Genian NAC Security Advisories

Last Updated: 2024-04-01

Security Vulnerability

| Fixed Versions | Key | Components | Description | Affected Versions | CVSS Score |
|---|---|---|---|---|---|
| 5.0.72 (RC) | GN-26504 | WebUI | Vulnerability where internal network information can be queried through CWP | 5.0.0, 6.0.0 | 4.3 |
| 5.0.68 | GN-26452 | WebUI | Vulnerability that allows a user's immutable information to be modified | 5.0.0, 6.0.0 | 2.2 |
| 5.0.62 | GN-26723 | WebUI | Fix for changes to an administrator's rights not being reflected immediately | | 3.3 |
| 5.0.61, 5.0.56, 5.0.55 (LTS) | GN-28063 | WebUI | Blind injection possible in the node management search bar | | 2.2 |
| 5.0.60, 5.0.56, 5.0.55 (LTS) | GN-27242 | WebUI | SQL injection possible through the user search screen in NAC 5.0 | 5.0.15 | 4.8 |
| 5.0.60, 5.0.56, 5.0.55 (LTS) | GN-27107 | WebUI | Service outage caused by an unauthorized administrator executing a Tomcat restart command | 5.0.41 | 2.7 |
| 5.0.58, 5.0.56, 5.0.55 (LTS) | GN-26393 | WebUI | Vulnerability where information can be modified by directly entering the URL of an unauthorized page | | 3.1 |
| 5.0.58, 5.0.56, 5.0.55 (LTS) | GN-26390 | WebUI | File export permission bypass for unauthorized administrators through the Audit Log REST API | | 3.1 |
| 5.0.57, 5.0.56, 5.0.55 (LTS), 5.0.42 | GN-26315 | WebUI | Improved two-step verification to limit the number of verification code attempts and add a time limit | | 4.3 |
| 5.0.57, 5.0.56, 5.0.55 (LTS) | GN-27492 | WebUI | Tomcat version upgrade (8.5.94 -> 8.5.96 / 9.0.81 -> 9.0.83) | | 7.5 |
| 5.0.57, 5.0.56, 5.0.55 (LTS) | GN-27278 | WebUI | Tomcat version upgrade (8.5.94 / 9.0.81) | | 7.5 |
| 5.0.57, 5.0.56, 5.0.42 | GN-26600 | WebUI | Login not possible after an abnormal API call | 5.0.42, 5.0.49, 6.0.7, 4.0.156, 5.0.56 | 5.3 |
| 5.0.56, 5.0.55 (LTS), 5.0.53, 5.0.42 | GN-26814 | Center | Code improvements against buffer overflow | | 2 |
| 5.0.56, 5.0.55 (LTS), 5.0.42 | GN-26865 | WebUI | XSS input vulnerability in dashboard widget settings | | 1.2 |
| 5.0.56, 5.0.55 (LTS), 5.0.42 | GN-26835 | Center | Command injection vulnerability via SQL used to update data | | 6.6 |
| 5.0.56, 5.0.55 (LTS), 5.0.42 | GN-26833 | Sensor | nmap script tampering vulnerability during sensor NMDB update | | 4.1 |
| 5.0.56, 5.0.55 (LTS), 5.0.42 | GN-26725 | Linux Agent, macOS Agent, Windows Agent | [Agent] Added validation for events sent from the Center and sensors | | 6.3 |
| 5.0.56, 5.0.55 (LTS), 5.0.42 | GN-26696 | Sensor | Insufficient validation of incoming sensor events | | 6.3 |
| 5.0.56, 5.0.55 (LTS), 5.0.42 | GN-26694 | Center | Parameter injection vulnerability due to insufficient verification of download URLs | | 6.6 |
| 5.0.56, 5.0.55 (LTS), 5.0.42 | GN-26383 | WebUI | Vulnerability where HTML/script code can be injected | | 5.3 |
| 5.0.56, 5.0.55 (LTS) | GN-26935 | WebUI | Vulnerability where an HTML tag output as a department name is executed in a tree view | 5.0.0 | 1.2 |
