CVE-2017-4947 - OpenCVE

VMware vRealize Automation (7.3 and 7.2) and vSphere Integrated Containers (1.x before 1.3) contain a deserialization vulnerability via Xenon. Successful exploitation of this issue may allow remote attackers to execute arbitrary code on the appliance.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

Vendors & Products
CPE Configurations

Vendors	Products
Vmware	Vsphere Integrated Containers Vrealize Automation

Configuration 1 [-]

OR	cpe:2.3:a:vmware:vrealize_automation:7.2.0:::::::*
	cpe:2.3:a:vmware:vrealize_automation:7.3.0:::::::*

Configuration 2 [-]

cpe:2.3:a:vmware:vsphere_integrated_containers:*:*:*:*:*:*:*:*

References

Link	Resource
http://www.securityfocus.com/bid/102852	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1040289	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1040290	Third Party Advisory VDB Entry
https://www.vmware.com/security/advisories/VMSA-2018-0006.html	Patch Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: vmware

Published: 2018-01-26T00:00:00

Updated: 2023-06-27T14:20:58.305Z

Reserved: 2016-12-26T00:00:00

Link: CVE-2017-4947

JSON object: View

NVD Information

Status : Modified

Published: 2018-01-29T16:29:00.730

Modified: 2023-06-27T15:15:09.240

Link: CVE-2017-4947

JSON object: View

Redhat Information

No data.

CWE

CWE-502

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "vRealize Automation", "vendor": "VMware", "versions": [{"status": "affected", "version": "7.3 and 7.2"}]}, {"defaultStatus": "unaffected", "product": "vSphere Integrated Containers", "vendor": "VMware", "versions": [{"status": "affected", "version": "1.x before 1.3"}]}], "datePublic": "2018-01-26T00:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>VMware vRealize Automation (7.3 and 7.2) and vSphere Integrated Containers (1.x before 1.3) contain a deserialization vulnerability via Xenon. Successful exploitation of this issue may allow remote attackers to execute arbitrary code on the appliance.</p>"}], "value": "VMware vRealize Automation (7.3 and 7.2) and vSphere Integrated Containers (1.x before 1.3) contain a deserialization vulnerability via Xenon. Successful exploitation of this issue may allow remote attackers to execute arbitrary code on the appliance.\n\n"}], "problemTypes": [{"descriptions": [{"description": "Deserialization vulnerability via Xenon", "lang": "en"}]}], "providerMetadata": {"orgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "shortName": "vmware", "dateUpdated": "2023-06-27T14:20:58.305Z"}, "references": [{"name": "102852", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102852"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.vmware.com/security/advisories/VMSA-2018-0006.html"}, {"name": "1040289", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1040289"}, {"name": "1040290", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id/1040290"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security@vmware.com", "DATE_PUBLIC": "2018-01-26T00:00:00", "ID": "CVE-2017-4947", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "vRealize Automation", "version": {"version_data": [{"version_value": "7.3 and 7.2"}]}}, {"product_name": "vSphere Integrated Containers", "version": {"version_data": [{"version_value": "1.x before 1.3"}]}}]}, "vendor_name": "VMware"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "VMware Realize Automation (7.3 and 7.2) and vSphere Integrated Containers (1.x before 1.3) contain a deserialization vulnerability via Xenon. Successful exploitation of this issue may allow remote attackers to execute arbitrary code on the appliance."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Deserialization vulnerability via Xenon"}]}]}, "references": {"reference_data": [{"name": "102852", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102852"}, {"name": "https://www.vmware.com/security/advisories/VMSA-2018-0006.html", "refsource": "CONFIRM", "url": "https://www.vmware.com/security/advisories/VMSA-2018-0006.html"}, {"name": "1040289", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1040289"}, {"name": "1040290", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id/1040290"}]}}}}, "cveMetadata": {"assignerOrgId": "dcf2e128-44bd-42ed-91e8-88f912c1401d", "assignerShortName": "vmware", "cveId": "CVE-2017-4947", "datePublished": "2018-01-26T00:00:00", "dateReserved": "2016-12-26T00:00:00", "dateUpdated": "2023-06-27T14:20:58.305Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:vrealize_automation:7.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "C4DF73CC-89C0-4C85-8F17-C34E435504B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:vmware:vrealize_automation:7.3.0:*:*:*:*:*:*:*", "matchCriteriaId": "DAF6B998-574C-4CB7-A142-CE4E8F82E5E9", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vmware:vsphere_integrated_containers:*:*:*:*:*:*:*:*", "matchCriteriaId": "3950B3DF-A706-491B-AE01-7A1F81999177", "versionEndExcluding": "1.3.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "VMware vRealize Automation (7.3 and 7.2) and vSphere Integrated Containers (1.x before 1.3) contain a deserialization vulnerability via Xenon. Successful exploitation of this issue may allow remote attackers to execute arbitrary code on the appliance.\n\n"}, {"lang": "es", "value": "VMware Realize Automation (7.3 y 7.2) y vSphere Integrated Containers (1.x anteriores a 1.3) contienen una vulnerabilidad de deserializaci\u00f3n mediante Xenon. La explotaci\u00f3n con \u00e9xito de este problema podr\u00eda permitir que atacantes remotos ejecuten c\u00f3digo arbitrario en la aplicaci\u00f3n."}], "id": "CVE-2017-4947", "lastModified": "2023-06-27T15:15:09.240", "metrics": {"cvssMetricV2": [{"acInsufInfo": true, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-01-29T16:29:00.730", "references": [{"source": "security@vmware.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102852"}, {"source": "security@vmware.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1040289"}, {"source": "security@vmware.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securitytracker.com/id/1040290"}, {"source": "security@vmware.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.vmware.com/security/advisories/VMSA-2018-0006.html"}], "sourceIdentifier": "security@vmware.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "nvd@nist.gov", "type": "Primary"}]}