VMware repairs three critical bugs in vSphere Data Protection

News by Bradley Barth

VMware issued patches on Wednesday for a trio of critical vulnerabilities in its vSphere Data Protection disk-based backup and recovery solution. In all three cases, the problem was found in versions 6.1.x, 6.0.x, and 5.x, and repaired in versions 6.1.6 and 6.0.7.

The first corrected bug is an application authentication bypass vulnerability, designated CVE-2017-15548, that can be exploited by remote, unauthenticated attackers to gain root access to an affected system.

The second flaw, CVE-2017-15549, is an arbitrary file upload vulnerability, which remote, authenticated attackers with low privileges can exploit to introduce maliciously crafted files into any location on the server file system.

Finally, VMware also fixed CVE-2017-15550, a path traversal vulnerability that, according to the company's official security advisory, can allow a remote authenticated malicious user with low privileges to “access arbitrary files on the server file system in the context of the running vulnerable application.”

VMware is a subsidiary of Dell Technologies.