| 5.0.55 (LTS) | GN-26222 | WebUI | Open redirection possible by manipulating the returnURL parameter used for page navigation in the management console | | 1.9 |
| 5.0.54, 5.0.53, 5.0.50, 5.0.42 | GN-26460 | Windows Agent | Vulnerability that allows an ordinary user to obtain PC administrator rights via the agent | 5.0.0, 6.0.0 | 4.6 |
| 5.0.54, 5.0.53, 5.0.50, 5.0.42 | GN-26392 | WebUI | Vulnerability that allows unprivileged administrators to download debug logs | | 2.9 |
| 5.0.54, 5.0.53, 5.0.50, 5.0.42 | GN-26368 | WebUI | Vulnerability where an administrator's API key is exposed to other administrators | | 5.3 |
| 5.0.54 | GN-26391 | WebUI | Vulnerability where an unauthorized administrator can view debug logs in real time | 5.0.0, 6.0.0 | 2.9 |
| 5.0.53, 5.0.50, 5.0.42 | GN-26286 | WebUI | Google OTP two-step verification can be passed by receiving a new security key | | 6.5 |
| 5.0.53, 5.0.50, 5.0.42 | GN-26205 | Database | MySQL version upgrade (5.7.40 -> 5.7.41) | | |
| 5.0.53, 5.0.50, 5.0.42 | GN-26062 | Center, macOS Agent, Sensor, Windows Agent | OpenSSL 1.1.1t upgrade - passing arbitrary pointers to memcmp calls can read memory contents or cause denial of service | | 7.4 |
| 5.0.53, 5.0.50 | GN-26150 | WebUI | Tomcat version upgrade (9.0.68 -> 9.0.72, 8.5.78 -> 8.5.86) | | |
| 5.0.53, 5.0.50 | GN-25869 | CWP | Only the account (ID) is authenticated when CWP authentication is performed via the agent user authentication menu while the IP management message is shown first | 6.0.3, 5.0.46 | 3.4 |
| 5.0.51, 5.0.50, 5.0.42 | GN-26000 | MySQL | MySQL version upgrade (5.7.33 -> 5.7.40) | | |
| 5.0.50, 5.0.42 | GN-26051 | WebUI | 5.0 WebUI library vulnerability check | | |
| 5.0.50, 5.0.42 | GN-25982 | WebUI | CSP and HSTS headers added to WebUI response headers | | |
| 5.0.50, 5.0.42 | GN-25925 | IPMGMT, WebUI | Possible XSS in IP Application System > IP Application screen | | 5.4 |
| 5.0.50, 5.0.42 | GN-25875 | Windows Agent | Agent runs a web browser with high privileges | 4.0.0, 5.0.0, 6.0.0 | 3.3 |
| 5.0.50, 5.0.42 | GN-25847 | WebUI | Added a re-authentication step when accessing the user information modification page on the CWP screen | | 4.2 |
| 5.0.50, 5.0.42 | GN-25740 | WebUI | XSS possible in the Audit > Logs > Log search bar | | 5.6 |
| 5.0.50 | GN-25811 | IPMGMT | Login possible with only a user ID via the front page of the IP application system | | 4.9 |
| 5.0.50 | GN-25250 | WebUI | Possible XSS when '/' is appended after the HTML tag string | | 4.9 |
| 5.0.50 | GN-23677 | Center, Sensor | Administrator approval system to enhance security when registering sensor policy servers | | 7.9 |
| 5.0.49, 5.0.42 | GN-25753 | WebUI | Improved so that CWP does not redirect to an illegal path via the PAGEFW parameter | | 4.2 |
| 5.0.49, 5.0.42 | GN-25561 | WebUI | Blind SQL injection vulnerability in the node search bar | | 5.3 |
