-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 DSA-2018-024: Dell EMC VMAX Virtual Appliance (vApp) Manager Multiple Vulnerabilities Dell EMC Identifier: DSA-2018-024 CVE Identifier: CVE-2018-1215, CVE-2018-1216 Severity Rating: CVSS Base Score: See below for each CVE. Affected products: Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18 Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21 Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514 Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 (Enginuity Release 5977.1125.1125 and earlier) Summary: The vApp Manager which is embedded in Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement) contains multiple security vulnerabilities that may potentially be exploited by malicious users to compromise the affected system. Details: CVE-2018-1215 Arbitrary file upload vulnerability A remote authenticated malicious user may potentially upload arbitrary maliciously crafted files in any location on the web server. By chaining this vulnerability with CVE-2018-1216, the attacker may use the default account to exploit this vulnerability. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) CVE-2018-1216 Hard-coded password vulnerability The vApp Manager contains an undocumented default account (OsmcO) with a hard-coded password that may be used with certain web servlets. A remote attacker with the knowledge of the hard-coded password and the message format may use vulnerable servlets to gain unauthorized access to the system. Note: This account cannot be used to log in via the web user interface. CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Resolution: The following VMAX products contain address these vulnerabilities: ESX Server Installs: Dell EMC Unisphere for VMAX Virtual Appliance 8.4.0.18 OVA hotfix 1090, service alert 1059 Dell EMC Unisphere for VMAX Virtual Appliance 8.4.0.18 ISO upgrade hotfix 1089, service alert 1058 Dell EMC Solutions Enabler Virtual Appliance 8.4.0.21 OVA hotfix 2058, service alert 1891 Dell EMC Solutions Enabler Virtual Appliance 8.4.0.21 ISO upgrade hotfix 2057, service alert 1890 Dell EMC VASA Virtual Appliance 8.4.0.516 OVA Dell EMC VASA Virtual Appliance 8.4.0.516 ISO upgrade eManagement: eMGMT 1.4.0.355 (Service Pack 6848) Dell EMC recommends all customers upgrade at the earliest opportunity. Note: The default account OsmcO has been removed for all fresh installations of versions of the products that contain the fixes. The account cannot be removed from the user database for upgrade situations, however all servlets that use this account have been removed from the application making the account obsolete. Link To Remedies: Customers can download software for Dell EMC VASA Virtual Appliance 8.4.0.516 OVA and ISO from Dell EMC Online Support at https://support.emc.com/downloads/40557_VASA-Provider. Registered Dell EMC Online Support customers are recommended to contact Dell EMC Customer Support for all other fixes as they are not available from Dell EMC Online Support download page. Open a Service Request to have the hotfix or ePack installed. Contact Dell EMC Support with any questions. Credits: Dell EMC would like to thank Carlos Perez from Tenable for reporting these vulnerabilities. For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307. Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. Legal Information: Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact Dell EMC Technical Support at 1-877-534-2867. Dell EMC distributes EMC Security Advisories, in order to bring to the attention of users of the affected Dell EMC products, important security information. Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. Dell EMC Product Security Response Center security_alert@emc.com -----BEGIN PGP SIGNATURE----- Comment: GPGTools - https://gpgtools.org iQEcBAEBCgAGBQJagPFFAAoJEHbcu+fsE81ZivMH/0s0r4XFxvW9tL+l8zkGdJIc uRjYTAr5iE4I8PaLw0S/MYVIr2YbpBcaP5QuUbNENWr/aaPHtccE3Gou6Bv72FK0 CU2qMdV9kjWbhHvbIjrnS2RsNjTekWSIDjYJPdkHk03thutYa3Loy7bX42LJe6E7 +slgZjR5zkATMvGis2R/nEj40phxxA+I/dUJIMjbT7emBCSBL5IAlvmuznzChm31 hklk6F/YDI/iOC8GBo0PwNf2F6PBUJbR78B6ppLeHP8AygLdu/AZZX/5eHyDGBiS 8eHATltqjU5I8X7fnjKl8UtoL1ohw72tMROiN9164N2xoJQwasMX6Rs3eNpru2c= =HaYf -----END PGP SIGNATURE-----