===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1938
   VMware vSphere Data Protection product update addresses a critical
                  information disclosure vulnerability.
                              24 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           VMware vSphere Data Protection
Publisher:         VMware
Operating System:  VMware ESX Server
                   Linux variants
                   Windows
Impact/Access:     Access Privileged Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4624

--------------------------BEGIN INCLUDED TEXT--------------------

------------------------------------------------------------------------
                        VMware Security Advisory

Advisory ID: VMSA-2014-0011
Synopsis:    VMware vSphere Data Protection product update addresses a
             critical information disclosure vulnerability.
Issue date:  2014-10-22
Updated on:  2014-10-22 (Initial Advisory)
CVE number:  CVE-2014-4624
------------------------------------------------------------------------

1. Summary

   VMware vSphere Data Protection product updates address a vulnerability
   that could lead to sensitive information disclosure.

2. Relevant releases

   VMware vSphere Data Protection 5.5 prior to 5.5.7

3. Problem Description

   a. VMware vSphere Data Protection (VDP) contains a vulnerability that
      may allow a remote user to retrieve sensitive account credentials
      from the affected VDP server using Java API calls. No authentication
      to the VDP server is required for this potential attack. Exposed
      information includes MCUser and GSAN account passwords of all grid
      systems that are being monitored in VDP Enterprise Manager.

      VMware would like to thank Jakub Mleczko from the Orange Poland
      security team for reporting this issue to EMC and the EMC Product
      Security Response Center for working with us on the issue.

      The Common Vulnerabilities and Exposures project (cve.mitre.org) has
      assigned the identifier CVE-2014-4624 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware     Product   Running   Replace with/
      Product    Version   on        Apply Patch
      =========  ========  ========  =================
      VDP        5.8       any       not affected
      VDP        5.5       any       5.5.7
      VDP        5.1       any       not affected

4. Solution

   Please review the patch/release notes for your product and version and
   verify the checksum of your downloaded file.

   VMware vSphere Data Protection
   ------------------------------
   Downloads:
   https://my.vmware.com/web/vmware/details?productId=375&downloadGroup=VDPADV55_7
   Documentation:
   https://www.vmware.com/support/vdr/doc/vdp_557_releasenotes.html

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4624

------------------------------------------------------------------------

6. Change log

   2014-10-22 VMSA-2014-0011
   Initial security advisory for VDP 5.5.7, which was released on
   2014-10-09.

------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   security-announce at lists.vmware.com
   bugtraq at securityfocus.com
   fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information or
advice contained in this security bulletin is the responsibility of each
user or organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

    http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================