EMC ViPR SRM for SAS Directory Traversal / Denial Of Service

Posted Sep 20, 2017
Authored by rgod | Site emc.com

EMC ViPR SRM, EMC Storage M and R, EMC VNX M and R, EMC M and R (Watch4Net) for SAS Solution Packs contain directory traversal and denial of service vulnerabilities.

tags | advisory, denial of service, vulnerability
advisories | CVE-2017-8007, CVE-2017-8012
MD5 | 318038a7ee6e2b7855e77004110ff700

ESA-2017-081: EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R (Watch4Net) for SAS Solution Packs Multiple Vulnerabilities

EMC Identifier: ESA-2017-081
CVE Identifier: CVE-2017-8007, CVE-2017-8012
Severity Rating: CVSS Base Score: See below for individual scores.

Affected products:
* EMC ViPR SRM all versions
* EMC Storage M&R all versions
* EMC VNX M&R all versions
* EMC M&R (Watch4Net) for SAS Solution Packs all versions

Summary:
EMC ViPR SRM, EMC Storage M&R, EMC VNX M&R, EMC M&R (Watch4Net) for SAS Solution Packs contain multiple vulnerabilities that could potentially be exploited by malicious users to compromise the affected system.

Details:
* Directory Traversal Vulnerability (CVE-2017-8007)
Webservice Gateway used in these products is affected by a directory traversal vulnerability. Attackers with knowledge of Webservice Gateway credentials could potentially exploit this vulnerability to access unauthorized information, and modify or delete data by supplying specially crafted strings in input parameters of the web service call.

CVSSv3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

* JMX Denial of Service Vulnerability (CVE-2017-8012)
The Java Management Extensions (JMX) protocol used to communicate between components in the Alerting and/or Compliance components in these products can be leveraged to create a denial of service (DoS) condition. Attackers with knowledge of JMX agent user credentials could potentially exploit this vulnerability to create arbitrary files on the affected system and create a DoS condition by leveraging inherent JMX protocol capabilities.

CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
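The advisory gives no detail on how the Webservice Gateway handles file-path parameters, so the following is an added illustration (not EMC's code) of the server-side check that closes the traversal class behind CVE-2017-8007: decode, normalise, and confirm the resolved path stays under an allowed root. `ALLOWED_ROOT` and `resolve_under_root` are hypothetical names.

```python
# Added example, not from the EMC advisory or products: a defensive path
# check against the directory-traversal class described in CVE-2017-8007.
import os
import urllib.parse

ALLOWED_ROOT = "/opt/gateway/data"   # hypothetical base directory


def resolve_under_root(user_path: str, root: str = ALLOWED_ROOT):
    """Return the absolute on-disk path for user_path, or None if the
    request would escape root after decoding and normalisation."""
    # Decode twice so a double-encoded ".." (%252e%252e) cannot slip past.
    decoded = urllib.parse.unquote(urllib.parse.unquote(user_path))
    # Treat backslashes as separators: Windows hosts and some parsers do.
    decoded = decoded.replace("\\", "/")
    # NUL bytes truncate paths in many native APIs; never pass them on.
    if "\x00" in decoded:
        return None
    root_abs = os.path.abspath(root)
    # Strip leading slashes so join() cannot discard root for absolute input.
    candidate = os.path.abspath(os.path.join(root_abs, decoded.lstrip("/")))
    # Compare with a trailing separator so "/opt/gateway/data-other" is not
    # accepted as a prefix match of "/opt/gateway/data".
    if candidate != root_abs and not candidate.startswith(root_abs + os.sep):
        return None
    # Note: abspath does not follow symlinks; if root may contain symlinks
    # pointing outside it, apply os.path.realpath before the prefix check.
    return candidate
```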

Resolution:

Mitigation information for CVE-2017-8007:
* EMC ViPR SRM customers: Upgrade to EMC ViPR SRM version 4.1
* EMC Storage M&R customers: Upgrade to EMC Storage M&R version 4.1
* EMC M&R (Watch4Net) for SAS Solution Packs customers: Apply EMC M&R 6.7.x fix for Directory Traversal Vulnerability Update Package
* EMC VNX M&R customers: Migrate to EMC Storage M&R version 4.1
* All customers are strongly advised to change any default WebService Gateway credentials. Please see ESA-2017-089 for more details on how to change the credentials.
* Customers are strongly advised to review product documentation and use firewall controls to limit access to WebService Gateway and all other internal ports only to those servers that require access to them.
o For vApp installations, please review Knowledge Base article 503844 (https://support.emc.com/kb/503844) for guidance on making firewall changes within the vApp.

Mitigation information for CVE-2017-8012 for all customers:
* Change any default JMX agent credentials. Please see ESA-2017-089 for more details on how to change the credentials.
* Review product documentation and use firewall controls to limit access to the JMX ports and all other internal ports only to those servers that require access to them.
o For vApp installations, please review Knowledge Base article 503844 (https://support.emc.com/kb/503844) for guidance on making firewall changes within the vApp.
* Future releases will contain further measures to remove or harden communication via the JMX protocol. EMC VNX M&R customers must migrate to EMC Storage M&R version 4.1 or later to receive future security fixes.

Link to remedies:

* For EMC ViPR SRM and EMC Storage M&R, registered EMC Online Support customers can download patches and software from support.emc.com at: https://support.emc.com/downloads/34247_ViPR-SRM.

* For EMC M&R (Watch4Net) for SAS Solution Packs, registered EMC Online Support customers can download patches and software from support.emc.com at:
https://support.emc.com/downloads/6175_Smarts-Service-Assurance-Manager

* For VNX M&R, registered EMC Online Support customers can follow the mitigation steps described above.


Credits:
EMC would like to thank rgod working with Trend Micro's Zero Day Initiative for reporting these vulnerabilities.
