Executive Summary

Summary
Title: vSphere Data Protection (VDP) updates address multiple security issues.
Information
Name: VMSA-2018-0029          First vendor Publication: 2018-11-20
Vendor: VMware                Last vendor Modification: 2018-11-20
Severity (Vendor): N/A        Revision: N/A

Security-Database Scoring CVSS v2

CVSS vector: N/A
CVSS Base Score: N/A          Attack Range: N/A
CVSS Impact Score: N/A        Attack Complexity: N/A
CVSS Exploit Score: N/A       Authentication: N/A

Detail

a. Remote code execution vulnerability.

VDP contains a remote code execution vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-11066 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available (the table itself is not reproduced on this page; see the original advisory linked below).

b. Open redirection vulnerability.

VDP contains an open redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users into clicking on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-11067 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
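The advisory does not say which parameter carries the redirect target, so the following is an added example (not VDP's code) of the validation a login or logout handler should apply to a caller-supplied "return to" URL before placing it in a Location header. The allow-listed hostname `vdp.example.internal` and the function names are assumptions for illustration. It rejects the bypasses that defeat naive "starts with /" or "contains our hostname" checks: protocol-relative `//host`, backslashes that browsers normalise to `/`, `https:host` with no authority, and an allow-listed name smuggled into the userinfo part.

```python
"""Allow-listed redirect validation (added example, not VDP's own code)."""
from urllib.parse import urlsplit

# Assumption: the console is only ever reached by these hostnames (illustrative).
ALLOWED_HOSTS = {"vdp.example.internal"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only for a site-relative path or an https URL whose host is allow-listed.

    Each check below closes a known bypass of naive redirect validation.
    """
    if not target:
        return False
    # Browsers turn '\' into '/' and strip tab/newline, so '/\evil.example'
    # or '/\t/evil.example' arrive as '//evil.example' (protocol-relative).
    if any(c in target for c in "\\\r\n\t\x00"):
        return False
    if target.startswith("/"):
        # '/path' stays on this host; '//host' is a URL to another host.
        return not target.startswith("//")
    parts = urlsplit(target)
    if parts.scheme != "https":
        return False  # also rejects '', 'http', 'javascript', 'data', ...
    # 'https:evil.example' parses with an empty authority (hostname None).
    # 'https://vdp.example.internal@evil.example' puts our name in userinfo.
    if parts.hostname is None or "@" in parts.netloc:
        return False
    return parts.hostname.lower() in allowed_hosts


def redirect_target(requested: str, fallback: str = "/") -> str:
    """The value a handler should emit as Location: the request if safe, else fallback."""
    return requested if is_safe_redirect(requested) else fallback


if __name__ == "__main__":
    for t in ("/dashboard", "//evil.example", "https:evil.example",
              "https://vdp.example.internal/console",
              "https://vdp.example.internal@evil.example/"):
        print(f"{t!r:50} -> {redirect_target(t)}")
```

The safest design is to not accept a URL at all and instead map an opaque key to a server-side table of destinations; when a URL must be accepted, validating the parsed host against an explicit allow-list, as above, is the minimum.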

c. Information exposure vulnerability.

VDP contains an information exposure vulnerability. The VDP Java management console's SSL/TLS private key may be leaked in the VDP Java management client package. The private key could potentially be used by an unauthenticated attacker on the same network segment (data-link layer) to initiate a MITM attack on management console users.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-11076 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
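A practitioner's first question here is whether a client package they already downloaded contains the console's key. The following added example (not VMware's code; the package layout and file names are constructed for the demonstration) walks a zip/jar distribution, recursing into nested jars, and reports PEM private keys, PKCS#12 files and Java keystores. Because the JKS envelope (entry tags, aliases and certificate chains) is stored in the clear and only the key bytes are encrypted, it can tell a truststore holding nothing but certificates apart from a keystore that carries a PrivateKeyEntry without knowing the keystore password.

```python
"""Find TLS private key material shipped inside a client package (added example)."""
import io
import re
import struct
import zipfile

PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
JKS_MAGIC = b"\xfe\xed\xfe\xed"
NESTED_ARCHIVE = (".jar", ".zip", ".war", ".ear")


def jks_private_key_aliases(blob: bytes) -> list:
    """Aliases of PrivateKeyEntry items in a JKS file (envelope is plaintext)."""
    if blob[:4] != JKS_MAGIC:
        return []
    version, count = struct.unpack_from(">II", blob, 4)
    pos, aliases = 12, []

    def skip_cert():  # v2: UTF cert type, then int32 length + DER bytes
        nonlocal pos
        if version == 2:
            pos += 2 + struct.unpack_from(">H", blob, pos)[0]
        pos += 4 + struct.unpack_from(">I", blob, pos)[0]

    for _ in range(count):
        tag, alen = struct.unpack_from(">IH", blob, pos)
        pos += 6
        alias = blob[pos:pos + alen].decode("utf-8", "replace")
        pos += alen + 8                      # alias bytes, 64-bit creation time
        if tag == 1:                         # PrivateKeyEntry
            pos += 4 + struct.unpack_from(">I", blob, pos)[0]   # encrypted key
            nchain = struct.unpack_from(">I", blob, pos)[0]
            pos += 4
            for _ in range(nchain):
                skip_cert()
            aliases.append(alias)
        elif tag == 2:                       # TrustedCertEntry
            skip_cert()
        else:
            break                            # unknown tag: stop, don't misparse
    return aliases


def scan_archive(data: bytes, prefix: str = "") -> list:
    """(path, finding) pairs for key-like entries, recursing into nested jars."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path, blob = prefix + info.filename, zf.read(info)
            lower = info.filename.lower()
            if lower.endswith(NESTED_ARCHIVE) and zipfile.is_zipfile(io.BytesIO(blob)):
                findings.extend(scan_archive(blob, path + "!/"))
            elif blob[:4] == JKS_MAGIC:
                keys = jks_private_key_aliases(blob)
                findings.append((path, "JKS with private key entries: " + ", ".join(keys)
                                 if keys else "JKS truststore (certificates only)"))
            elif PEM_KEY_RE.search(blob):
                findings.append((path, "PEM private key"))
            elif lower.endswith((".p12", ".pfx")) and blob[:2] == b"\x30\x82":
                findings.append((path, "PKCS#12 file (may contain a private key)"))
    return findings


def private_key_findings(data: bytes) -> list:
    """Drop truststores: only entries that indicate a shipped private key."""
    return [(p, k) for p, k in scan_archive(data) if not k.startswith("JKS truststore")]


def build_constructed_jks(private_aliases, trusted_aliases) -> bytes:
    """Structurally valid v2 JKS with placeholder bytes (constructed, no real keys)."""
    cert = struct.pack(">H", 5) + b"X.509" + struct.pack(">I", 4) + b"CERT"
    out = bytearray(JKS_MAGIC + struct.pack(">II", 2, len(private_aliases) + len(trusted_aliases)))
    for a in private_aliases:
        out += struct.pack(">IH", 1, len(a)) + a.encode() + bytes(8)
        out += struct.pack(">I", 4) + b"KEY!" + struct.pack(">I", 1) + cert
    for a in trusted_aliases:
        out += struct.pack(">IH", 2, len(a)) + a.encode() + bytes(8) + cert
    return bytes(out + bytes(20))            # SHA-1 trailer placeholder


def build_sample_package() -> bytes:
    """Constructed client package: a jar with one keystore and one truststore,
    plus a stray PEM key. Paths are invented; nothing here is real key material."""
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("res/console.jks", build_constructed_jks(["console"], []))
        z.writestr("res/cacerts.jks", build_constructed_jks([], ["root-ca"]))
    pkg = io.BytesIO()
    with zipfile.ZipFile(pkg, "w") as z:
        z.writestr("client/lib/console-client.jar", jar.getvalue())
        z.writestr("client/conf/server.pem",
                   "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n")
        z.writestr("client/README.txt", "no secrets here\n")
    return pkg.getvalue()


if __name__ == "__main__":
    for path, finding in scan_archive(build_sample_package()):
        print(f"{path}: {finding}")
```

Point the scanner at a real download by replacing `build_sample_package()` with the file's bytes. A keystore password does not change the conclusion: once the file has been distributed, the key must be treated as compromised, so beyond applying the vendor update the console's TLS certificate and key should be reissued.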

d. Command injection vulnerability.

The 'getlogs' troubleshooting utility in VDP contains an OS command injection vulnerability. A malicious admin user may potentially be able to execute arbitrary commands under root privilege.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-11077 to this issue.

Column 5 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.
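The advisory gives no detail on how `getlogs` builds its command, so the following is an added example (not VDP's code) of the generic pattern behind this class of bug in a root-privileged log-collection helper, next to a hardened version. The log directory, the component names and the function names are assumptions. The hardened builder shows the two checks that matter even after the shell is removed: the value must not start with `-` (otherwise tar would parse it as an option such as `--checkpoint-action=exec=...`), and it must not contain path separators, with `--` ending option parsing before the user-derived argument.

```python
"""Hardening a root-privileged log-collection helper (added example)."""
import os
import re
import subprocess
import time

LOG_ROOT = "/var/log/vdp"                 # assumption: where component logs live
# Assumption: illustrative component names; the real helper's list is unknown.
KNOWN_COMPONENTS = {"mcs", "gsan", "avagent", "tomcat"}
# First char alphanumeric (so never '-' or '.'), no '/' anywhere, bounded length.
COMPONENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def build_getlogs_unsafe(component: str, out_path: str = "/tmp/getlogs.tgz") -> str:
    """The injectable pattern: caller input spliced into a shell command line.

    Run as subprocess.run(cmd, shell=True) from a root-owned helper, a
    component of 'mcs; id' executes 'id' (or anything else) as root.
    """
    return f"tar czf {out_path} {LOG_ROOT}/{component}"


def build_getlogs_safe(component: str) -> list:
    """Hardened: validate the shape, allow-list the value, return an argv list.

    With an argv list no shell interprets metacharacters. The regex rejects
    option-looking values ('-...') and path escapes ('../', '/abs'), the
    allow-list rejects anything the helper was not written to collect, and
    '--' stops tar from treating the final argument as an option.
    """
    if not COMPONENT_RE.match(component):
        raise ValueError(f"malformed component name: {component!r}")
    if component not in KNOWN_COMPONENTS:
        raise ValueError(f"unknown component: {component!r}")
    out_path = os.path.join("/tmp", f"getlogs-{component}-{int(time.time())}.tgz")
    return ["tar", "-czf", out_path, "-C", LOG_ROOT, "--", component]


def run_getlogs(component: str) -> str:
    """Execute the hardened command (no shell) and return the archive path."""
    argv = build_getlogs_safe(component)
    subprocess.run(argv, check=True)      # shell=False is the default
    return argv[2]


if __name__ == "__main__":
    print("unsafe:", build_getlogs_unsafe("mcs; id"))
    print("safe:  ", build_getlogs_safe("mcs"))
    for bad in ("mcs; id", "--checkpoint-action=exec=id", "../etc"):
        try:
            build_getlogs_safe(bad)
        except ValueError as e:
            print("rejected:", e)
```

If the helper must run as root (setuid or via sudo), the allow-list and argv construction belong inside the privileged program, not in a wrapper an admin can bypass by calling the underlying binary directly.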

Original Source

Url : http://www.vmware.com/security/advisories/VMSA-2018-0029.html

Nessus® Vulnerability Scanner

Date        Description
2018-11-30  Name: A backup solution running on the remote host is affected by multiple vulnerab...
            File: emc_avamar_dsa-2018-145.nasl - Type: ACT_GATHER_INFO

Alert History

Date                  Information
2018-11-27 21:22:51
  • Multiple Updates
2018-11-20 21:18:13
  • First insertion