| 5.0.49, 5.0.42 | GN-25184 | Sensor | Modified Dnsmasq not to cache query results in order to prevent DNS cache attacks | | 3.7 |
| 5.0.49, 5.0.42 | GN-25119 | macOS Agent | Upgrade to the latest versions of the macOS Agent, OpenVPN (2.5.7) and OpenSSL (1.1.1q) | | 5.3 |
| 5.0.49 | GN-25193 | WebUI | [Universal OS Ubuntu] Management Console > the 'X-Frame-Options' header on the CWP Design Template list page is set to allowall | | 6.5 |
| 5.0.48, 5.0.42 | GN-25438 | Center, Sensor | Improved the _filelist.html file to be generated differently for each Center | | 3 |
| 5.0.48, 5.0.42 | GN-25306 | WebUI | Information on usable methods is disclosed through an unused HTTP method | | 5.3 |
| 5.0.47, 5.0.42 | GN-25104 | Center, macOS Agent, Sensor, Windows Agent | Upgrade to the latest version of OpenSSL (OpenSSL 1.1.1q) | | 5.3 |
| 5.0.47, 5.0.42 | GN-25064 | WebUI | Web service improved so that Apache WAS information is not exposed | 4.0.119, 5.0.16 | 2.5 |
| 5.0.47 | GN-23947 | Windows Agent | Windows Agent secure coding check results vulnerability patch | 5.0.0, 6.0.0 | |
| 5.0.46, 5.0.42 | GN-24917 | Center, macOS Agent, Sensor, Windows Agent | Upgrade to the latest version of OpenSSL (OpenSSL 1.1.1o) | | 9.8 |
| 5.0.46, 5.0.42 | GN-24908 | WebUI | Tomcat version upgrade (8.5.78) | | 8.6 |
| 5.0.46, 5.0.42 | GN-24851 | Center | Apache HTTP Server 2.4.53 upgrade | | 9.8 |
| 5.0.45, 5.0.42 | GN-24689 | WebUI | XSS possible in Audit > Logs > Log Search | | 4.3 |
| 5.0.45, 5.0.42 | GN-24687 | WebUI | Files can be accessed via relative paths on the debug log screen | | 3.83 |
| 5.0.45, 5.0.42 | GN-24651 | Center, macOS Agent, Windows Agent | Upgrade to the latest version of OpenSSL (OpenSSL 1.1.1n) | 4.0.0, 5.0.0, 6.0.0 | 7.5 |
| 5.0.45, 5.0.42 | GN-24535 | WebUI | Remove Logstash | | 5.9 |
| 5.0.44, 5.0.42 | GN-24305 | GNOS | Upgrade to version 2.4.52 as a countermeasure for the Apache vulnerability | | 9.8 |
| 5.0.44, 5.0.42 | GN-24253 | WebUI | log4j vulnerability improvements | | 9.8 |
| 5.0.42 | GN-24030 | GNOS | Removed the reverse shell feature from the netcat (nc) command included with the product | | |
| 5.0.42 | GN-24014 | Center | Restrictions on SOAP/REST APIs that can be called over HTTP | | 2.5 |
| 5.0.42 | GN-23981 | macOS Agent, Windows Agent | Abnormal termination caused by manipulated UDP event packets sent to the agent | | 3.4 |
| 5.0.42 | GN-23977 | macOS Agent, Windows Agent | Fixed an XSS vulnerability when the agent displays instant messages | | 6.8 |
| 5.0.42 | GN-23972 | Center, Sensor | The daemon may terminate abnormally when processing UDP event packets | 5.0.36 | 6.4 |
| 5.0.42 | GN-23970 | WebUI | Administrator login bypass vulnerability using mobile apps | | 6.1 |
| 5.0.42 | GN-23967 | WebUI | REST API command injection | | 6.7 |
| 5.0.42 | GN-23966 | WebUI | XSS vulnerability when a CWP user application is submitted as an Excel file | | 6.8 |
