Multiple vulnerabilities in EMC products
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2017-8007 CVE-2017-8012 |
| CWE-ID | CWE-22 CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Storage M&R Client/Desktop applications / Other client software VNX M&R Client/Desktop applications / Other client software EMC M&R (Watch4Net) Client/Desktop applications / Other client software EMC ViPR SRM Client/Desktop applications / Software for archiving |
| Vendor | Dell |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Directory traversal
EUVDB-ID: #VU8570
Risk: Low
CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-8007
CWE-ID:
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated attacker to access information on the target system.
The weakness exists due to directory traversal in Webservice Gateway. A remote attacker can with knowledge of Webservice Gateway credentials can supply specially crafted strings in input parameters of the web service call to access, modify or delete data.
Update the software to version 4.1.
Install 6.7.x fox for EMC M&R Watch4net for SAS Solution Packs.
Storage M&R: 4.0.1 - 4.0.3
EMC ViPR SRM: 4.0.1 - 4.0.3
VNX M&R: 4.0.1 - 4.0.3
EMC M&R (Watch4Net): All versions
CPE2.3- cpe:2.3:a:dell:storage_m_and_r:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:storage_m_and_r:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:dell:storage_m_and_r:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:dell:emc_vipr_srm:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:emc_vipr_srm:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:dell:emc_vipr_srm:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:dell:vnx_m_and_r:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:vnx_m_and_r:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:dell:vnx_m_and_r:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:dell:emc_m_and_r_watch4net:*:*:*:*:*:*:*:*
https://seclists.org/fulldisclosure/2017/Sep/51
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Improper input validation
EUVDB-ID: #VU8571
Risk: Low
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-8012
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to input validation flaw. A remote attacker can with knowledge of JMX agent user credentials can leverage inherent JMX protocol capabilities to create arbitrary files and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update the software to version 4.1.
Storage M&R: 4.0.1 - 4.0.3
EMC ViPR SRM: 4.0.1 - 4.0.3
VNX M&R: 4.0.1 - 4.0.3
CPE2.3- cpe:2.3:a:dell:storage_m_and_r:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:storage_m_and_r:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:dell:storage_m_and_r:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:dell:emc_vipr_srm:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:emc_vipr_srm:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:dell:emc_vipr_srm:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:dell:vnx_m_and_r:4.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:dell:vnx_m_and_r:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:dell:vnx_m_and_r:4.0.3:*:*:*:*:*:*:*
https://seclists.org/fulldisclosure/2017/Sep/51
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
