vSphere Data Protection (VDP) updates address multiple security issues
a. VDP authentication bypass vulnerability.
VDP contains an authentication bypass vulnerability.
A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-15548 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
b. VDP arbitrary file upload vulnerability.
VDP contains a file upload vulnerability. A remote authenticated malicious user with low privileges could potentially upload arbitrary maliciously crafted files to any location on the server file system.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-15549 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
c. VDP path traversal vulnerability.
VDP contains a path traversal vulnerability. A remote authenticated malicious user with low privileges could access arbitrary files on the server file system in the context of the running vulnerable application.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2017-15550 to this issue.
Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
4. Solution
Please review the patch/release notes for your product and version and verify the checksum of your downloaded file.
vSphere Data Protection (VDP) 6.1.6
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?productId=491&downloadGroup=VDP616
https://www.vmware.com/support/pubs/vdr_pubs.html
vSphere Data Protection (VDP) 6.0.7
Downloads and Documentation:
https://my.vmware.com/group/vmware/details?productId=491&downloadGroup=VDP60_7
https://www.vmware.com/support/pubs/vdr_pubs.html
6. Change log
2018-01-02 VMSA-2018-0001
Initial security advisory in conjunction with the release of VMware vSphere Data Protection 6.1.6 and 6.0.7 on 2018-01-02.
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
security-announce@lists.vmware.com
bugtraq@securityfocus.com
fulldisclosure@seclists.org
E-mail: security@vmware.com
PGP key at:
VMware Security Advisories
http://www.vmware.com/security/advisories
VMware Security Response Policy
https://www.vmware.com/support/policies/security_response.html
VMware Lifecycle Support Phases
https://www.vmware.com/support/policies/lifecycle.html
VMware Security & Compliance Blog
https://blogs.vmware.com/security
Copyright 2018 VMware Inc. All rights reserved.