
Critical Product Notification Foglight Path Traversal in Servlet

Foglight™ Enterprise 5.6.11.2 (and prior versions)
Foglight for Virtualization, Enterprise Edition 7.2 (and prior versions)
Foglight for Storage Management 3.2 (and prior versions)

Problem

Path Traversal in Servlet

The Foglight web console provides some limited services to the user, even if they have not logged in. These services are intended to help the user quickly download and set up additional infrastructure. If the user edits the URL used for downloading, the Foglight Servlet that manages the download permits “../” to be used as part of the filename. Using “../” permits the user to traverse up the filesystem tree and potentially gain blind access to other files on the filesystem.

How does this affect Foglight?

Anyone with HTTP or HTTPS access to the Foglight server could download files from the Foglight Management Server. Any file readable by the user account that runs the Foglight processes is a candidate. Furthermore, the servlet automatically deletes such files after download if the user running the Foglight server has write permission to the directory and file.
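The following is an added illustration of the defect class described in the two paragraphs above and of the corresponding fix; it is not Foglight code and not code from Quest. It assumes a hypothetical download handler that maps a filename taken from the URL onto a download directory: `vulnerable_resolve` joins the name with no check, so “../” segments escape the directory, while `safe_resolve` canonicalizes the result and refuses anything that does not stay inside the real base directory (URL-decoded names, absolute paths, NUL bytes and symlinks that point outside are all rejected). The directory layout is constructed in a temporary folder so the example runs offline.

```python
import os
import tempfile
from urllib.parse import unquote


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """Before: the name from the URL is joined onto the download directory
    with no containment check, so a "../" segment walks up the tree."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str):
    """After: decode the name, canonicalize the candidate path and require
    that it still lies inside the canonical base directory. Returns the
    resolved path of an existing regular file, or None if the request is
    rejected."""
    name = unquote(requested)  # handle "%2e%2e%2f" style encodings too
    if not name or os.path.isabs(name) or "\x00" in name:
        return None
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, name))
    try:
        # commonpath is the portable containment test; it raises ValueError
        # on Windows when the two paths are on different drives.
        if os.path.commonpath([base_real, candidate]) != base_real:
            return None
    except ValueError:
        return None
    if not os.path.isfile(candidate):
        return None  # no directory listings, no special files
    return candidate


def demo() -> dict:
    """Build a constructed layout: <root>/downloads/agent.zip is the only
    file meant to be served; <root>/secret.txt sits one level above it."""
    with tempfile.TemporaryDirectory() as root:
        downloads = os.path.join(root, "downloads")
        os.mkdir(downloads)
        with open(os.path.join(downloads, "agent.zip"), "wb") as fh:
            fh.write(b"constructed sample archive")
        secret = os.path.join(root, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("constructed sample file outside the download directory")

        return {
            # legitimate request is served
            "legit": safe_resolve(downloads, "agent.zip") is not None,
            # plain and URL-encoded traversal are both refused
            "traversal_blocked": safe_resolve(downloads, "../secret.txt") is None,
            "encoded_blocked": safe_resolve(downloads, "..%2Fsecret.txt") is None,
            # absolute names are refused outright
            "absolute_blocked": safe_resolve(downloads, secret) is None,
            # the unchecked version escapes the download directory
            "vulnerable_escapes": vulnerable_resolve(downloads, "../secret.txt")
            == os.path.normpath(secret),
        }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The containment test is done on the canonical (`realpath`) form of both the base directory and the candidate, which is what defeats “../” sequences, encoded variants and symlinks alike; checking the raw string for the substring “../” is not sufficient. The same rule applies to the deletion described above: a handler should only ever delete a path that has passed this check.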

Versions impacted:

Foglight Enterprise:
5.6.2*, 5.6.3*, 5.6.4*, 5.6.4.1*, 5.6.4.2*, 5.6.5, 5.6.7, 5.6.10, 5.6.10.1, 5.6.11, 5.6.11.1, 5.6.11.2

* These product versions have reached end of life.
This vulnerability does not exist on Foglight 5.7.x or higher, on Foglight for Virtualization, Enterprise Edition 8.0 or higher, or on Foglight for Storage Management 4.0 or higher. Foglight for Virtualization, Standard Edition is not affected by this issue.

Workaround/Resolution

Quest Inc. recommends applying Foglight 5.6.11.3 for those users currently running version 5.6.11, 5.6.11.1, or 5.6.11.2. If you are running on a Foglight version lower than 5.6.11, it is recommended that you either:

  • Upgrade your Foglight Management Server to 5.6.11, then apply 5.6.11.3.
    • vFoglight or Foglight for Virtualization, Enterprise Edition 6.x or 7.x users should upgrade to version 7.2, which is based on Foglight Management Server 5.6.11.1, and then apply 5.6.11.3.
    • Foglight for Storage Management 3.x users should upgrade to version 3.2, which is based on Foglight Management Server 5.6.11.1, and then apply 5.6.11.3.
  • Restrict HTTP and HTTPS access to your Foglight Management Server to trusted individuals.

If neither of these options is possible for you, speak to your Quest Sales representative.

Status

If you need technical assistance regarding this notification, please log a Service Request or use the Contact Support page for other contact methods available.

Thank You,

Quest