SB2017060701 - Two vulnerabilities in VMware vSphere Data Protection
Published: June 7, 2017
Security Bulletin ID
SB2017060701
Severity
High
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Arbitrary code execution (system compromise)
Breakdown by Severity (chart; per-level counts not recovered): Low, Medium, High, Critical
Description
This security bulletin contains information about 2 security vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2017-4917)
The vulnerability allows a local attacker to obtain potentially sensitive information on a targeted system. The weakness exists because the affected software stores the vCenter Server credentials it uses in a recoverable form on the appliance (VMware's advisory VMSA-2017-0010 describes this as reversible encryption). A local attacker who can read the stored data can recover those credentials in plaintext and reuse them against vCenter.
Successful exploitation of the vulnerability results in information disclosure. Note that this issue requires local access to the appliance; the "Remote access" exploitation vector above applies to the deserialization issue below.
2) Deserialization of Untrusted Data (CVE-ID: CVE-2017-4914)
The vulnerability allows a remote unauthenticated attacker to execute arbitrary commands on a targeted system. The weakness exists because the affected software deserializes user-supplied content with Java's native serialization without restricting which classes the stream may instantiate. A remote attacker can submit a specially crafted serialized Java object stream whose classes (a so-called gadget chain assembled from classes already present on the appliance's classpath) run attacker-chosen logic during deserialization, before the application ever inspects or casts the result.
Successful exploitation of the vulnerability may result in system compromise.
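The following is an added example, not code from this bulletin or from VMware's vSphere Data Protection, showing why the pattern above is exploitable and what the usual fix looks like: the vulnerable path hands raw bytes to ObjectInputStream.readObject() and lets the stream decide which class to instantiate, while the hardened path overrides resolveClass() with a look-ahead allowlist so an unexpected class is rejected before any of its deserialization hooks can run. The Message class, the allowlist contents and the use of java.util.HashMap as a stand-in for an attacker-chosen class are assumptions for illustration; no real gadget chain is reproduced.

```java
import java.io.*;
import java.util.*;

public class DeserializationDemo {

    // Assumed message type standing in for whatever object the endpoint expects.
    public static final class Message implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Message(String text) { this.text = text; }
    }

    // Serialize any object to bytes. In the real attack these bytes come from the network.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // VULNERABLE pattern: whatever class the stream names is instantiated, and its
    // readObject()/readResolve() code runs, before the caller can cast or check anything.
    static Object unsafeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            return ois.readObject();
        }
    }

    // HARDENED pattern: look-ahead allowlist. resolveClass() is invoked for each class
    // descriptor before the class is instantiated, so rejecting here stops the gadget
    // chain before any of its code executes. Only the classes we expect are permitted.
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            Message.class.getName(), "java.lang.String"));

        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                    "class not on the deserialization allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    static Message safeDeserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                 new AllowlistObjectInputStream(new ByteArrayInputStream(data))) {
            return (Message) ois.readObject();
        }
    }

    // Detection aid: every Java serialization stream begins with the magic 0xAC 0xED
    // followed by protocol version 0x00 0x05. Useful when inspecting requests or logs
    // to find endpoints that accept native serialized objects at all.
    static boolean looksLikeJavaSerialization(byte[] data) {
        return data.length >= 4
            && (data[0] & 0xff) == 0xac && (data[1] & 0xff) == 0xed
            && data[2] == 0x00 && data[3] == 0x05;
    }

    public static void main(String[] args) throws Exception {
        byte[] expected = serialize(new Message("hello"));
        // Stand-in for an attacker-supplied stream naming a class the endpoint never intended.
        byte[] unexpected = serialize(new HashMap<String, String>());

        System.out.println("java serialization magic present: "
            + looksLikeJavaSerialization(unexpected));

        // Vulnerable path: instantiates whatever the stream names.
        System.out.println("unsafe path instantiated: "
            + unsafeDeserialize(unexpected).getClass().getName());

        // Hardened path: the unexpected class is rejected before instantiation,
        // while the expected message still round-trips.
        try {
            safeDeserialize(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("safe path rejected: " + e.classname);
        }
        System.out.println("safe path accepted: " + safeDeserialize(expected).text);
    }
}
```

On Java 9 and later (and 8u121 and later with the JEP 290 backport) the same effect is available without subclassing via ObjectInputStream.setObjectInputFilter() or the jdk.serialFilter system property; the allowlist approach above is the portable form. In either case the allowlist must cover every class that legitimately appears in the stream, including field types and collection classes, or valid messages will be rejected; the safe failure mode is to reject and log, never to fall back to an unfiltered stream.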
Remediation
Install the fixed vSphere Data Protection releases listed in VMware's advisory VMSA-2017-0010 (VDP 6.1.4 and 6.0.5). After patching, rotate the vCenter Server credentials the appliance had stored, since CVE-2017-4917 means anyone with prior local access may already hold them, and restrict network access to the VDP appliance to the management hosts that need it to limit exposure of the deserialization endpoint.