NEW VMSA-2014-0011 VMware vSphere Data Protection product update addresses a critical information disclosure vulnerability

VMware Security Advisory

Advisory ID: VMSA-2014-0011
Synopsis:    VMware vSphere Data Protection product update addresses a
             critical information disclosure vulnerability.
Issue date:  2014-10-22
Updated on:  2014-10-22 (Initial Advisory)
CVE number:  CVE-2014-4624

- ------------------------------------------------------------
------------

1. Summary

    VMware vSphere Data Protection product updates address a
    vulnerability that could lead to sensitive information disclosure.


2. Relevant releases

   VMware vSphere Data Protection 5.5 prior to 5.5.7


3. Problem Description

   a. VMware vSphere Data Protection (VDP) contains a vulnerability that
      may allow a remote user to retrieve sensitive account credentials
      from the affected VDP server using Java API calls. No
      authentication to the VDP server is required for this potential
      attack. Exposed information includes MCUser and GSAN account
      passwords of all grid systems that are being monitored in VPD
      Enterprise Manager.

      VMware would like to thank Jakub Mleczko from the Orange Poland
      security team for reporting this issue to EMC and the EMC Product
      Security Response Center for working with us on the issue.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the identifier CVE-2014-4624 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product    Running    Replace with/
      Product        Version    on           Apply Patch
      =============  =======    =======    =================
      VDP            5.8        any       not affected
      VDP            5.5        any       5.5.7
      VDP            5.1        any       not affected


4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   VMware vSphere Data Protection
   ----------
   Downloads:

https://my.vmware.com/web/vmware/details?productId=375&downloadGroup=VDPADV
55_7

   Documentation:
   https://www.vmware.com/support/vdr/doc/vdp_557_releasenotes.html


5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4624


- ------------------------------------------------------------------------

6. Change log

   2014-10-22 VMSA-2014-0011
   Initial security advisory for VDP 5.5.7 which was on released on
   2014-10-09.

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html

   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved