Security Advisory - Three Vulnerabilities in Huawei FusionSphere

There is an incorrect authorization vulnerability in Huawei FusionSphere. An authenticated attacker could execute commands that he/she should have had no permission to perform, thereby querying, modifying, and deleting certain service data and making the service unavailable. (Vulnerability ID: HWPSIRT-2017-06166)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-8196.

There is a command injection vulnerability in Huawei FusionSphere due to insufficient input validation. An authenticated, remote attacker could craft packets with malicious strings and send them to a target device. Successful exploit could allow the attacker to launch a command injection attack and execute system commands. (Vulnerability ID: HWPSIRT-2017-06167)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-8197.

There is an SQL injection vulnerability in Huawei FusionSphere due to the insufficient input validation. An authenticated, remote attacker could craft interface messages carrying malicious SQL statements and send them to a target device. Successful exploit could allow the attacker to launch an SQL injection attack and execute SQL commands. (Vulnerability ID: HWPSIRT-2017-06168)
This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2017-8198.

Huawei has released software updates to fix these vulnerabilities. This advisory is available at the following link:
http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170913-01-fusionsphere-en