CVE-2021-22298

Vulnerability

A logic vulnerability exists in Huawei Gauss100 OLTP Product, specifically in ManageOne versions 6.5.1.1.B020, 6.5.1.1.B030, 6.5.1.1.B040, 6.5.1.SPC100.B050, 6.5.1.SPC101.B010, 6.5.1.SPC101.B040, 6.5.1.SPC200, 6.5.1.SPC200.B010, 6.5.1.SPC200.B030, 6.5.1.SPC200.B040, 6.5.1.SPC200.B050, 6.5.1.SPC200.B060, 6.5.1.SPC200.B070, 6.5.1RC1.B070, 6.5.1RC1.B080, 6.5.1RC2.B040, 6.5.1RC2.B050, 6.5.1RC2.B060, 6.5.1RC2.B070, 6.5.1RC2.B080, and 6.5.1RC2.B090 [1]. The root cause is insufficient security design, which enables an attacker with certain database permissions to execute a specific SQL statement that triggers a logic flaw [1].

Exploitation

The attacker must have certain database permissions on the affected ManageOne instance [1]. No user interaction is required beyond the attacker's own actions. The attacker crafts and executes a specific SQL statement that exploits the logic vulnerability [1]. The exact SQL details are not publicly disclosed.

Impact

Successful exploitation leads to an abnormal service condition (denial of service), affecting the availability of the affected system [1]. The confidentiality and integrity of data are not directly impacted per the available references.

Mitigation

Huawei has released software updates to fix this vulnerability. The recommended fix is to upgrade to ManageOne version 8.0.2 [1]. No workarounds or EOL status were disclosed in the references.