-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities 

EMC Identifier: ESA-2015-004

CVE Identifier: CVE-2015-0513, CVE-2015-0514, CVE-2015-0515, CVE-2015-0516, CVE-2014-4288, CVE-2014-6456, CVE-2014-6457, CVE-2014-6458, CVE-2014-6466, CVE-2014-6468, CVE-2014-6476, CVE-2014-6485, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6504, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6513, CVE-2014-6515, CVE-2014-6517, CVE-2014-6519, CVE-2014-6527, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558, CVE-2014-6562, CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, CVE-2014-3618

Severity Rating: CVSS v2 Base Score:  View details below for individual CVSS score for each CVE

Affected products:  
•  EMC M&R (Watch4Net) versions prior 6.5u1
•  EMC ViPR SRM versions prior to 3.6.1

Summary:
EMC M&R (Watch4Net) is vulnerable to multiple security vulnerabilities that could be potentially exploited by malicious users to compromise the affected system. EMC ViPR SRM is built on EMC M&R platform and is also affected by these vulnerabilities. 

Details:
The vulnerabilities include:
•  Multiple Oracle Java Runtime Environment (JRE) Vulnerabilities
CVE Identifiers: CVE-2014-4288, CVE-2014-6456, CVE-2014-6457, CVE-2014-6458, CVE-2014-6466, CVE-2014-6468, CVE-2014-6476, CVE-2014-6485, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6504, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6513, CVE-2014-6515, CVE-2014-6517, CVE-2014-6519, CVE-2014-6527, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558, CVE-2014-6562. 

Oracle JRE contains multiple security vulnerabilities. Oracle JRE has been upgraded to 8.0u25 to address these vulnerabilities. See vendor advisory (http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixJAVA) for more details.  
CVSS v2 Base Score: Please refer to http://nvd.nist.gov/ for the individual CVSS scores for each CVE listed above.

•  Multiple Cross-Site Scripting Vulnerabilities
CVE Identifier:  CVE-2015-0513
Several user-supplied fields in the administrative user interface may be potentially exploited by an authenticated privileged malicious user to conduct cross-site-scripting attacks on other authenticated users of the system.  
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

•  Insecure Cryptographic Storage Vulnerability 
CVE Identifier:  CVE-2015-0514
A malicious non-ViPR SRM user with access to an installation of ViPR SRM and knowledge of internal encryption methods could potentially decrypt credentials used for data center discovery.
CVSS v2 Base Score: 5.7 (AV:A/AC:M/Au:N/C:C/I:N/A:N)

•  Unrestricted File Upload Vulnerability 
CVE Identifier:  CVE-2015-0515
This vulnerability may potentially be exploited by an authenticated, privileged malicious user to upload arbitrary files into the file system via the web interface.
CVSS v2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)

•  Path Traversal Vulnerability
CVE Identifier: CVE-2015-0516
This vulnerability may potentially be exploited by an authenticated, privileged malicious user to download arbitrary files from the file system via the web interface by manipulating the directory structure in the URL.
CVSS v2 Base Score: 6.8 (AV:N/AC:L/Au:S/C:C/I:N/A:N)

•  SUSE Procmail Heap Overflow Vulnerability  
CVE Identifier: CVE-2014-3618
Procmail was updated to fix a heap-overflow in procmail's formail utility when processing specially-crafted email headers.  This issue affects only vApp deployments of the affected software.  
CVSS v2 Base Score: Please refer to http://nvd.nist.gov/ for the CVSS score.

•  NTP Multiple Vulnerabilities 
CVE Identifier: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296
NTP was updated to fix multiple vulnerabilities.  See vendor advisory http://support.ntp.org/bin/view/Main/SecurityNotice for more details.  These issues affect only vApp deployments of the affected software.  
CVSS v2 Base Score: Please refer to http://nvd.nist.gov/ for the CVSS scores.


Resolution:
The following version contains the resolution to these issues:
•  EMC M&R (Watch4Net) 6.5u1 and later
•  EMC ViPR SRM 3.6.1 and later

EMC strongly recommends all customers upgrade at the earliest opportunity. In addition, customers are recommended to review the Security Configuration Guide distributed with the product for specific instructions on secure configurations of the system.

Link to remedies:
Registered customers can download upgraded software from support.emc.com at https://support.emc.com/downloads/34247_ViPR-SRM  
 
Credits:
EMC would like to thank Han Sahin of Securify B.V. (han.sahin@securify.nl) for reporting CVE-2015-0513 and CVE-2015-0514.  


EMC Product Security Response Center
security_alert@emc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAlS+cwIACgkQtjd2rKp+ALwgrQCfd0XochnaIrLbek4U/Nt5xGHG
PIAAn0inLvHDbgu5c5hZCsWC48CcJVN/
=zSNS
-----END PGP SIGNATURE-----