[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] ESA-2017-075: EMC Data Protection Advisor Multiple Vulnerabilities

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] ESA-2017-075: EMC Data Protection Advisor Multiple Vulnerabilities
From: EMC Product Security Response Center <Security_Alert@xxxxxxx>
Date: Thu, 6 Jul 2017 15:06:05 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


ESA-2017-075: EMC Data Protection Advisor Multiple Vulnerabilities

EMC Identifier  ESA-2017-075 

CVE Identifier  CVE-2017-8002, CVE-2017-8003  

Severity:  Medium  

Severity Rating: CVSS Base Score  View details below for individual CVSS Score 
for each CVE  

Affected products: 
EMC Data Protection Advisor versions prior to 6.4
 
Summary: 
A software update to EMC Data Protection Advisor contains fixes for multiple 
security vulnerabilities that could potentially be exploited by malicious users 
to compromise the affected system.

Details    
Multiple Blind SQL Injection Vulnerabilities (CVE-2017-8002)
  
EMC Data Protection Advisor contains multiple blind SQL injection 
vulnerabilities. A remote authenticated attacker may potentially exploit these 
vulnerabilities to gain information about the application by causing execution 
of arbitrary SQL commands.
 
CVSSv3.0 Base Score 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)


Path Traversal Vulnerability (CVE-2017-8003)
  
EMC Data Protection Advisor contains a path traversal vulnerability. A remote 
authenticated high privileged user may potentially exploit this vulnerability 
to access unauthorized information from the underlying OS server by supplying 
specially crafted strings in input parameters of the application.
 
CVSSv3.0 Base Score: 6.8 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N) 


Resolution:
The following EMC Data Protection Advisor release contains resolutions to these 
vulnerabilities: 

EMC Data Protection Advisor version 6.4
  
EMC recommends all customers upgrade at the earliest opportunity.  

Link To Remedies:
Registered EMC Online Support customers can download the required patch from 
support.emc.com at https://support.emc.com/downloads/829_Data-Protection-Advisor
If you have any questions, contact DELL EMC Support. 


Credits:
DELL EMC would like to thank rgod working with Trend Micro's Zero Day 
Initiative for reporting these vulnerabilities. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZXkz+AAoJEHbcu+fsE81ZvNEH/0YKEHJ4qAoXc9ZrZOMvDbqE
Di79jtHeikuinWA+E6lyUd+0dblVwEdScEf4NHTBRtLLXxj53LAkey1CUt3hpNoG
oUWghsLKw/YUeXvjn2EDmv85OPKsxGOWNw0HedAt5MqSuJhkOroHTK13FwR+y9sE
XeClCnX86n89e6V0Ac4/ivBmBUUvSDcy5DBkrHBYIbArSjnYzeBFTiKN7YFQjIZz
LJ2nKiUNOeIgI/ziBz4zXoEJXSvP4g5vtwW3Za6NrFZLkIw5KTgLJdRRumh+fJ1N
bU3pa1b/DtxoIvsvUXZ+CBhtt1mEbkO9OyleJtJeIrGDf3E1D1L4lO+l8qWResw=
=D6YP
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] SSD Advisory – EMC IsilonSD Edge Command Injection
Next by Date: [FD] ESA-2017-011: EMC ESRS Policy Manager Undocumented Account Vulnerability
Previous by thread: [FD] SSD Advisory – EMC IsilonSD Edge Command Injection
Next by thread: [FD] ESA-2017-011: EMC ESRS Policy Manager Undocumented Account Vulnerability
Index(es):
- Date
- Thread