CVE-2022-46898
📋 TL;DR
This vulnerability allows attackers to perform path traversal attacks via the 'restore SQL data' filename in Vocera Report Server and Voice Server. By exploiting improper filename sanitization, attackers can escape the intended restoration directory and execute arbitrary SQL commands against the database. Organizations using affected Vocera products are at risk.
💻 Affected Systems
- Vocera Report Server
- Vocera Voice Server
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the database leading to data theft, data manipulation, or full system takeover via SQL injection.
Likely Case
Unauthorized database access allowing data exfiltration or modification of critical healthcare information.
If Mitigated
Limited impact with proper network segmentation and access controls preventing exploitation attempts.
🎯 Exploit Status
Exploitation requires access to the restoration function but path traversal payloads are well-documented.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 5.9 or later
Vendor Advisory: https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html
Restart Required: Yes
Instructions:
1. Download Vocera Report Server/Voice Server version 5.9 or later from Stryker.
2. Back up current configuration and data.
3. Install the updated version following vendor documentation.
4. Restart services to apply changes.
🔧 Temporary Workarounds
Disable Database Restoration Function
Temporarily disable the websocket function that allows database restoration until patching is complete.
Consult Vocera documentation for specific service/function disablement procedures
Network Access Restrictions
Restrict network access to the Vocera Report Console to only authorized administrative systems.
Configure firewall rules to limit access to specific IP addresses
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Vocera servers from other critical systems
- Enable detailed logging and monitoring for any database restoration attempts
🔍 How to Verify
Check if Vulnerable:
Check current version in Vocera administration interface. If version is 5.8 or earlier, system is vulnerable.
Check Version:
Check via Vocera web administration interface or consult system documentation
Verify Fix Applied:
Verify version is 5.9 or later in administration interface and test restoration function with controlled inputs.
📡 Detection & Monitoring
Log Indicators:
- Unusual database restoration attempts
- Websocket connections with path traversal patterns in filenames
- SQL errors from unexpected file paths
Network Indicators:
- Websocket traffic to restoration endpoints with unusual payloads
- Database connections from Vocera server with unexpected queries
SIEM Query:
source="vocera_logs" AND (event="database_restoration" OR event="websocket_connection") AND (filename="*../*" OR filename="*..\\*")
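The log and SIEM indicators above, as an added example that is not part of this advisory: a small Python scanner over constructed key=value log lines (the field names follow the SIEM query; the log format itself is an assumption) that flags restore filenames containing a `..` path segment after percent-decoding, so encoded variants that the wildcard query would miss are still caught while names like `data..sql` are not.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (not real Vocera output). The key=value
# layout and field names mirror the SIEM query; both are assumptions.
SAMPLE_LOGS = [
    'source="vocera_logs" event="database_restoration" filename="backup_2022-12-01.sql"',
    'source="vocera_logs" event="database_restoration" filename="../../etc/passwd"',
    'source="vocera_logs" event="websocket_connection" filename="..\\..\\windows\\win.ini"',
    'source="vocera_logs" event="database_restoration" filename="%2e%2e%2f%2e%2e%2fdb%2fdump.sql"',
    'source="vocera_logs" event="login" filename="../ignored.sql"',
    'source="vocera_logs" event="database_restoration" filename="data..sql"',
]

# Only the restoration-related events from the SIEM query are of interest.
WATCHED_EVENTS = {"database_restoration", "websocket_connection"}
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Split a key="value" log line into a dict."""
    return dict(KV_RE.findall(line))


def has_traversal(filename):
    """True if any path segment is exactly '..' after up to two rounds of
    percent-decoding, regardless of whether '/' or '\\' separates segments."""
    decoded = filename
    for _ in range(2):  # double-encoded payloads decode in two passes
        decoded = unquote(decoded)
    segments = re.split(r"[\\/]+", decoded)
    return any(seg == ".." for seg in segments)


def find_traversal_attempts(lines):
    """Return (event, filename) pairs for watched events whose restore
    filename escapes the intended directory."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields.get("event") not in WATCHED_EVENTS:
            continue
        if has_traversal(fields.get("filename", "")):
            hits.append((fields["event"], fields["filename"]))
    return hits


if __name__ == "__main__":
    for event, name in find_traversal_attempts(SAMPLE_LOGS):
        print(f"ALERT {event}: suspicious restore filename {name!r}")
```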
🔗 References
- https://www.stryker.com/us/en/about/governance/cyber-security/product-security/
- https://www.stryker.com/us/en/about/governance/cyber-security/product-security/vocera-report-server-vulnerabilities--cve-2022-46898--cve-2022-4.html