List:       full-disclosure
Subject:    [FD] ESA-2017-141: EMC AppSync Hardcoded Password Vulnerability
From:       EMC Product Security Response Center <Security_Alert () emc ! com>
Date:       2017-10-30 15:58:33
Message-ID: 1BF8853173D9704A93EF882F85952A89337644 () MX304CL04 ! corp ! emc ! com
ESA-2017-141: EMC AppSync Hardcoded Password Vulnerability

EMC Identifier: ESA-2017-141
CVE Identifier: CVE-2017-14376
Severity Rating: CVSS v3 Base Score: 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected products:  
EMC AppSync Server versions prior to 3.5.0.1

Summary:
EMC AppSync contains database accounts with hardcoded passwords that could potentially be exploited by malicious users to compromise the affected system.

Details:
EMC AppSync contains hardcoded passwords for database accounts with administrative privileges. Affected accounts are "apollosuperuser" and "apollouser". An attacker with local access to the database and knowledge of the password may potentially gain unauthorized access to the database. Note: Remote access to AppSync PostgreSQL is disabled.
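The advisory's mitigating factor is that the PostgreSQL instance accepts no remote connections, so a defender's first check is whether any pg_hba.conf rule would let the two named accounts in from off-host. The following is an added audit script, not part of the advisory or of EMC's software; it assumes a standard PostgreSQL pg_hba.conf layout, and the sample file below is constructed for illustration.

```python
import ipaddress

# Accounts named in ESA-2017-141 as shipping with hardcoded passwords.
HARDCODED_ACCOUNTS = {"apollosuperuser", "apollouser"}

# Constructed sample pg_hba.conf (not taken from an AppSync install).
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER             ADDRESS        METHOD
local   all       all                             peer
host    all       all              127.0.0.1/32   md5
host    all       all              ::1/128        md5
hostssl apollo    apollosuperuser  10.0.0.0/8     md5
host    all       all              0.0.0.0/0      trust
"""

def _is_remote(address):
    """True if the ADDRESS field admits clients beyond the server's own host."""
    if address == "samehost":
        return False
    try:
        return not ipaddress.ip_network(address, strict=False).is_loopback
    except ValueError:
        # Hostnames, "samenet" etc. cannot be resolved offline; treat as reachable off-host.
        return True

def audit_pg_hba(text):
    """Return the pg_hba rules that expose a hardcoded-password account off-host."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type = fields[0]
        if conn_type == "local" or len(fields) < 5:
            continue  # Unix-socket rules are not reachable remotely; skip malformed lines
        if len(fields) >= 6 and fields[4][0].isdigit():
            # Address given as IP plus a separate netmask column
            address, method = f"{fields[3]}/{fields[4]}", fields[5]
        else:
            address, method = fields[3], fields[4]
        users = {u.lstrip("+") for u in fields[2].split(",")}
        exposed = HARDCODED_ACCOUNTS if "all" in users else users & HARDCODED_ACCOUNTS
        if exposed and _is_remote(address):
            findings.append({"line": lineno, "type": conn_type, "users": sorted(exposed),
                             "address": address, "method": method})
    return findings

if __name__ == "__main__":
    for f in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"pg_hba line {f['line']}: {f['type']} {f['address']} {f['method']} -> {f['users']}")
```

An empty result only covers pg_hba.conf; listen_addresses in postgresql.conf and host firewall rules should be confirmed separately, and the upgrade to 3.5.0.1 remains the actual fix.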

Resolution:
The following EMC AppSync release contains resolutions to this vulnerability:
*	EMC AppSync Server version 3.5.0.1

EMC recommends all customers upgrade at the earliest opportunity. 

Link to remedies:

Customers can download software from https://download.emc.com/downloads/DL86785

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
