-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ESA-2017-099: EMC AppSync SQL Injection Vulnerability EMC Identifier: ESA-2017-099 CVE Identifier: CVE-2017-8015 Severity Rating: CVSS v3 Base Score: 8.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L) Affected products: EMC AppSync all versions prior to 3.5 Summary: EMC AppSync contains a SQL injection vulnerability that could potentially be exploited by malicious users to compromise the affected system. Details: EMC AppSync is affected by a SQL injection vulnerability. Attackers could potentially exploit this vulnerability to access information, modify data or disrupt certain services by causing execution of arbitrary SQL commands on the application using default Apollo framework user accounts "apollo" and "test". Resolution: The following EMC AppSync release contains resolution to this vulnerability: * EMC AppSync version 3.5 and later (security patch "AppSync Security Update for SQL Injection Vulnerability" is required on top of version 3.5) As part of mitigation, default Apollo framework user accounts "apollo" and "test" have been also removed as they are not used by AppSync application. EMC recommends all customers upgrade at the earliest opportunity. Link to remedies: Customers can download AppSync 3.5 software from https://support.emc.com/downloads/25364_AppSync Customers can download the security patch "AppSync Security Update for SQL Injection Vulnerability" from https://download.emc.com/downloads/DL86269 Credit: EMC would like to thank rgod working with Trend Micro's Zero Day Initiative for reporting this vulnerability. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJZr//7AAoJEHbcu+fsE81ZIx8IAINfysHyM6BKb8SHjOJHKj/5 xgQ4DMSTE3CCK91Uo4J47G19C3eas5nfMjiHz4/0+laqSqLePOkckK63zMteH7WE 2WNOJXQwRoJtDV0xPt6WlJgkCgvk4o5u+KdYJUG98YJWZBAlU1zuTQ3HgJf3UgKW 2WTvprKLY+jl6QuMu3K5Sr4OlU+Vy0X+uspqaOZ1L+ITf9oHWrPvQnMqjXoniOcO wtjKOCCxUciXVIowPcX7S8DH9ikZO0mCj2s88HjGu5gI6fEx1VOCne8tssbbKvoB pvGFtNSbeJ/EcoAyA9SORH9urzS9kxd6891+QiJzgIkqfP1LBJ36XywtRA73sN0= =E38G -----END PGP SIGNATURE-----