| 5.0.42 | GN-23965 | WebUI | Internal file download vulnerability via a relative path on the Agent Download page | 5.0.37 | 5.2 |
| 5.0.42 | GN-23794 | WebUI | The REST API can be called without a valid authentication basis | | 4.9 |
| 5.0.42 | GN-23743 | Center | Fixes for denial of service (DoS) vulnerabilities through APIs | | 6.4 |
| 5.0.42 | GN-23714 | Center | Hardened agent-related APIs with weak authentication | | 4.6 |
| 5.0.42 | GN-23708 | Center | Hardened sensor-related APIs with weak authentication | | 4.6 |
| 5.0.42 | GN-23706 | Center | Internally used SOAP API exposed externally via RPC | | |
| 5.0.42 | GN-23705 | WebUI | (KVE-2021-1062) Enhanced file name validity check for the file upload component in Conf Engine | | 6.7 |
| 5.0.42 | GN-23702 | WebUI | (KVE-2021-1062) SSTI vulnerability in CWP Design Template | | |
| 5.0.42 | GN-23701 | Windows Agent | (KVE-2021-1062) Relative paths can be used when generating agent files | | 6.1 |
| 5.0.42 | GN-23700 | Center | (KVE-2021-1061) A node's password can be changed without being an authenticated user | | 8.7 |
| 5.0.42 | GN-23699 | Center, Sensor | (KVE-2021-1061) Information on all nodes can be obtained without sensor information | | |
| 5.0.42 | GN-23663 | macOS Agent, Windows Agent | Agent OpenSSL 1.1.1l update | | 9.8 |
| 5.0.42 | GN-23662 | GNOS | Upgraded to OpenSSL version 1.1.1l | 4.0.146, 5.0.44, 6.0.1 | 9.8 |
| 5.0.42 | GN-23578 | WebUI | REST API vulnerability improvements | | 6.8 |
| 5.0.42 | GN-23563 | Center | Fixes to defend against command injection attacks | | 8 |
| 5.0.42 | GN-23533 | Center | Improved so that unusable plug-ins are not delivered to agents | | 7.6 |
| 5.0.42 | GN-23500 | Center | Improved SQL injection defense processing method | | 8.7 |
| 5.0.42 | GN-23499 | GNOS | Removed the vulnerable LD_LIBRARY_PATH environment variable within GNOS | | |
| 5.0.42 | GN-23488 | WebUI | [SaaS] SaaS security authentication WAS (Tomcat) vulnerability improvements | | 7.5 |
| 5.0.42 | GN-23446 | gnlogin, WebUI | Password handling so that specific words cannot be used | | 8.7 |
| 5.0.42 | GN-23377 | GNOS | Upgraded OpenSSH to version 8.6p1 | | |
| 5.0.42 | GN-23358 | WebUI | [CC] Web vulnerability check results security fixes | | 6.5 |
| 5.0.42 | GN-23237 | GenianOS | Apache httpd (2.4.48) / Tomcat (8.5.63) upgrade | | 7.5 |
| 5.0.42 | GN-23233 | ElasticSearch | [CC] Elasticsearch upgraded to version 5.6.16 | | 8.8 |
| 5.0.42 | GN-23055 | WebUI | Secure coding inspection result vulnerability patch - JavaScript | 5.0.42 | |
| 5.0.42 | GN-22473 | Center | Improved secure coding check results - use of insufficiently random values | | 7.5 |
| 5.0.41 | GN-22872 | -Unknown/None- | OpenSSL 1.1.1k patch | | 7.4 |
| 5.0.41 | GN-22747 | Database | GNOS MySQL 5.7 upgrade | | |
| 5.0.41 | GN-22558 | -Unknown/None- | Version upgrade to fix the Dnsmasq vulnerability | | 8.1 |
