EMC M&R (Watch4Net) suffers from heap overflow, remote file upload, insecure cryptographic storage, cross site scripting, ntp-related, java-related, and path traversal vulnerabilities.
7adceeb57a3368887bb1d10e104821dd7f027effb3815bf97aaaae498b047491
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2015-004: EMC M&R (Watch4Net) Multiple Vulnerabilities
EMC Identifier: ESA-2015-004
CVE Identifier: CVE-2015-0513, CVE-2015-0514, CVE-2015-0515, CVE-2015-0516, CVE-2014-4288, CVE-2014-6456, CVE-2014-6457, CVE-2014-6458, CVE-2014-6466, CVE-2014-6468, CVE-2014-6476, CVE-2014-6485, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6504, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6513, CVE-2014-6515, CVE-2014-6517, CVE-2014-6519, CVE-2014-6527, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558, CVE-2014-6562, CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, CVE-2014-3618
Severity Rating: CVSS v2 Base Score: View details below for individual CVSS score for each CVE
Affected products:
EMC M&R (Watch4Net) versions prior 6.5u1
EMC ViPR SRM versions prior to 3.6.1
Summary:
EMC M&R (Watch4Net) is vulnerable to multiple security vulnerabilities that could be potentially exploited by malicious users to compromise the affected system. EMC ViPR SRM is built on EMC M&R platform and is also affected by these vulnerabilities.
Details:
The vulnerabilities include:
Multiple Oracle Java Runtime Environment (JRE) Vulnerabilities
CVE Identifiers: CVE-2014-4288, CVE-2014-6456, CVE-2014-6457, CVE-2014-6458, CVE-2014-6466, CVE-2014-6468, CVE-2014-6476, CVE-2014-6485, CVE-2014-6492, CVE-2014-6493, CVE-2014-6502, CVE-2014-6503, CVE-2014-6504, CVE-2014-6506, CVE-2014-6511, CVE-2014-6512, CVE-2014-6513, CVE-2014-6515, CVE-2014-6517, CVE-2014-6519, CVE-2014-6527, CVE-2014-6531, CVE-2014-6532, CVE-2014-6558, CVE-2014-6562.
Oracle JRE contains multiple security vulnerabilities. Oracle JRE has been upgraded to 8.0u25 to address these vulnerabilities. See vendor advisory (http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html#AppendixJAVA) for more details.
CVSS v2 Base Score: Please refer to http://nvd.nist.gov/ for the individual CVSS scores for each CVE listed above.
Multiple Cross-Site Scripting Vulnerabilities
CVE Identifier: CVE-2015-0513
Several user-supplied fields in the administrative user interface may be potentially exploited by an authenticated privileged malicious user to conduct cross-site-scripting attacks on other authenticated users of the system.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Insecure Cryptographic Storage Vulnerability
CVE Identifier: CVE-2015-0514
A malicious non-ViPR SRM user with access to an installation of ViPR SRM and knowledge of internal encryption methods could potentially decrypt credentials used for data center discovery.
CVSS v2 Base Score: 5.7 (AV:A/AC:M/Au:N/C:C/I:N/A:N)
Unrestricted File Upload Vulnerability
CVE Identifier: CVE-2015-0515
This vulnerability may potentially be exploited by an authenticated, privileged malicious user to upload arbitrary files into the file system via the web interface.
CVSS v2 Base Score: 6 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
Path Traversal Vulnerability
CVE Identifier: CVE-2015-0516
This vulnerability may potentially be exploited by an authenticated, privileged malicious user to download arbitrary files from the file system via the web interface by manipulating the directory structure in the URL.
CVSS v2 Base Score: 6.8 (AV:N/AC:L/Au:S/C:C/I:N/A:N)
SUSE Procmail Heap Overflow Vulnerability
CVE Identifier: CVE-2014-3618
Procmail was updated to fix a heap-overflow in procmail's formail utility when processing specially-crafted email headers. This issue affects only vApp deployments of the affected software.
CVSS v2 Base Score: Please refer to http://nvd.nist.gov/ for the CVSS score.
NTP Multiple Vulnerabilities
CVE Identifier: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296
NTP was updated to fix multiple vulnerabilities. See vendor advisory http://support.ntp.org/bin/view/Main/SecurityNotice for more details. These issues affect only vApp deployments of the affected software.
CVSS v2 Base Score: Please refer to http://nvd.nist.gov/ for the CVSS scores.
Resolution:
The following version contains the resolution to these issues:
EMC M&R (Watch4Net) 6.5u1 and later
EMC ViPR SRM 3.6.1 and later
EMC strongly recommends all customers upgrade at the earliest opportunity. In addition, customers are recommended to review the Security Configuration Guide distributed with the product for specific instructions on secure configurations of the system.
Link to remedies:
Registered customers can download upgraded software from support.emc.com at https://support.emc.com/downloads/34247_ViPR-SRM
Credits:
EMC would like to thank Han Sahin of Securify B.V. (han.sahin@securify.nl) for reporting CVE-2015-0513 and CVE-2015-0514.
EMC Product Security Response Center
security_alert@emc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)
iEYEARECAAYFAlS+cwIACgkQtjd2rKp+ALwgrQCfd0XochnaIrLbek4U/Nt5xGHG
PIAAn0inLvHDbgu5c5hZCsWC48CcJVN/
=zSNS
-----END PGP SIGNATURE-----