[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] ESA-2017-081: EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R (Watch4Net) for SAS Solution Packs Multiple Vulnerabilities

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] ESA-2017-081: EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R (Watch4Net) for SAS Solution Packs Multiple Vulnerabilities
From: EMC Product Security Response Center <Security_Alert@xxxxxxx>
Date: Wed, 20 Sep 2017 12:39:03 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-081:  EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R (Watch4Net) 
for SAS Solution Packs Multiple Vulnerabilities 

EMC Identifier: ESA-2017-081
CVE Identifier: CVE-2017-8007, CVE-2017-8012    
Severity Rating: CVSS Base Score:  See below for individual scores. 

Affected products:  
*       EMC ViPR SRM all versions 
*       EMC Storage M&R all versions 
*       EMC VNX M&R all versions
*       EMC M&R (Watch4Net) for SAS Solution Packs all versions

Summary:  
EMC ViPR  SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R (Watch4Net) for SAS 
Solution Packs  contain multiple vulnerabilities that could potentially be 
exploited by malicious users to compromise the affected system. 

Details:  
*       Directory Traversal Vulnerability (CVE-2017-8007) 
Webservice Gateway used in these products is affected by a directory traversal 
vulnerability. Attackers with knowledge of Webservice Gateway credentials could 
potentially exploit this vulnerability to access unauthorized information, and 
modify or delete data by supplying specially crafted strings in input 
parameters of the web service call. 

CVSSv3 Base Score:  8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

*       JMX Denial of Service Vulnerability (CVE-2017-8012)
The Java Management Extensions (JMX) protocol used to communicate between 
components in the Alerting and/or Compliance components in these products can 
be leveraged to create a denial of service (DoS) condition. Attackers with 
knowledge of JMX  agent user credentials could potentially exploit this 
vulnerability to create arbitrary files on the affected system and create a DoS 
condition by leveraging inherent JMX protocol capabilities. 

CVSSv3 Base Score:  7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Resolution:  

Mitigation information for CVE-2017-8007:
*       EMC ViPR SRM customers: Upgrade to EMC ViPR SRM version 4.1
*       EMC Storage M&R customers: Upgrade to EMC Storage M&R version 4.1 
*       EMC M&R (Watch4Net) for SAS Solution Packs customers: Apply EMC M&R 
6.7.x fix for Directory Traversal Vulnerability Update Package
*       EMC VNX M&R customers:  Migrate to EMC Storage M&R version 4.1 
*       All customers are strongly advised to change any default WebService 
Gateway credentials.  Please see ESA-2017-089 for more details on how to change 
the credentials.
*       Customers are strongly advised to review product documentation and use 
firewall controls to limit access to WebService Gateway and all other internal 
ports only to those servers that require access to them.
o       For vApp installations, please review Knowledge Base article 503844 
(https://support.emc.com/kb/503844) for guidance on making firewall changes 
within the vApp.

Mitigation information for CVE-2017-8012 for all customers:
*       Change any default JMX agent credentials. Please see ESA-2017-089 for 
more details on how to change the credentials.
*       Review product documentation and use firewall controls to limit access 
to the JMX ports and all other internal ports only to those servers that 
require access to them.
o       For vApp installations, please review Knowledge Base article 503844 
(https://support.emc.com/kb/503844) for guidance on making firewall changes 
within the vApp.
*       Future releases will contain further measures to remove or harden 
communication via the JMX protocol. EMC VNX M&R customers must migrate to EMC 
Storage M&R version 4.1 or later to receive future security fixes.  

Link to remedies:

*       For EMC ViPR SRM and EMC Storage M&R, registered EMC Online Support 
customers can download patches and software from support.emc.com at: 
https://support.emc.com/downloads/34247_ViPR-SRM.

*       For EMC M&R (Watch4Net) for SAS Solution Packs, registered EMC Online 
Support customers can download patches and software from support.emc.com at:
https://support.emc.com/downloads/6175_Smarts-Service-Assurance-Manager

*       For VNX M&R, registered EMC Online Support customers can follow the 
mitigation steps described above.


Credits: 
EMC would like to thank rgod working with Trend Micro's Zero Day Initiative for 
reporting these vulnerabilities.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZwl9WAAoJEHbcu+fsE81ZLegH+wU8RTmKZt33ThZsOJcGekEJ
CuD+v/JawNGDxK6nheFPreMa/IQRTTskGeVmbqypcV6Gh5pfx711OYzMnXBsufqH
LNNywQ6q1hsM5LPYkZ1hu9bHcotM5Uvd80Lpsld1xU3TGbU+ruULPK2WY1QHcIyL
IvU43HW803SCTS5lNaL+OKX3Coa+UUW1t7psJ0mVdCC3U19Qh+RrZPSnyHBThe5Z
Btho0WoKauY+jqO6RxML+BT8D02Dn/+kjnlWyaca0QTXu8k0oEBqLI+vnO+KJCKY
HxkxI1uvWsWy+z7x3MdsatFCl9ksMpXsWBoPR4EgZGbebDX38R9+ww/ryWQDPQ8=
=jk2j
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] APPLE-SA-2017-09-20-3 tvOS 11
Next by Date: [FD] CSNC-2017-023: Buffer Overflow in Mongoose MQTT Broker
Previous by thread: [FD] APPLE-SA-2017-09-20-3 tvOS 11
Next by thread: [FD] CSNC-2017-023: Buffer Overflow in Mongoose MQTT Broker
Index(es):
- Date
- Thread