VCE Vision(TM) Intelligent Operations Cryptographic / Cleartext Issues

2015.06.18
Credit: VCE
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 VCE3570: VCE Vision(TM) Intelligent Operations Cryptographic and Cleartext Vulnerabilities CVE Identifier: CVE-2015-4056, CVE-2015-4057 Severity Rating: CVSSv2 Base Score: See below for individual scores for each CVE Affected products: VCE Vision Intelligent Operations prior to 2.6.5 Summary: VCE Vision(TM) software versions prior to 2.6.5 have been identified to contain security vulnerabilities that may potentially be leveraged by a malicious user to obtain sensitive information Details: Weak Cryptographic Scheme (CVE-2015-4056) Weak cryptographic scheme in the VCE Vision(TM) System Library that can result in access to sensitive information by an authenticated administrative user Exploitation requires that an attacker login as root to a VCE Vision System Library virtual machine where the potential exists for sensitive system credential information in several VCE Vision application configuration files to be accessed in an unauthorized manner. CVSS v2 Base Score: 6.6 (AV:L/AC:M/Au:N/C:C/I:C/A:P) Cleartext Transmission (CVE-2015-4057) Cleartext transmission issue in the VCE Vision(TM) Plug-in for VMware vCenter for VCE Vision software that could be exploited by attackers to obtain password information The VCE Vision admin user password is reflected in cleartext when the user loads the Settings screen of the VCE Vision Plug-in for VMware vCenter via a web browser. CVSS v2 Base Score: 5.4 (AV:A/AC:M/Au:N/C:P/I:P/A:P) Resolution: These vulnerabilities are fixed in VCE Vision software 2.6.5 and above. Customers should upgrade to VCE Vision software 2.6.5 at their earliest opportunity. Link to remedies: VCE Vision software version 2.6.5 can be located within the VCE(TM) Download Center by logging into http://support.vce.com > VCE Download Center > VCE Software and VCE Software Documentation for VCE Converged Infrastructure Systems>Respective Vblock VCE Software Addendum You can find the VCE Vision software version 2.6.5 upgrade guide in the VCE Download Center by logging into http://support.vce.com > VCE Download Center > respective Vblock System model >VBXXX VCE Software Documentation>VCE Vision Intelligent Operations Documentation for Vblock System XXX If you have any questions, contact VCE(TM) Support. Read and use the information in this VCE Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact VCE Technical Support. VCE recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. VCE Company, LLC distributes VCE Security Advisories, in order to bring to the attention of users of the affected VCE products, important security information. VCE recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. VCE disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall VCE or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if VCE or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. VCE Product Security Incident Response Team vcepsirt () vce com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJVgO5aAAoJEFsFEWrxf5544rgQAM0RYTqP7KI8rfVGuArJXBwc yEbEgv0Fc7rv8k1LWAIxRni1S+5mZtiIw+RXQUbsy7s3uh4ro1Wmp+XwbutTHQpb Cp2Nd0REkVm24hpyEGlcGvhicnEsKj27gqNUkYi8h/mCK4pqEU3wfw4SbfKF4bpv Nn85xwxDmC2TwJHJGGbRwPcx1pgAWO7sYHSpO0JAvKlf2Yrvw5FS2tzLEdJ/Te6K nJ4of77v+7CvnmJ7peskvgOdnIEmLUT6nZwi0TcIT/htm5N29qIfdq8kafEwMSmU jrpqWI6XEQtPm6F6jm/5CvT4rJm8Uaa9jcCA9t+XSF0116Ovkj3AiWNmegK21Cfa VWTYn7a/eV1+BTItr+yXISa8oqQMhAM7E25ALxHvXYCeG1xzxUNFjeJ/zh80JN+G UoZBPn4tUK6cVZuKcECW4blXirP73R8+H/xQFkKqRI5COgKgW0urJAW9WEgufyax CjTR3eQjtfztmiQYmUXSp6EdK/cRi6tFWUTZFRvqvWJ+3+28TeNs8+nyWBFF+Jro IWtFx+npyOnCP+jTsFHu4vaOuq6DOusu9kaf+WQk/R7O6BqosTCbL3Xnie8OeM8T 56Nq6NNtmXa2gVNceDcAfACD1kkzxviaZWBvMERMvUp+ELBGRxgwVkPiCKWMmoUW mJBCpzsvzdVN8ZWKcWXE =oRil -----END PGP SIGNATURE-----


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top