VCE3570: VCE Vision(TM) Intelligent Operations Cryptographic and- Cleartext Vulnerabilities

From: VCE - PSIRT <>
To: '' <''>,'' <''>
Cc: VCE - PSIRT <>
Subject: VCE3570: VCE Vision(TM) Intelligent Operations Cryptographic and- Cleartext Vulnerabilities


Hash: SHA1

VCE3570: VCE Vision(TM) Intelligent Operations Cryptographic and Cleartext Vulnerabilities

CVE Identifier:  CVE-2015-4056, CVE-2015-4057

Severity Rating: CVSSv2 Base Score: See below for individual scores for each CVE

Affected products:  
        VCE Vision Intelligent Operations prior to 2.6.5

        VCE Vision(TM) software versions prior to 2.6.5 have been identified to contain security vulnerabilities that may potentially be leveraged by a malicious user to obtain sensitive information

    Weak Cryptographic Scheme (CVE-2015-4056) 
    Weak cryptographic scheme in the VCE Vision(TM) System Library that can result in access to sensitive information by an authenticated administrative user
     Exploitation requires that an attacker login as root to a VCE Vision System Library virtual machine where the potential exists for sensitive system credential information in several VCE Vision application configuration files to be accessed in an unauthorized manner.

  CVSS v2 Base Score: 6.6 (AV:L/AC:M/Au:N/C:C/I:C/A:P)

      Cleartext Transmission (CVE-2015-4057)
        Cleartext transmission issue in the VCE Vision(TM) Plug-in for VMware vCenter for VCE Vision software that could be exploited by attackers to obtain password information
     The VCE Vision admin user password is reflected in cleartext when the user loads the Settings screen of the VCE Vision Plug-in for VMware vCenter via a web browser.

        CVSS v2 Base Score: 5.4 (AV:A/AC:M/Au:N/C:P/I:P/A:P)

  These vulnerabilities are fixed in VCE Vision software 2.6.5 and above. Customers should upgrade to VCE Vision software 2.6.5 at their earliest opportunity.

Link to remedies:
     VCE Vision software version 2.6.5 can be located within the VCE(TM) Download Center by logging into > VCE Download Center > VCE Software and VCE Software Documentation for VCE Converged Infrastructure Systems>Respective Vblock VCE Software Addendum
        You can find the VCE Vision software version 2.6.5 upgrade guide in the VCE Download Center by logging into > VCE Download Center > respective Vblock System model >VBXXX VCE Software Documentation>VCE Vision Intelligent Operations Documentation for Vblock System XXX
 If you have any questions, contact VCE(TM) Support.

Read and use the information in this VCE Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact VCE Technical Support.
VCE recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability.

VCE Company, LLC distributes VCE Security Advisories, in order to bring to the attention of users of the affected VCE products, important security information. VCE recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. VCE disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall VCE or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if VCE or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

VCE Product Security Incident Response Team
vcepsirt () vce com
Version: GnuPG v1


Copyright © 1995-2019 All rights reserved.