VMware Issues 3 Critical Patches for vSphere Data Protection

VMware, a Dell Technologies subsidiary, released several patches Tuesday fixing critical vulnerabilities affecting its vSphere cloud computing virtualization platform.

The bugs address three vulnerabilities in VMware’s vSphere Data Protection (VDP), a backup and recovery solution used with its vSphere platform. According to the company, a remote attacker could exploit the vulnerabilities and take control of an affected systems.

Each of the vulnerabilities (CVE-2017-15548, CVE-2017-15549, CVE-2017-15550) are rated critical. Affected are VDP versions 6.1.x, 6.0.x and 5.x running on VMware’s Virtual Appliances. The company said no workarounds are available.

vSphere Data Protection is a backup solution for use in vSphere environments, and is usually run in tandem with VMware’s vCenter Server and vSphere Web Client.

The VMware security advisory describes one of the vulnerabilities (CVE-2017-15548) as a VDP authentication bypass vulnerability. According to the company, the vulnerability allows a “remote unauthenticated malicious user (to) potentially bypass application authentication and gain unauthorized root access to the affected systems.”

A second VDP upload vulnerability (CVE-2017-15549) allows a “remote authenticated malicious user with low privileges (to) potentially upload arbitrary maliciously crafted files in any location on the server file system.”

Lastly, the vulnerability CVE-2017-15550 is a path traversal vulnerability that allows a “remote authenticated malicious user with low privileges (to) access arbitrary files on the server file system in the context of the running vulnerable application.”

According to VMware, patches are available for each of the vulnerabilities via updates to each of the impacted versions of  vSphere Data Protection. VMware didn’t go into detail on the vulnerabilities.

Last year VMware patched several vulnerabilities tied to its vSphere Data Protection solution including a Java deserialization issue and a second vulnerability in VDP pertaining to how it stores credentials.

Source: ThreatPost

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!