A huge collection of 3400+ free website templates JAR theme com WP themes and more at the biggest community-driven free web design site
Home / security-advisories / Vmware Vsphere Data Protection (VDP) Vulnerability

Vmware Vsphere Data Protection (VDP) Vulnerability

Date of First Release: 10-01-2018

Source: VMware

Product affected:

vSphere Data Protection (VDP) running on the virtual machines Version 6.1.x, 6.0.x and 5.x 

Overview:

VSphere Data Protection (VDP) contains multiple authentication bypass, arbitrary file upload and path traversal vulnerabilities.

Description:

VMware has release security advisory to address three critical vulnerabilities in vSphere Data Protection (VDP). The vulnerabilities contains multiple authentication bypass, arbitrary file upload and path traversal and it affects VDP version 5.x, 6.0.x and 6.1.x.

The authentication bypass vulnerability can allow an unauthenticated malicious user to remotely bypass authentication and gain root access to the affected system,  arbitrary file upload vulnerability can allow a malicious user with access to a low-privileged account to upload malicious files to any location on the server file system and the path traversal vulnerability can allow a malicious user with low privileges to access arbitrary files on the server in the context of the vulnerable application.

Impact:

The exploitation of the aforementioned vulnerabilities could allow a malicious user to take control of the affected system. 

Solution:

User and administrator are advised to review released notes and install recommended patches:

  • VDP version 6.1.x users should replace with or apply patch VDP version 6.1.6;
  • VDP version 6.0.x users should replace with or apply patch VDP version 6.0.7;
  • VDP version 5.x users should replace with or apply patch VDP version 6.0.7.

References

  1. https://www.vmware.com/security/advisories/VMSA-2018-0001.html
  2. http://www.securityweek.com/vmware-patches-critical-flaws-vsphere-data-protection
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15548
  3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15549
  4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15550

Check Also

SQL Injection in Bamboo Data Center and Server (CVE-2024-1597)

Advisory No: TZCERT/SA/2024/03/21-02 Date of First Release: 21st March 2024 Source: Atlassian Software Affected: Bamboo …