New VMware Security Advisory VMSA-2018-0001
On January 2nd, 2018, VMware released the following new security advisory:
VMSA-2018-0001 – vSphere Data Protection (VDP) updates address multiple security issues.
This advisory documents several critical-severity issues affecting VDP.
Issue (a) is an authentication bypass vulnerability (CVE-2017-15548). A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems.
Issue (b) is an arbitrary file upload vulnerability (CVE-2017-15549). A remote authenticated malicious user with low privileges could potentially upload arbitrary maliciously crafted files in any location on the server file system.
Issue (c) is a path traversal vulnerability (CVE-2017-15550). A remote authenticated malicious user with low privileges could access arbitrary files on the server file system in the context of the running vulnerable application.
These issues have been addressed in VDP 6.1.6 and 6.0.7.
Please sign up to the Security-Announce mailing list to receive new and updated VMware Security Advisories.
Customers should review the security advisories and direct any questions to VMware Support.