VASA Provider Virtual Appliance Remote Code Execution Vulnerability
CVE Identifier: CVE-2017-4997
Severity Rating: CVSS v3 Base Score: 8.3 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L)
Affected products:
VASA Provider Virtual Appliance versions 8.3.x and prior
Summary:
VASA Provider Virtual Appliance contains a fix for an unauthenticated remote code execution vulnerability that could potentially be exploited by malicious users to compromise the affected system.
Details:
VASA Provider Virtual Appliance versions prior to 8.3.x may potentially be vulnerable to an unauthenticated remote code execution vulnerability. An unauthenticated remote attacker could upload a malicious file to run arbitrary code on the system with root privileges.
Resolution:
The following VASA Provider Virtual Appliance release contains a resolution to this vulnerability:
VASA Provider Virtual Appliance 8.4.0
EMC recommends all customers upgrade at the earliest opportunity.
Link to remedies:
Customers can download software from https://support.emc.com/downloads/40557_VASA-Provider
Credits: EMC would like to thank rgod, working with Trend Micro's Zero Day Initiative, for reporting this vulnerability.
# 0day.today [2018-01-10] #