented in ERAS 2.9.5 Service Packs 1 and 2 to fix these vulnerabilities. All customers with ERAS deployments should upgrade to ERAS 2.9.5 SP2, which is available from http://www.wave.com/support
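The statement names the defect class (missing input validation leading to SQL injection) and the fix (added validation checks) without showing code. The following is an added illustration written for this page, not Wave's ERAS code and not derived from it: it builds a constructed in-memory SQLite "tickets" table (the schema and column names are assumptions), shows a lookup that splices a caller-supplied value into the SQL text, and beside it the two defensive measures a reviewer would expect, an allow-list format check on the input and a parameterised query so the value can never be interpreted as SQL.

```python
"""Added example (not ERAS code): string-spliced SQL beside validated,
parameterised SQL. The helpdesk schema below is constructed for the demo."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create a constructed in-memory tickets table with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tickets (id INTEGER PRIMARY KEY, owner TEXT, subject TEXT)"
    )
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?)",
        [
            (1, "alice", "Password reset"),
            (2, "bob", "Enrolment failed"),
            (3, "carol", "Disk unlock prompt"),
        ],
    )
    return conn


def find_tickets_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    """Defective pattern: the value becomes part of the SQL text, so a
    crafted value can change the query's structure, not just its data."""
    sql = f"SELECT id, owner, subject FROM tickets WHERE owner = '{owner}'"
    return conn.execute(sql).fetchall()


def find_tickets_parameterised(conn: sqlite3.Connection, owner: str) -> list:
    """Fix 1: bind the value as a parameter. The driver sends it as data,
    so quotes or SQL keywords inside it are matched literally."""
    sql = "SELECT id, owner, subject FROM tickets WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Allow-list for what an owner name is permitted to look like (assumption
# for this example; a real application derives this from its own rules).
OWNER_RE = re.compile(r"[a-z0-9._-]{1,32}")


def find_tickets_validated(conn: sqlite3.Connection, owner: str) -> list:
    """Fix 2 layered on fix 1: reject input that does not match the expected
    format before it reaches the database at all, then bind as a parameter."""
    if OWNER_RE.fullmatch(owner) is None:
        raise ValueError("owner name does not match the permitted format")
    return find_tickets_parameterised(conn, owner)


def demo() -> dict:
    """Run all three lookups on a benign and a constructed hostile value."""
    conn = make_db()
    hostile = "alice' OR '1'='1"  # constructed input for the demo
    result = {
        "benign": find_tickets_validated(conn, "alice"),
        "vulnerable_rows": len(find_tickets_vulnerable(conn, hostile)),
        "parameterised_rows": len(find_tickets_parameterised(conn, hostile)),
    }
    try:
        find_tickets_validated(conn, hostile)
        result["validated"] = "accepted"
    except ValueError:
        result["validated"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

Running the demo shows the three behaviours side by side: the spliced query returns every ticket for the hostile value, the parameterised query returns none because no owner is literally named that, and the validated variant refuses the value before any query runs. Validation alone is not the fix; it narrows what reaches the database, while parameter binding is what removes the injection path, which is why both belong together.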

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References