Four zero-days found, patched in Arcserve UDP platform

News by Doug Olenick

Digital Defense VRT has revealed four zero-day vulnerabilities in the Arcserve Unified Data Protection (UDP) platform.

The issues found were an unauthenticated sensitive information disclosure via /gateway/services/EdgeServiceImpl, an unauthenticated XML external entity (XXE) flaw in /management/UdpHttpService, an unauthenticated sensitive information disclosure via /UDPUpdates/Config/FullUpdateSettings.xml and a reflected cross-site scripting flaw via /authenticationendpoint/domain.jsp.

The two unauthenticated information disclosures and the external entity attack could be used by an attacker to gain access to a database and other credentials and to read files on the system hosting the UDP application without authentication. The reflected cross-site scripting issue could be used for phishing, Digital Defense reported.

Arcserve has fixed the issues and the patch needed to update a system is available from Arcserve support.

This article was first published in SC Media US.
