Carlos Perez

**Name of the Vulnerable Software and Affected Versions** Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18 Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21 Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514 Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 **Description** An arbitrary file upload issue was discovered, allowing a remote authenticated malicious user to upload arbitrary maliciously crafted files in any location on the web server. This could potentially be exploited by chaining with another issue, allowing an attacker to use a default account. **Recommendations** For Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18, update to version 8.4.0.18 or later. For Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21, update to version 8.4.0.21 or later. For Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514, update to version 8.4.0.514 or later. For Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4, update to a version later than 1.4.

**Name of the Vulnerable Software and Affected Versions** Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18 Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21 Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514 Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4 **Description** The issue is related to the use of hardcoded credentials in the vApp Manager component of Dell EMC Unisphere for VMAX, Dell EMC Solutions Enabler, Dell EMC VASA Virtual Appliances, and Dell EMC VMAX Embedded Management (eManagement). This allows a remote attacker to gain unauthorized access to the system using certain web servlets and the knowledge of the hardcoded password. The undocumented default account `smc` with a hardcoded password is the key factor in this issue. **Recommendations** For Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 8.4.0.18, update to version 8.4.0.18 or later. For Dell EMC Solutions Enabler Virtual Appliance versions prior to 8.4.0.21, update to version 8.4.0.21 or later. For Dell EMC VASA Virtual Appliance versions prior to 8.4.0.514, update to version 8.4.0.514 or later. For Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4, update to a version later than 1.4. As a temporary workaround, consider restricting access to the vulnerable web servlets until a patch is available.

**Name of the Vulnerable Software and Affected Versions** HP StorageWorks P2000 G3 MSA array systems (affected versions not specified) **Description** The issue allows remote attackers to read arbitrary files via a pathname in the URI, due to an absolute path traversal vulnerability in the web interface. This vulnerability can be exploited to access sensitive information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.