HackDig : Dig high-quality web security articles for hacker

ESA-2017-099: EMC AppSync SQL Injection Vulnerability

2017-09-08 11:20
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

ESA-2017-099: EMC AppSync SQL Injection Vulnerability

EMC Identifier: ESA-2017-099
CVE Identifier: CVE-2017-8015
Severity Rating: CVSS v3 Base Score: 8.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)

Affected products:
EMC AppSync all versions prior to 3.5

Summary:
EMC AppSync contains a SQL injection vulnerability that could potentially be exploited by malicious users to compromise
the affected system.
Details:

EMC AppSync is affected by a SQL injection vulnerability. Attackers could potentially exploit this vulnerability to
access information, modify data or disrupt certain services by causing execution of arbitrary SQL commands on the
application using default Apollo framework user accounts "apollo" and "test".

Resolution:
The following EMC AppSync release contains resolution to this vulnerability:
* EMC AppSync version 3.5 and later (security patch "AppSync Security Update for SQL Injection Vulnerability" is
required on top of version 3.5)

As part of mitigation, default Apollo framework user accounts "apollo" and "test" have been also removed as they are
not used by AppSync application.

EMC recommends all customers upgrade at the earliest opportunity.

Link to remedies:

Customers can download AppSync 3.5 software from https://support.emc.com/downloads/25364_AppSync
Customers can download the security patch "AppSync Security Update for SQL Injection Vulnerability" from
https://download.emc.com/downloads/DL86269


Credit:
EMC would like to thank rgod working with Trend Micro's Zero Day Initiative for reporting this vulnerability.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJZr//7AAoJEHbcu+fsE81ZIx8IAINfysHyM6BKb8SHjOJHKj/5
xgQ4DMSTE3CCK91Uo4J47G19C3eas5nfMjiHz4/0+laqSqLePOkckK63zMteH7WE
2WNOJXQwRoJtDV0xPt6WlJgkCgvk4o5u+KdYJUG98YJWZBAlU1zuTQ3HgJf3UgKW
2WTvprKLY+jl6QuMu3K5Sr4OlU+Vy0X+uspqaOZ1L+ITf9oHWrPvQnMqjXoniOcO
wtjKOCCxUciXVIowPcX7S8DH9ikZO0mCj2s88HjGu5gI6fEx1VOCne8tssbbKvoB
pvGFtNSbeJ/EcoAyA9SORH9urzS9kxd6891+QiJzgIkqfP1LBJ36XywtRA73sN0=
=E38G
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


Source: 41/peS/7102/erusolcsidlluf/gro.stsilces

Read:362 | Comments:0 | Tags: Vulnerability

“ESA-2017-099: EMC AppSync SQL Injection Vulnerability”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)

Tools

Tag Cloud