EMC AppSync contains a SQL injection vulnerability that could potentially be exploited by malicious users to compromise the affected system. All versions prior to 3.5 are affected.
84f1c0f58d34e8d308a382ba554482dd-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
ESA-2017-099: EMC AppSync SQL Injection Vulnerability
EMC Identifier: ESA-2017-099
CVE Identifier: CVE-2017-8015
Severity Rating: CVSS v3 Base Score: 8.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L)
Affected products:
EMC AppSync all versions prior to 3.5
Summary:
EMC AppSync contains a SQL injection vulnerability that could potentially be exploited by malicious users to compromise the affected system.
Details:
EMC AppSync is affected by a SQL injection vulnerability. Attackers could potentially exploit this vulnerability to access information, modify data or disrupt certain services by causing execution of arbitrary SQL commands on the application using default Apollo framework user accounts "apollo" and "test".
Resolution:
The following EMC AppSync release contains resolution to this vulnerability:
* EMC AppSync version 3.5 and later (security patch "AppSync Security Update for SQL Injection Vulnerability" is required on top of version 3.5)
As part of mitigation, default Apollo framework user accounts "apollo" and "test" have been also removed as they are not used by AppSync application.
EMC recommends all customers upgrade at the earliest opportunity.
Link to remedies:
Customers can download AppSync 3.5 software from https://support.emc.com/downloads/25364_AppSync
Customers can download the security patch "AppSync Security Update for SQL Injection Vulnerability" from https://download.emc.com/downloads/DL86269
Credit:
EMC would like to thank rgod working with Trend Micro's Zero Day Initiative for reporting this vulnerability.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQEcBAEBCAAGBQJZr//7AAoJEHbcu+fsE81ZIx8IAINfysHyM6BKb8SHjOJHKj/5
xgQ4DMSTE3CCK91Uo4J47G19C3eas5nfMjiHz4/0+laqSqLePOkckK63zMteH7WE
2WNOJXQwRoJtDV0xPt6WlJgkCgvk4o5u+KdYJUG98YJWZBAlU1zuTQ3HgJf3UgKW
2WTvprKLY+jl6QuMu3K5Sr4OlU+Vy0X+uspqaOZ1L+ITf9oHWrPvQnMqjXoniOcO
wtjKOCCxUciXVIowPcX7S8DH9ikZO0mCj2s88HjGu5gI6fEx1VOCne8tssbbKvoB
pvGFtNSbeJ/EcoAyA9SORH9urzS9kxd6891+QiJzgIkqfP1LBJ36XywtRA73sN0=
=E38G
-----END PGP SIGNATURE-----