
As you probably remember, VMware vSphere Data Protection (VDP) is VMware's own backup solution, included in every vSphere edition from Essentials Plus upward and first introduced with vSphere 5.1.

VMware has, however, declared its End of Availability (EOA): vSphere 6.5 was the last vSphere release to ship this product.

VMware prefers to concentrate on the vSphere Storage APIs – Data Protection framework (VADP) instead, ideally with more attention to the quality of that framework itself.

Some users still rely on VDP, though, and now is the right moment to plan an alternative, not least because several critical vulnerabilities have been disclosed in VMSA-2018-0029.

At the moment the advisory covers four distinct issues (descriptions quoted from VMSA-2018-0029):

  • Remote code execution vulnerability – VDP contains a remote code execution vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-11066 to this issue.
  • Open redirection vulnerability – VDP contains an open redirection vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to redirect application users to arbitrary web URLs by tricking the victim users to click on maliciously crafted links. The vulnerability could be used to conduct phishing attacks that cause users to unknowingly visit malicious sites.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-11067 to this issue.
  • Command injection vulnerability – The ‘getlogs’ troubleshooting utility in VDP contains an OS command injection vulnerability. A malicious admin user may potentially be able to execute arbitrary commands under root privilege.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-11076 to this issue.
  • Information exposure vulnerability – VDP contains an information exposure vulnerability. VDP Java management console’s SSL/TLS private key may be leaked in the VDP Java management client package. The private key could potentially be used by an unauthenticated attacker on the same data-link layer to initiate a MITM attack on management console users.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2018-11077 to this issue.
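Two of the four items are classic untrusted-input flaws: a redirect parameter trusted as-is, and arguments interpolated into an OS command by a troubleshooting helper. The following Python is an added illustration of the vulnerable pattern next to its hardened form for both classes; it is not VMware code and makes no claim about how VDP's redirect handler or its 'getlogs' utility are actually implemented. The `LOG_SETS` paths and the `/tmp` output directory are constructed for the demo.

```python
"""Generic vulnerable-vs-hardened patterns for open redirection and
OS command injection. Example code added for illustration; NOT VDP code."""
import re
from urllib.parse import urlsplit

# --- Open redirection ------------------------------------------------------

def redirect_target_vulnerable(next_param: str) -> str:
    # Vulnerable pattern: the 'next' parameter is trusted as-is, so a link like
    # ?next=https://evil.example/ sends the victim off-site after login.
    return next_param

def redirect_target_hardened(next_param: str, fallback: str = "/") -> str:
    """Return next_param only if it is a same-site, path-only URL; else fallback."""
    if not next_param or len(next_param) > 2048:
        return fallback
    # Control characters / whitespace: some browsers strip them before parsing.
    if re.search(r"[\x00-\x20\x7f]", next_param):
        return fallback
    # Browsers treat backslashes as slashes, so '/\\evil.example' is off-site.
    if "\\" in next_param:
        return fallback
    # Browsers collapse any number of leading slashes into an authority
    # ('///evil.example' -> https://evil.example/), which urlsplit does not.
    if next_param.startswith("//"):
        return fallback
    parts = urlsplit(next_param)
    # Any scheme (https:, javascript:) or authority means a foreign target.
    if parts.scheme or parts.netloc:
        return fallback
    if not parts.path.startswith("/"):
        return fallback
    return next_param

# --- OS command injection in a log-collection helper -----------------------

# Constructed allowlist: which log set name maps to which path (demo values).
LOG_SETS = {"system": "/var/log/messages", "backup": "/var/log/backup.log"}

def getlogs_vulnerable(log_set: str, out_file: str) -> str:
    # Vulnerable pattern: user-controlled strings spliced into a shell line that
    # the service then runs with shell=True as root. log_set = 'system; id'
    # appends a second command.
    return f"tar czf /tmp/{out_file} {LOG_SETS.get(log_set, log_set)}"

def getlogs_hardened(log_set: str, out_file: str) -> list[str]:
    """Build an argv list from allowlisted values only; no shell is involved."""
    if log_set not in LOG_SETS:
        raise ValueError(f"unknown log set: {log_set!r}")
    # Output name: plain file name, no path separators, fixed extension.
    if not re.fullmatch(r"[A-Za-z0-9_.-]+\.tgz", out_file):
        raise ValueError(f"bad output name: {out_file!r}")
    # Caller executes this with subprocess.run(argv, check=True), never shell=True.
    return ["tar", "czf", f"/tmp/{out_file}", LOG_SETS[log_set]]
```

The redirect check is deliberately a reject-by-default: it does not try to enumerate evil hosts but accepts only a relative path that cannot acquire a scheme or authority once a browser normalises it. The command-injection fix has the same shape, an allowlist plus an argv list, which removes the shell from the picture entirely rather than trying to escape metacharacters.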

Even though patches are available (VDP 6.1.10 and 6.0.9, linked below), this is a sign that the product is showing its age and may receive no further updates in the future. Until you have migrated, apply the fixed build, keep the management console reachable only from an administration network segment (the key-exposure issue above requires an attacker on the same data-link layer), and remember that the 'getlogs' issue turns any VDP admin account into root on the appliance.
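The fourth item above says the console's TLS private key may be shipped inside the Java management client package. The practical check is therefore to inspect the package you actually downloaded for key material. The following Python scanner is an added example, not VMware code: it walks a zip/jar (recursing into nested jars) and reports members containing PEM private-key blocks or a JKS keystore. The sample package it builds, including the file names and the fake key body, is constructed for the demo; a real VDP client package will be laid out differently.

```python
"""Scan a downloaded zip/jar client package for embedded private-key material.
Added example; not VMware code. Sample archive contents are constructed."""
import io
import re
import zipfile

# PEM markers for the private-key encodings a Java/TLS stack typically ships.
PEM_KEY_RE = re.compile(rb"-----BEGIN (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
# Java KeyStore (JKS) files start with the magic 0xFEEDFEED.
JKS_MAGIC = b"\xfe\xed\xfe\xed"
MAX_DEPTH = 3  # nested archives to descend into (bounded to avoid zip-bomb games)

def find_private_key_material(archive_bytes: bytes, depth: int = 0) -> list[str]:
    """Return member names (outer!inner for nested jars) that hold key material."""
    findings: list[str] = []
    if depth > MAX_DEPTH:
        return findings
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if data[:2] == b"PK":  # nested zip/jar: scan its members, not the blob
                try:
                    inner = find_private_key_material(data, depth + 1)
                except zipfile.BadZipFile:
                    inner = []
                findings.extend(f"{info.filename}!{m}" for m in inner)
            elif PEM_KEY_RE.search(data):
                findings.append(info.filename)
            elif data.startswith(JKS_MAGIC):
                # A keystore may hold only trusted certs; flag it for a keytool check.
                findings.append(f"{info.filename} (JKS keystore; check for PrivateKeyEntry)")
    return findings

def build_demo_package() -> bytes:
    """Constructed sample package for the demo (not a real VDP download)."""
    fake_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"Q09OU1RSVUNURURfTk9UX0FfUkVBTF9LRVk=\n"  # constructed, not a real key
                b"-----END RSA PRIVATE KEY-----\n")
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as j:
        j.writestr("com/example/Client.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        j.writestr("conf/console.pem", fake_key)
    pkg = io.BytesIO()
    with zipfile.ZipFile(pkg, "w") as p:
        p.writestr("README.txt", b"constructed demo package\n")
        p.writestr("lib/client.jar", jar.getvalue())
        p.writestr("conf/console.jks", JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 8)
    return pkg.getvalue()

if __name__ == "__main__":
    for hit in find_private_key_material(build_demo_package()):
        print("key material:", hit)
```

Run it against the real download with `find_private_key_material(open("client.zip", "rb").read())`. A PEM hit is conclusive; a JKS hit still needs `keytool -list -v` to tell a truststore from a keystore with a PrivateKeyEntry. If the key does turn up, treat the console certificate as compromised and re-issue it after patching, since every copy of the client ever downloaded carries the same key.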

See also: Security flaws in VMware vSphere Data Protection (Falle di sicurezza in VMware vSphere Data Protection)

Fixed release for the 6.1 branch: vSphere Data Protection (VDP) 6.1.10

Downloads and Documentation:

https://my.vmware.com/group/vmware/details?productId=491&downloadGroup=VDP6110

https://www.vmware.com/support/pubs/vdr_pubs.html

Fixed release for the 6.0 branch: vSphere Data Protection (VDP) 6.0.9

Downloads and Documentation:

https://my.vmware.com/group/vmware/details?productId=491&downloadGroup=VDP60_9

https://www.vmware.com/support/pubs/vdr_pubs.html


Virtualization, Cloud and Storage Architect. Tech Field delegate. VMUG IT Co-Founder and board member. VMware VMTN Moderator and vExpert 2010-24. Dell TechCenter Rockstar 2014-15. Microsoft MVP 2014-16. Veeam Vanguard 2015-23. Nutanix NTC 2014-20. Several certifications including: VCDX-DCV, VCP-DCV/DT/Cloud, VCAP-DCA/DCD/CIA/CID/DTA/DTD, MCSA, MCSE, MCITP, CCA, NPP.