This post is also available in: Italian

Reading Time: 3 minutes

As you probably know, VMware vSphere Data Protection (VDP) is the builtin “backup solution” for vSphere and was first introduced with vSphere 5.1 (see VDP: the new VDR in vSphere 5.1). But VMware has decided its End of Availability (EOA) and VMware vSphere 6.5 was the last release to include vSphere Data Protection and future vSphere releases will no longer include this product.

VMware want to focusing its investments on vSphere Storage APIs – Data Protection to further strengthen the vSphere backup partner ecosystem that provides better 3rd part native backup products. For sure it’s a great sign for the backup and data protection ecosystem.

Anyway there are still customer using this product and maybe it’s time to change it.

Also considering the several recent security issues describe in VMSA-2018-0029.

There are at least four serius problems:

  • Remote code execution vulnerability – VDP contains a remote code execution vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-11066 to this issue.
  • Open redirection vulnerability – VDP contains an open redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-11067 to this issue.
  • Command injection vulnerability – The ‘getlogs’ troubleshooting utility in VDP contains an OS command injection vulnerability. A malicious admin user may potentially be able to execute arbitrary commands under root privilege.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-11076 to this issue.

Information exposure vulnerability – VDP contains an information exposure vulnerability. VDP Java management console’s SSL/TLS private key may be leaked in the VDP Java management client package. The private key could potentially be used by an unauthenticated attacker on the same data-link layer to initiate a MITM attack on management console users.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-11077 to this issue.

Also if there are some patches to fix this issues, it’s not a good sign that so many problem have been found and found a more mature and complete options could be the right approach.

PS: it’s funny that the current Foundation and VCP-DCV exams have still a lot of questions about this product, but of course, new version of those exams will just move it to the dustbin.

During this time just apply the patches and check if new issues are found.

vSphere Data Protection (VDP) 6.1.10

Downloads and Documentation:

https://my.vmware.com/group/vmware/details?productId=491&downloadGroup=VDP6110

https://www.vmware.com/support/pubs/vdr_pubs.html

vSphere Data Protection (VDP) 6.0.9

Downloads and Documentation:

https://my.vmware.com/group/vmware/details?productId=491&downloadGroup=VDP60_9

https://www.vmware.com/support/pubs/vdr_pubs.html

Andrea MauroAbout Andrea Mauro (2918 Posts)

Virtualization, Cloud and Storage Architect. Tech Field delegate. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert 2010-18. Dell TechCenter Rockstar 2014-15. Microsoft MVP 2014-16. Veeam Vanguard 2015-18. Nutanix NTC 2014-18. PernixPro 2014-16. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.


Share