Critical Security Issues of VMware vSphere Data Protection
Action required to remediate
This is a Press Release edited by StorageNewsletter.com on January 8, 2018 at 2:39 pm, reproducing a VMware Security Advisory by VMware, Inc.
vSphere Data Protection (VDP) updates address multiple security issues.
VMware Security Advisory
- Advisory ID: VMSA-2018-0001
- Severity: Critical
- Synopsis: vSphere Data Protection (VDP) updates address multiple security issues.
- Issue date: 2018-01-02
- Updated on: 2018-01-02 (Initial Advisory)
- CVE numbers: CVE-2017-15548, CVE-2017-15549, CVE-2017-15550
1. Summary
VDP updates address multiple security issues
2. Relevant Products
VDP
3. Problem Description
a. VDP authentication bypass vulnerability
VDP contains an authentication bypass vulnerability.
A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.
The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2017-15548 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
b. VDP arbitrary file upload vulnerability
VDP contains a file upload vulnerability. A remote authenticated malicious user with low privileges could potentially upload arbitrary maliciously crafted files in any location on the server file system.
The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2017-15549 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
c. VDP path traversal vulnerability
VDP contains a path traversal vulnerability. A remote authenticated malicious user with low privileges could access arbitrary files on the server file system in the context of the running vulnerable application.
The Common Vulnerabilities and Exposures project has assigned the identifier CVE-2017-15550 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
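Issues b. and c. above are the two faces of one server-side mistake: a client-supplied file name is joined onto a server directory without checking that the result stays inside it, so an upload can land "in any location on the server file system" and a read can reach "arbitrary files". The following is an added illustration of that pattern and its hardened form; it is generic example code, not VDP's code, and the directory names, function names and sample files in it are constructed for the demonstration.

```python
import os
import tempfile

# Added illustration, not VDP code. Both the upload bug and the read bug
# come from trusting a user-controlled name relative to a server directory.

def unsafe_join(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: use the client-supplied name as-is."""
    return os.path.join(base_dir, user_path)

def contained_path(base_dir: str, user_path: str):
    """Hardened form: resolve '..' and symlinks, then require the result to
    lie under base_dir. Returns the absolute path, or None if it escapes."""
    base = os.path.realpath(base_dir)
    # Strip leading separators so an absolute name cannot replace base_dir
    # (os.path.join discards everything before an absolute component).
    candidate = os.path.realpath(os.path.join(base, user_path.lstrip("/\\")))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # e.g. paths on different drives on Windows
        return None
    return candidate

def store_upload(base_dir: str, name: str, data: bytes) -> bool:
    """Write an uploaded file only if its target stays inside base_dir."""
    target = contained_path(base_dir, name)
    if target is None:
        return False
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return True

def read_file(base_dir: str, name: str):
    """Serve a file only if the requested name resolves inside base_dir."""
    target = contained_path(base_dir, name)
    if target is None or not os.path.isfile(target):
        return None
    with open(target, "rb") as fh:
        return fh.read()

def demo() -> dict:
    """Exercise both patterns against constructed input in a scratch directory."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(uploads)
    secret = os.path.join(root, "secret.txt")   # lives outside uploads/
    with open(secret, "wb") as fh:
        fh.write(b"not for clients")
    traversal = "../secret.txt"                 # constructed attacker input
    return {
        # the naive join points straight at the file outside uploads/
        "unsafe_points_outside": os.path.realpath(unsafe_join(uploads, traversal))
                                 == os.path.realpath(secret),
        "upload_escape_blocked": store_upload(uploads, "../../etc/planted.sh", b"#!/bin/sh\n") is False,
        # an absolute name is treated as relative and so stays inside uploads/
        "abs_name_kept_inside": store_upload(uploads, "/etc/planted.sh", b"x")
                                and os.path.isfile(os.path.join(uploads, "etc", "planted.sh")),
        "upload_ok": store_upload(uploads, "reports/daily.txt", b"ok"),
        "read_escape_blocked": read_file(uploads, traversal) is None,
        "read_ok": read_file(uploads, "reports/daily.txt"),
    }

if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The check is done on the resolved path rather than by searching the string for `..`, because encoded, doubled or symlinked variants of a traversal all collapse to the same real path, and that is what the file system will actually open.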
4. Solution
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
VDP 6.1.6
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?productId=491&downloadGroup=VDP616
https://www.vmware.com/support/pubs/vdr_pubs.html
VDP 6.0.7
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?productId=491&downloadGroup=VDP60_7
https://www.vmware.com/support/pubs/vdr_pubs.html
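The remediation above amounts to two checks an operator will want to script: is the installed VDP build at or past the fixed release for its line (6.0.7 on the 6.0 line, 6.1.6 on the 6.1 line), and does the downloaded package match the published checksum. The following is an added helper for both, not VMware tooling. It assumes that later releases on the same line keep the fix, it reports nothing for lines the advisory does not mention, and the version strings and file contents it is tried on are constructed.

```python
import hashlib
import hmac
import re
import tempfile

# Added helper, not VMware's tooling. Fixed releases are those named in the
# advisory; anything at or above them on the same line is assumed patched.
FIXED = {(6, 0): (6, 0, 7), (6, 1): (6, 1, 6)}

def parse_version(text: str):
    """Return (major, minor, patch) from a string such as '6.1.5' or '6.0.7.12'."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_patched(version: str):
    """True/False for the 6.0 and 6.1 lines covered by VMSA-2018-0001,
    None for a line the advisory does not address."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def checksum_matches(path: str, expected_hex: str) -> bool:
    """Stream the file through SHA-256 and compare to the published digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return hmac.compare_digest(h.hexdigest(), expected_hex.strip().lower())

def demo_checksum() -> bool:
    """Write a constructed file and verify it against a known SHA-256."""
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(b"abc")
        path = fh.name
    # SHA-256 of the bytes b"abc"
    known = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
    return checksum_matches(path, known)

if __name__ == "__main__":
    for v in ("6.0.6", "6.0.7", "6.1.5", "6.1.6", "5.8.0"):
        print(v, is_patched(v))
    print("checksum demo:", demo_checksum())
```

Pass the digest copied from the VMware download page as `expected_hex`; the constant-time compare is habit rather than necessity here, but it costs nothing.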
5. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15548
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15549
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15550
6. Change log
2018-01-02 VMSA-2018-0001
Initial security advisory in conjunction with the release of VMware vSphere Data Protection 6.1.6 and 6.0.7 on 2018-01-02.
7. Contact
E-mail list for product security notifications and announcements
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org
E-mail: security@vmware.com
PGP key
VMware Security Response Policy
VMware Lifecycle Support Phases