[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] DSA-2018-158: Dell EMC ESRS Policy Manager Remote Code Execution Vulnerability
From: <secure () Dell ! com>
Date: 2018-09-24 16:24:31
Message-ID: 1e433553fdf34a47ae88d62a1e27e815 () AUSX13MPS306 ! AMER ! DELL ! COM
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
DSA-2018-158: Dell EMC ESRS Policy Manager Remote Code Execution Vulnerability
Dell EMC Identifier: DSA-2018-158
CVE Identifier: CVE-2018-15764
Severity Rating: Critical
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected products:
Dell EMC ESRS Policy Manager, all versions.
Summary:
Dell EMC ESRS Policy Manager requires a workaround to address a remote code execution \
vulnerability that could potentially be exploited by malicious users to compromise the affected \
system.
Details:
Dell EMC ESRS Policy Manager versions 6.8 and prior contain a remote code execution \
vulnerability due to improper configurations of triggered JMX services. A remote \
unauthenticated attacker may potentially exploit this vulnerability to execute arbitrary code \
in the server's JVM.
Resolution:
Dell EMC recommends all customers disable the JMX service at the earliest opportunity. Follow \
the steps documented in KB Article 522932, Dell EMC ESRS Policy Manager 6.x: How to disable \
JMX-RMI from listening on ports 32850 and 32851<https://support.emc.com/kb/522932>
Severity Rating
For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307 \
(https://support.emc.com/kb/468307). Dell EMC recommends all customers take into account both \
the base score and any relevant temporal and environmental scores which may impact the \
potential severity associated with particular security vulnerability.
Legal Information
Read and use the information in this Dell EMC Security Advisory to assist in avoiding any \
situation that might arise from the problems described herein. If you have any questions \
regarding this advisory, contact Dell EMC Technical Support \
(https://support.emc.com/servicecenter/contactEMC/). Dell EMC distributes Dell EMC Security \
Advisories, in order to bring to the attention of users of the affected Dell EMC products, \
important security information. Dell EMC recommends that all users determine the applicability \
of this information to their individual situations and take appropriate action. The information \
set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all \
warranties, either express or implied, including the warranties of merchantability, fitness for \
a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, \
be liable for any damages whatsoever including direct, indirect, incidental, consequential, \
loss of bus iness profits or special damages, even if Dell EMC or its suppliers have been \
advised of the possibility of such damages. Some states do not allow the exclusion or \
limitation of liability for consequential or incidental damages, so the foregoing limitation \
may not apply.
Dell Product Security Incident Response Team
secure@dell.com<mailto:secure@dell.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEP5nobPoCj3pTvhAZgSlofD2Yi6cFAlupDNsACgkQgSlofD2Y
i6eWVQ/+IcNsIDQzo6YnUnsvIMTOYXjAunHG2Ryrtb89XI3eVN30j5r9V3J/LvZ8
e3vEFJ/C3KsXj/yEv5c/vNeeLaqGMpSVmJM96+l6SEc76I5LFxzGe5r4MmdsO0k5
Eb7K5YUwEI8OQRt4Jtod16tYzejXiZ74DU+K2VDb6Cfh1ox0mXxD9G0bdqxcztTY
zm9Ot8jTA5I5Xielt1RnIRYiU5HeOcCDiegGRXsAlJ58ISk529BLWJzvLn1tW0OW
5XUrJvNVzE5pYFjDCTfUJNGA4j/ZIHP9WpW0L5wHiGLrUiTbzfJotc6PuxH0j4BT
ekFOcrRZi3r+axTRIaon3IpY89C1wBv17sd2vYtttDIjJ0KjMBT4QbrooxOLlMwH
BZP2KzmwL3a77/nnx/hONj1syPD3FQX/utB9DUk5r6rL/GZB7CFKWXI/nQVdYcrO
BSNQG60uUDjK+sKaFhWrqqifcId46Fr27BuLdJ5/EQpeOgc7fZEtaTBg1NsJ43c7
vtbRsz7xorAN7lwZBoz9a5mrfeJq7CgWTM9gpTYpXxPhEBZsM6k4wLSA8a7IBK3P
eks7bQaU+zQrkVp8KIMCpQJfcnzGIF/nKV0/1KBQgx8vWnul8I0rOmwQJsdbF+Gs
0Tcbl6+dMRrwhftYJSW5IrBIA8KcyIRbMvkEwjWVQdznWYtuBGg=
=SYEg
-----END PGP SIGNATURE-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic