VMware has been forced to issue fixes for newly discovered vulnerabilities in its vSphere Data Protection (VDP) product, one of them critical.
The virtualization giant’s latest security advisory published this week, addresses three vulnerabilities in the virtual machine back-up and recovery product.
The first, CVE-2017-15548, is an authentication bypass vulnerability which could allow a remote attacker to bypass application authentication and gain unauthorized root access to targeted systems.
The second vulnerability addressed by the update is CVE-2017-15549; a file upload flaw which could allow a hacker to upload arbitrary malicious files in any location on the server file system.
Although the attack only works if the hacker is authentication, they only require “low privileges” to make it work, according to VMware.
The third flaw, CVE-2017-15550, is a path traversal flaw which could allow a remote authenticated attacker with low privileges to “access arbitrary files on the server file system in the context of the running vulnerable application.”
The above security issues affect versions 5.x, 6.0.x and 6.1.x of the popular VDP product. VMware has issued patches to fix the issues in the form of updates 6.1.6 for users on the latter and 6.0.7 for users on the other affected versions.
However, system administrators may be forgiven for having other things on their minds this week after 2018 got off to a bad start with revelations of major chip-level vulnerabilities Meltdown and Spectre.
The three variants have huge implications for the security of PCs, mobile devices and cloud systems, with vendors including Intel, AMD, Amazon, Microsoft, Google and others in the process of rapidly issuing patches and workarounds where they can.