[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1BF8853173D9704A93EF882F85952A89337644@MX304CL04.corp.emc.com>
Date: Mon, 30 Oct 2017 15:58:33 +0000
From: EMC Product Security Response Center <Security_Alert@....com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] ESA-2017-141: EMC AppSync Hardcoded Password Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
ESA-2017-141: EMC AppSync Hardcoded Password Vulnerability
EMC Identifier: ESA-2017-141
CVE Identifier: CVE-2017-14376
Severity Rating: CVSS v3 Base Score: 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected products:
EMC AppSync Server versions prior to 3.5.0.1
Summary:
EMC AppSync contains database accounts with hardcoded passwords that could potentially be exploited by malicious users to compromise the affected system.
Details:
EMC AppSync contains hardcoded passwords for database accounts with administrative privileges. Affected accounts are "apollosuperuser" and "apollouser". An attacker with local access to the database and knowledge of the password may potentially gain unauthorized access to the database. Note: Remote access to AppSync PostgreSQL is disabled.
Resolution:
The following EMC AppSync release contains resolutions to this vulnerability:
* EMC AppSync Sever version 3.5.0.1
EMC recommends all customers upgrade at the earliest opportunity.
Link to remedies:
Customers can download software from https://download.emc.com/downloads/DL86785
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJZ7h0YAAoJEHbcu+fsE81Zz9kIAJ3puILiaWmCsebGYVo22dYo
Qms98bsMF0zGca2In42vf6gCnpm0AmCgSjBGUpqH3v4HsDljmpoPxyrgQ0KHnkSz
WbjfUfmsQUeDqvjAVlnafUpJoKkRjaQGV8dAi4g16WNeiUDhk1iQF75tes9DQwlL
mCEpyFWOVc3lXgTt6jJ89PxB0sJ+k+UB28iEhbIMzMLCuAXdb6g7oCgWu1zvNYE5
BWrM633vsYIg9jB7kYeRtiLcErOJzxCX83z2CtQ05GJSBwi1Kzlm3kGuOXgltWqB
U6qUnkv+1UTeK6mm3xdA/UopTTuQHMla9esF0XQoU2uYDkwAMofvtUuthEp9QKk=
=9qT5
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists