lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 6 Sep 2017 14:10:11 +0000
From: EMC Product Security Response Center <Security_Alert@....com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] ESA-2017-099: EMC AppSync SQL Injection Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-099: EMC AppSync SQL Injection Vulnerability

EMC Identifier: ESA-2017-099
CVE Identifier: CVE-2017-8015
Severity Rating: CVSS v3 Base Score: 8.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)

Affected products:  
EMC AppSync all versions prior to 3.5

Summary:  
EMC AppSync contains a SQL injection vulnerability that could potentially be exploited by malicious users to compromise the affected system. 
Details:  

EMC AppSync is affected by a SQL injection vulnerability.  Attackers could potentially exploit this vulnerability to access information, modify data or disrupt certain services by causing execution of arbitrary SQL commands on the application using default Apollo framework user accounts "apollo" and "test". 

Resolution:  
The following EMC AppSync release contains resolution to this vulnerability: 
*	EMC AppSync version 3.5 and later (security patch "AppSync Security Update for SQL Injection Vulnerability" is required on top of version 3.5)

As part of mitigation, default Apollo framework user accounts "apollo" and "test" have been also removed as they are not used by AppSync application. 

EMC recommends all customers upgrade at the earliest opportunity. 

Link to remedies:

Customers can download AppSync 3.5 software from https://support.emc.com/downloads/25364_AppSync
Customers can download the security patch "AppSync Security Update for SQL Injection Vulnerability" from https://download.emc.com/downloads/DL86269 


Credit:
EMC would like to thank rgod working with Trend Micro's Zero Day Initiative for reporting this vulnerability.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZr//7AAoJEHbcu+fsE81ZIx8IAINfysHyM6BKb8SHjOJHKj/5
xgQ4DMSTE3CCK91Uo4J47G19C3eas5nfMjiHz4/0+laqSqLePOkckK63zMteH7WE
2WNOJXQwRoJtDV0xPt6WlJgkCgvk4o5u+KdYJUG98YJWZBAlU1zuTQ3HgJf3UgKW
2WTvprKLY+jl6QuMu3K5Sr4OlU+Vy0X+uspqaOZ1L+ITf9oHWrPvQnMqjXoniOcO
wtjKOCCxUciXVIowPcX7S8DH9ikZO0mCj2s88HjGu5gI6fEx1VOCne8tssbbKvoB
pvGFtNSbeJ/EcoAyA9SORH9urzS9kxd6891+QiJzgIkqfP1LBJ36XywtRA73sN0=
=E38G
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists