CVE-2017-4914 - Deserialization of Untrusted Data vulnerability in VMware vSphere Data Protection
Attack vector | NETWORK |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
VMware vSphere Data Protection (VDP) 6.1.x, 6.0.x, 5.8.x, and 5.5.x contains a deserialization issue. Exploitation of this issue may allow a remote attacker to execute commands on the appliance.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-DB
description | VMware vSphere Data Protection 5.x/6.x - Java Deserialization. CVE-2017-4914. Remote exploit for Multiple platform |
file | exploits/multiple/remote/42152.py |
id | EDB-ID:42152 |
last seen | 2017-06-11 |
modified | 2017-06-10 |
platform | multiple |
port | |
published | 2017-06-10 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/42152/ |
title | VMware vSphere Data Protection 5.x/6.x - Java Deserialization |
type | remote |
Nessus
NASL family | Misc. |
NASL id | VMWARE_VSPHERE_DATA_PROTECTION_VMSA-2017-0010.NASL |
description | The version of VMware vSphere Data Protection installed on the remote host is 5.5.x, 5.8.x, or 6.0.x prior to 6.0.5, or it is 6.1.x prior to 6.1.14. It is, therefore, affected by multiple vulnerabilities: - An unspecified flaw exists when handling Java deserialization that allows an unauthenticated, remote attacker to execute arbitrary commands on the appliance. (CVE-2017-4914) - An information disclosure vulnerability exists due to using a weak encryption algorithm that allows a local attacker to disclose credentials. (CVE-2017-4917) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 100717 |
published | 2017-06-09 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/100717 |
title | VMware vSphere Data Protection 5.5.x / 5.8.x / 6.0.x < 6.0.5 / 6.1.x < 6.1.4 Multiple Vulnerabilities (VMSA-2017-0010) |
Packetstorm
data source | https://packetstormsecurity.com/files/download/142901/vmwarevsphere-deserialize.txt |
id | PACKETSTORM:142901 |
last seen | 2017-06-13 |
published | 2017-06-12 |
reporter | Kelly Correll |
source | https://packetstormsecurity.com/files/142901/VMware-vSphere-Data-Protection-5.x-6.x-Java-Deserialization.html |
title | VMware vSphere Data Protection 5.x / 6.x Java Deserialization |
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:93194 |
last seen | 2017-11-19 |
modified | 2017-06-12 |
published | 2017-06-12 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-93194 |
title | VMware vSphere Data Protection 5.x/6.x - Java Deserialization(CVE-2017-4914) |
References
- http://www.securityfocus.com/bid/98939
- http://www.securitytracker.com/id/1038617
- http://www.vmware.com/security/advisories/VMSA-2017-0010.html
- https://www.exploit-db.com/exploits/42152/