| 5.0.41 | GN-22551 | WebUI | Secure coding check result vulnerability patch - Java code | | 9.3 |
| 5.0.41 | GN-22475 | Center | Improved secure coding check results - error condition detected without action | | 1.8 |
| 5.0.41 | GN-21728 | -Unknown/None- | OpenSSL upgrade (1.0.2u -> 1.1.1j) | | 9.8 |
| 5.0.40 | GN-22461 | WebUI | Tomcat version upgrade (7.0.104 -> 7.0.107 / 8.5.55 -> 8.5.61) | | 5.9 |
| 5.0.39 | GN-21985 | WebUI | Management console vulnerability improvements (XSS attacks, error code exposure) | | 4.3 |
| 5.0.38 | GN-21396 | WebUI | Restricted SQL syntax and system variables that must not be usable in the node management search bar | | 4.5 |
| 5.0.37 | GN-21879 | WebUI | Fix for theft of authentication rights through CWP vulnerabilities | | 6.2 |
| 5.0.36, 5.0.35 | GN-21843 | Center | Modified to escape parameter values in SOAP APIs that were exempt from SQL injection checks | | |
| 5.0.35 | GN-21647 | Database | MySQL upgrade (5.6.47 -> 5.6.48) | | |
| 5.0.34 | GN-21766 | Center | Improved audit log when uploading from Genian Syncer to the Center | | |
| 5.0.34 | GN-21513 | WebUI | Fixed an issue where the dedicated error page was not displayed when a 501 error occurred due to a web vulnerability | | 0.6 |
| 5.0.33 | GN-21641 | macOS Agent, Windows Agent | Agent upgraded to the latest version of OpenSSL (OpenSSL 1.0.2u) | | |
| 5.0.33 | GN-21640 | GenianOS | Upgrade to the latest version of OpenSSL (OpenSSL 1.0.2u) | | |
| 5.0.33 | GN-21397 | WebUI | Tomcat version upgrade (7.0.100 -> 7.0.104 / 8.5.51 -> 8.5.55) | | 7 |
| 5.0.33 | GN-21386 | GenianOS | Apache httpd 2.4.43 upgrade | | |
| 5.0.32 | GN-21181 | Database | MySQL upgrade (5.6.41 -> 5.6.47) and file permission changes | | |
| 5.0.32 | GN-21084 | WebUI | Management console vulnerability improvements | | 7.5 |
| 5.0.31 | GN-20848 | WebUI | Security vulnerability improvements - file upload extension bypass, unauthenticated web access to files in the /disk/data/custom folder, etc. | | 5.3 |
| 5.0.30 | GN-20928 | WebUI | Tomcat version upgrade (7.0.99 -> 7.0.100 / 8.0.53 -> 8.5.51) | | 4.8 |
| 5.0.30 | GN-20875 | WebUI | Fixed a GET cross-site scripting (XSS) vulnerability | | 1.6 |
| 5.0.30 | GN-20874 | GNOS | Bash vulnerability (Shellshock) patch | 4.1.3 | |
| 5.0.28 | GN-20471 | Center | Upgrade to the latest version of OpenSSL (OpenSSL 1.0.2t) | | |
| 5.0.28 | GN-20443 | macOS Agent, Windows Agent | Agent upgraded to the latest version of OpenSSL (OpenSSL 1.0.2t) | | |
| 5.0.27 | GN-18882 | WebUI | Fixed management console vulnerabilities discovered by the OWASP ZAP tool | | |
| 5.0.21 | GN-19317 | GenianOS | Version patch for the OpenSSH daemon (opensshd) vulnerability | 5.0.8, 4.0.111, 4.0.34 | |
| 5.0.19 | GN-19203 | Center, WebUI | Apache httpd 2.4.39 upgrade | | |
| 5.0.17 | GN-19044 | GenianOS | Upgrade to the latest version of OpenSSL (OpenSSL 1.0.2r) | | |
| 5.0.17 | GN-18607 | WebUI | tomcat-connectors version upgrade | | |