Last Updated: 2018-11-20 21:59:45 UTC
by Xavier Mertens (Version: 1)
VMware notified us that they released a new security bulletin (rated as "critical") which affects vSphere Data Protection (VDP).
VDP is vulnerable because it is based on Dell EMC Avamar Virtual Edition. Multiple vulnerabilities have been disclosed today in this solution:
- A remote code execution vulnerability (CVE-2018-11066): A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.
- An open redirection vulnerability (CVE-2018-11067): A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.
Patches are available for both products.
This is a perfect example of how a product 'A' can affect a product 'B' when technologies are reused across multiple solutions.
Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant