[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] ESA-2017-099: EMC AppSync SQL Injection Vulnerability

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] ESA-2017-099: EMC AppSync SQL Injection Vulnerability
From: EMC Product Security Response Center <Security_Alert@xxxxxxx>
Date: Wed, 6 Sep 2017 14:10:11 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-099: EMC AppSync SQL Injection Vulnerability

EMC Identifier: ESA-2017-099
CVE Identifier: CVE-2017-8015
Severity Rating: CVSS v3 Base Score: 8.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)

Affected products:  
EMC AppSync all versions prior to 3.5

Summary:  
EMC AppSync contains a SQL injection vulnerability that could potentially be 
exploited by malicious users to compromise the affected system. 
Details:  

EMC AppSync is affected by a SQL injection vulnerability.  Attackers could 
potentially exploit this vulnerability to access information, modify data or 
disrupt certain services by causing execution of arbitrary SQL commands on the 
application using default Apollo framework user accounts "apollo" and "test". 

Resolution:  
The following EMC AppSync release contains resolution to this vulnerability: 
*       EMC AppSync version 3.5 and later (security patch "AppSync Security 
Update for SQL Injection Vulnerability" is required on top of version 3.5)

As part of mitigation, default Apollo framework user accounts "apollo" and 
"test" have been also removed as they are not used by AppSync application. 

EMC recommends all customers upgrade at the earliest opportunity. 

Link to remedies:

Customers can download AppSync 3.5 software from 
https://support.emc.com/downloads/25364_AppSync
Customers can download the security patch "AppSync Security Update for SQL 
Injection Vulnerability" from https://download.emc.com/downloads/DL86269 


Credit:
EMC would like to thank rgod working with Trend Micro's Zero Day Initiative for 
reporting this vulnerability.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZr//7AAoJEHbcu+fsE81ZIx8IAINfysHyM6BKb8SHjOJHKj/5
xgQ4DMSTE3CCK91Uo4J47G19C3eas5nfMjiHz4/0+laqSqLePOkckK63zMteH7WE
2WNOJXQwRoJtDV0xPt6WlJgkCgvk4o5u+KdYJUG98YJWZBAlU1zuTQ3HgJf3UgKW
2WTvprKLY+jl6QuMu3K5Sr4OlU+Vy0X+uspqaOZ1L+ITf9oHWrPvQnMqjXoniOcO
wtjKOCCxUciXVIowPcX7S8DH9ikZO0mCj2s88HjGu5gI6fEx1VOCne8tssbbKvoB
pvGFtNSbeJ/EcoAyA9SORH9urzS9kxd6891+QiJzgIkqfP1LBJ36XywtRA73sN0=
=E38G
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] EE 4GEE Multiple Security Vulnerabilities Advisory (CSRF/Stored XSS/JSONP)
Next by Date: [FD] SSD Advisory – Oracle Java and Apache Xerces PDF/Docx Server Side DoS
Previous by thread: [FD] EE 4GEE Multiple Security Vulnerabilities Advisory (CSRF/Stored XSS/JSONP)
Next by thread: [FD] SSD Advisory – Oracle Java and Apache Xerces PDF/Docx Server Side DoS
Index(es):
- Date
- Thread