[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

VCE3570: VCE Vision(TM) Intelligent Operations Cryptographic and Cleartext Vulnerabilities

To: "'bugtraq@xxxxxxxxxxxxxxxxx'" <'bugtraq@xxxxxxxxxxxxxxxxx'>, "'dm@xxxxxxxxxxxxxxxxx'" <'dm@xxxxxxxxxxxxxxxxx'>
Subject: VCE3570: VCE Vision(TM) Intelligent Operations Cryptographic and Cleartext Vulnerabilities
From: VCE - PSIRT <VCEPSIRT@xxxxxxx>
Date: Wed, 17 Jun 2015 08:23:52 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


VCE3570: VCE Vision(TM) Intelligent Operations Cryptographic and Cleartext 
Vulnerabilities

CVE Identifier:  CVE-2015-4056, CVE-2015-4057

Severity Rating: CVSSv2 Base Score: See below for individual scores for each CVE

Affected products:  
        VCE Vision Intelligent Operations prior to 2.6.5

Summary:  
        VCE Vision(TM) software versions prior to 2.6.5 have been identified to 
contain security vulnerabilities that may potentially be leveraged by a 
malicious user to obtain sensitive information

Details:
        Weak Cryptographic Scheme (CVE-2015-4056) 
        Weak cryptographic scheme in the VCE Vision(TM) System Library that can 
result in access to sensitive information by an authenticated administrative 
user
        Exploitation requires that an attacker login as root to a VCE Vision 
System Library virtual machine where the potential exists for sensitive system 
credential information in several VCE Vision application configuration files to 
be accessed in an unauthorized manner.

        CVSS v2 Base Score: 6.6 (AV:L/AC:M/Au:N/C:C/I:C/A:P)

        
        Cleartext Transmission (CVE-2015-4057)
        Cleartext transmission issue in the VCE Vision(TM) Plug-in for VMware 
vCenter for VCE Vision software that could be exploited by attackers to obtain 
password information
        The VCE Vision admin user password is reflected in cleartext when the 
user loads the Settings screen of the VCE Vision Plug-in for VMware vCenter via 
a web browser.

        CVSS v2 Base Score: 5.4 (AV:A/AC:M/Au:N/C:P/I:P/A:P)

Resolution: 
        These vulnerabilities are fixed in VCE Vision software 2.6.5 and above. 
Customers should upgrade to VCE Vision software 2.6.5 at their earliest 
opportunity.

Link to remedies:
        VCE Vision software version 2.6.5 can be located within the VCE(TM) 
Download Center by logging into http://support.vce.com > VCE Download Center > 
VCE Software and VCE Software Documentation for VCE Converged Infrastructure 
Systems>Respective Vblock VCE Software Addendum
        You can find the VCE Vision software version 2.6.5 upgrade guide in the 
VCE Download Center by logging into http://support.vce.com > VCE Download 
Center > respective Vblock System model >VBXXX VCE Software Documentation>VCE 
Vision Intelligent Operations Documentation for Vblock System XXX
        If you have any questions, contact VCE(TM) Support.

Read and use the information in this VCE Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact VCE Technical 
Support.
VCE recommends all customers take into account both the base score and any 
relevant temporal and environmental scores which may impact the potential 
severity associated with particular security vulnerability.

VCE Company, LLC distributes VCE Security Advisories, in order to bring to the 
attention of users of the affected VCE products, important security 
information. VCE recommends that all users determine the applicability of this 
information to their individual situations and take appropriate action. The 
information set forth herein is provided "as is" without warranty of any kind. 
VCE disclaims all warranties, either express or implied, including the 
warranties of merchantability, fitness for a particular purpose, title and 
non-infringement. In no event, shall VCE or its suppliers, be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if VCE or its suppliers have been 
advised of the possibility of such damages. Some states do not allow the 
exclusion or limitation of liability for consequential or incidental damages, 
so the foregoing limitation may not apply.

VCE Product Security Incident Response Team
vcepsirt () vce com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJVgO5aAAoJEFsFEWrxf5544rgQAM0RYTqP7KI8rfVGuArJXBwc
yEbEgv0Fc7rv8k1LWAIxRni1S+5mZtiIw+RXQUbsy7s3uh4ro1Wmp+XwbutTHQpb
Cp2Nd0REkVm24hpyEGlcGvhicnEsKj27gqNUkYi8h/mCK4pqEU3wfw4SbfKF4bpv
Nn85xwxDmC2TwJHJGGbRwPcx1pgAWO7sYHSpO0JAvKlf2Yrvw5FS2tzLEdJ/Te6K
nJ4of77v+7CvnmJ7peskvgOdnIEmLUT6nZwi0TcIT/htm5N29qIfdq8kafEwMSmU
jrpqWI6XEQtPm6F6jm/5CvT4rJm8Uaa9jcCA9t+XSF0116Ovkj3AiWNmegK21Cfa
VWTYn7a/eV1+BTItr+yXISa8oqQMhAM7E25ALxHvXYCeG1xzxUNFjeJ/zh80JN+G
UoZBPn4tUK6cVZuKcECW4blXirP73R8+H/xQFkKqRI5COgKgW0urJAW9WEgufyax
CjTR3eQjtfztmiQYmUXSp6EdK/cRi6tFWUTZFRvqvWJ+3+28TeNs8+nyWBFF+Jro
IWtFx+npyOnCP+jTsFHu4vaOuq6DOusu9kaf+WQk/R7O6BqosTCbL3Xnie8OeM8T
56Nq6NNtmXa2gVNceDcAfACD1kkzxviaZWBvMERMvUp+ELBGRxgwVkPiCKWMmoUW
mJBCpzsvzdVN8ZWKcWXE
=oRil
-----END PGP SIGNATURE-----

Prev by Date: Reflected Cross-Site Scripting (XSS) in SearchBlox
Next by Date: [security bulletin] HPSBGN03350 rev.1 - HP SiteScope Using RC4, Remote Disclosure of Information
Previous by thread: Reflected Cross-Site Scripting (XSS) in SearchBlox
Next by thread: [security bulletin] HPSBGN03350 rev.1 - HP SiteScope Using RC4, Remote Disclosure of Information
Index(es):
- Date
- Thread