Date of First Release: 10-01-2018
vSphere Data Protection (VDP) versions 6.1.x, 6.0.x and 5.x running on virtual machines
vSphere Data Protection (VDP) contains multiple authentication bypass, arbitrary file upload and path traversal vulnerabilities.
VMware has released a security advisory to address three critical vulnerabilities in vSphere Data Protection (VDP). These are authentication bypass, arbitrary file upload and path traversal vulnerabilities, and they affect VDP versions 5.x, 6.0.x and 6.1.x.
The authentication bypass vulnerability can allow an unauthenticated malicious user to remotely bypass authentication and gain root access to the affected system. The arbitrary file upload vulnerability can allow a malicious user with access to a low-privileged account to upload malicious files to any location on the server file system. The path traversal vulnerability can allow a malicious user with low privileges to access arbitrary files on the server in the context of the vulnerable application.
The exploitation of the aforementioned vulnerabilities could allow a malicious user to take control of the affected system.
Users and administrators are advised to review the release notes and install the recommended patches:
- VDP version 6.1.x users should replace their deployment with, or apply the patch for, VDP version 6.1.6;
- VDP version 6.0.x users should replace their deployment with, or apply the patch for, VDP version 6.0.7;
- VDP version 5.x users should replace their deployment with, or apply the patch for, VDP version 6.0.7.