lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1BF8853173D9704A93EF882F85952A89337644@MX304CL04.corp.emc.com>
Date: Mon, 30 Oct 2017 15:58:33 +0000
From: EMC Product Security Response Center <Security_Alert@....com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] ESA-2017-141: EMC AppSync Hardcoded Password Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-141: EMC AppSync Hardcoded Password Vulnerability

EMC Identifier: ESA-2017-141
CVE Identifier: CVE-2017-14376
Severity Rating: CVSS v3 Base Score: 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected products:  
EMC AppSync Server versions prior to 3.5.0.1

Summary:  
EMC AppSync contains database accounts with hardcoded passwords that could potentially be exploited by malicious users to compromise the affected system. 
Details:  
EMC AppSync contains hardcoded passwords for database accounts with administrative privileges. Affected accounts are "apollosuperuser" and "apollouser".  An attacker with local access to the database and knowledge of the password may potentially gain unauthorized access to the database. Note: Remote access to AppSync PostgreSQL is disabled. 

Resolution:  
The following EMC AppSync release contains resolutions to this vulnerability:
*	EMC AppSync Sever version 3.5.0.1

EMC recommends all customers upgrade at the earliest opportunity. 

Link to remedies:

Customers can download software from https://download.emc.com/downloads/DL86785
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZ7h0YAAoJEHbcu+fsE81Zz9kIAJ3puILiaWmCsebGYVo22dYo
Qms98bsMF0zGca2In42vf6gCnpm0AmCgSjBGUpqH3v4HsDljmpoPxyrgQ0KHnkSz
WbjfUfmsQUeDqvjAVlnafUpJoKkRjaQGV8dAi4g16WNeiUDhk1iQF75tes9DQwlL
mCEpyFWOVc3lXgTt6jJ89PxB0sJ+k+UB28iEhbIMzMLCuAXdb6g7oCgWu1zvNYE5
BWrM633vsYIg9jB7kYeRtiLcErOJzxCX83z2CtQ05GJSBwi1Kzlm3kGuOXgltWqB
U6qUnkv+1UTeK6mm3xdA/UopTTuQHMla9esF0XQoU2uYDkwAMofvtUuthEp9QKk=
=9qT5
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