Attention, vSphere VDP backup admins: There is a little remote root hole you need to patch...

And two other security bugs

VMware on Tuesday published a security advisory for its vSphere Data Protection (VDP) backup and recovery product.

The virtualization giant identified three vulnerabilities, one of which it deems critical, with the two others categorized as important.

The issues affect VDP 5.x, 6.0.x, and 6.1.x.

CVE-2017-15548 is the critical flaw, which the biz described as a remote authentication bypass. If exploited, it could allow a remote unauthenticated attacker to bypass authentication protections, and gain root control of the server.

The second flaw, CVE-2017-15549, could allow arbitrary file uploads to an affected system from a remote authenticated user with low privileges.

The third, CVE-2017-15550, is a path traversal vulnerability. According to VMware, a remote authenticated user with low privileges could use the flaw to access files on an affected system in the context of the vulnerable app.

Further details about the vulnerabilities were not immediately available.

VMware has published patches to fix things, with version 6.1.6 as the update path for 6.1 users and version 6.0.7 for those using 6.0.x or 5.x. ®




Biting the hand that feeds IT © 1998–2018