CVE-2018-15904

9.8 CRITICAL

📋 TL;DR

This vulnerability in A10 ACOS Web Application Firewall (WAF) allows SQL injection attacks to bypass the WAF's protection rules, potentially enabling attackers to execute malicious SQL commands against protected web applications. It affects organizations using vulnerable versions of A10 ACOS WAF to protect their web applications.

💻 Affected Systems

Products:
  • A10 ACOS Web Application Firewall (WAF)
Versions: 2.7.1-2.7.2 before 2.7.2-P12, 4.1.0 before 4.1.0-P11, 4.1.1 before 4.1.1-P8, 4.1.2 before 4.1.2-P4
Operating Systems: Not OS-specific - affects A10 ACOS WAF appliance/software
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all configurations using SQL injection protection rules. The vulnerability is in the rule processing engine itself.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers bypass WAF protection and execute arbitrary SQL commands against backend databases, leading to data theft, data manipulation, or complete database compromise.

🟠 Likely Case

SQL injection attacks succeed against web applications that would normally be blocked by the WAF, potentially exposing sensitive data or allowing unauthorized access.

🟢 If Mitigated

With proper patching and additional security controls, the risk is limited to potential bypass attempts that are detected and blocked by other security layers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection is a well-understood attack vector, and bypassing WAF protection significantly lowers the barrier for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.7.2-P12, 4.1.0-P11, 4.1.1-P8, 4.1.2-P4 or later

Vendor Advisory: https://www.a10networks.com/support/security-advisories/waf-sql-injection-attack-sqlia-vulnerability

Restart Required: Yes

Instructions:

1. Download the appropriate patch from the A10 support portal.
2. Apply the patch following A10's upgrade procedures.
3. Restart the WAF service.
4. Verify the patch is applied correctly.

🔧 Temporary Workarounds

Temporary rule adjustment (applies to: all)

  • Adjust WAF rules to be more restrictive on SQL patterns while waiting for the patch
  • Configure additional custom rules to block common SQL injection patterns

Network segmentation (applies to: all)

  • Restrict access to protected web applications to reduce the attack surface
  • Implement firewall rules to limit the source IPs that can reach protected applications

🧯 If You Can't Patch

  • Implement additional web application security controls like input validation at the application layer
  • Deploy additional WAF or IPS solutions in front of the vulnerable A10 WAF

🔍 How to Verify

Check if Vulnerable:

Check the ACOS version via the CLI command 'show version' and compare it against the affected versions listed above.

Check Version:

show version

Verify Fix Applied:

Verify that 'show version' reports a patched build (2.7.2-P12, 4.1.0-P11, 4.1.1-P8, 4.1.2-P4 or later for the respective release train).
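A small version-triage helper, added here as an example and not part of this advisory or of A10's own tooling. It encodes the affected ranges listed above; the version syntax 'MAJOR.MINOR.PATCH[-P<n>]' and the sample 'show version' line are assumptions, since the real output layout is not shown on this page.

```python
import re
from typing import Optional, Tuple

# First patched build of each affected ACOS release train, from the advisory fields above.
FIXED_PATCH_LEVEL = {
    (2, 7, 2): 12,   # 2.7.2-P12
    (4, 1, 0): 11,   # 4.1.0-P11
    (4, 1, 1): 8,    # 4.1.1-P8
    (4, 1, 2): 4,    # 4.1.2-P4
}

# Assumed version syntax: "MAJOR.MINOR.PATCH" optionally followed by "-P<n>".
# A real ACOS build string may carry extra tokens; strings with no such token are "unparsed".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-P(\d+))?")


def parse_acos_version(text: str) -> Optional[Tuple[Tuple[int, int, int], int]]:
    """Extract ((major, minor, patch), p_level) from a version string or a whole
    'show version' dump; a missing -P suffix counts as patch level 0."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    train = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    p_level = int(m.group(4)) if m.group(4) else 0
    return train, p_level


def classify(text: str) -> str:
    """Return 'affected', 'patched', 'not_listed' or 'unparsed' for CVE-2018-15904."""
    parsed = parse_acos_version(text)
    if parsed is None:
        return "unparsed"
    train, p_level = parsed
    if train == (2, 7, 1):
        return "affected"          # every 2.7.1 build precedes the 2.7.2-P12 fix
    fixed = FIXED_PATCH_LEVEL.get(train)
    if fixed is None:
        return "not_listed"        # release train not named in the advisory
    return "affected" if p_level < fixed else "patched"


if __name__ == "__main__":
    # Constructed sample of a 'show version' line; the real layout is not shown on this page.
    sample_output = "ACOS 4.1.1-P7 build 100 (Sep-2018)"
    print(classify(sample_output))   # affected
```

Paste the full 'show version' output into classify(); a 'not_listed' result only means the release train is not named in this advisory, not that it is safe.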

📡 Detection & Monitoring

Log Indicators:

  • SQL injection attempts that should have been blocked by WAF but weren't
  • Unusual database access patterns from web applications

Network Indicators:

  • SQL injection payloads in HTTP requests that bypass WAF inspection

SIEM Query:

source="a10_waf" AND (event_type="sql_injection" OR sql_keywords) AND action!="blocked"
