On the 6th of June 2017, VMware released the following new and updated security advisories:
VMSA-2017-0010 – vSphere Data Protection (VDP) updates address multiple security issues.
This new security advisory documents two issues.
VDP contains a deserialization issue (CVE-2017-4914). Exploitation of this issue may allow a remote attacker to execute commands on the appliance. VMware would like to thank Tim Roberts, Arthur Chilipweli, and Kelly Correll from NTT Security for reporting this issue to us.
VDP locally stores vCenter Server credentials using reversible encryption (CVE-2017-4917). This issue may allow plaintext credentials to be obtained. VMware would like to thank Marc Ströbel aka phroxvs from HvS-Consulting for reporting this issue to VMware.
These issues have been addressed in VDP 6.1.4 and 6.0.5.
VMware has released the following updated security advisory:
VMSA-2016-0024.1 – vSphere Data Protection (VDP) updates address SSH key-based authentication issue
This issue has been addressed in VDP 6.1.4 and 6.0.5.
Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.
Customers should review the security advisories and direct any questions to VMware Support.