Main Vulnerability Database Vulnerabilities #VU37882

Command Injection in FusionSphere OpenStack - CVE-2017-8135

Published: November 22, 2017 / Updated: August 8, 2020

Vulnerability identifier: #VU37882

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber

CVE-ID: CVE-2017-8135

CWE-ID: CWE-77

Exploitation vector: Adjecent network

Exploit availability: No public exploit available

Vulnerable software:
FusionSphere OpenStack

Software vendor:
Huawei

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

The FusionSphere OpenStack with software V100R006C00 and V100R006C10 has a command injection vulnerability due to the insufficient input validation on four TCP listening ports. An unauthenticated attacker can exploit the vulnerabilities to gain root privileges by sending some messages with malicious commands.

Remediation

Install update from vendor's website.

External links

http://www.huawei.com/en/psirt/security-advisories/huawei-sa-20170531-01-openstack-en
http://www.securityfocus.com/bid/102262

Command Injection in FusionSphere OpenStack - CVE-2017-8135

Description

Remediation

External links

Please verify you're human