VMware Security Advisory
Advisory ID: VMSA-2016-0024
Synopsis: vSphere Data Protection (VDP) updates address SSH Key-Based
Issue date: 2016-12-20
Updated on: 2016-12-20 (Initial Advisory)
CVE number: CVE-2016-7456
vSphere Data Protection (VDP) updates address SSH key-based
- Relevant Products
vSphere Data Protection (VDP)
- Problem Description
- VDP SSH key-based authentication issue
VDP contains a private SSH key with a known password that is configured
to allow key-based authentication. Exploitation of this issue may allow
an unauthorized remote attacker to log into the appliance with root
VMware would like to thank Marc Ströbel aka phroxvs from HvS-Consulting
for reporting this issue to VMware.
The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2016-7456 to this issue.
Column 5 of the following table lists the action required to remediate
the vulnerability in each release, if a solution is available.
VMware Product Running Replace with/ Mitigation/
Product Version on Severity Apply Patch Workaround
========== ========= ======= ======== ================ ==========
VDP 6.1.x VA Critical KB2147069 None
VDP 6.0.x VA Critical KB2147069 None
VDP 5.8.x VA Critical KB2147069 None
VDP 5.5.x VA Critical KB2147069 None
Please review the patch/release notes for your product and version and
verify the checksum of your downloaded file.
vSphere Data Protection
Downloads and Documentation:
- Change log
Initial security advisory in conjunction with the release of vSphere
Data Protection updates on 2016-12-20.
Created on December 20, 2016 by Rick Scherer
Posted under Alert.
This blog has 1,748 views.