cohesity / secadvisory Goto Github PK

July 2, 2019 FN21

A man-in-the-middle vulnerability related to vCenter access was found in Cohesity DataPlatform version 5.x and 6.x prior to 6.1.1c. Cohesity clusters did not verify TLS certificates presented by vCenter.

This vulnerability could expose Cohesity user credentials configured to access vCenter. Exposure is limited to vCenter only environments that have strict TLS certificate requirements.

To remediate the vulnerability, Cohesity recommends upgrading to Cohesity DataPlatform 6.1.1e or above. Customers currently on release 6.1.1c or above are not vulnerable to this issue and can disregard this notice.

Software downloads are available here: http://downloads.cohesity.com If you have any questions, please reach out to Cohesity Support.

email: [email protected]

Missing SSL Certificate Validation

Cohesity, Inc

Cohesity DataPlatform - Affected versions are Cohesity DataPlatform versions 5.x, 6.x prior to 6.1.1c. This is remediated in versions 6.1.1c and 6.2.

vCenter communications.

Remote

True

To exploit the vulnerability, someone must be able to present the Cohesity cluster with a forged vCenter TLS certificate.

True

Cohesity acknowledges the efforts of Karlsruhe Institute of Technology researcher Thorsten Tuellmann who identified the vulnerability and participated in its responsible disclosure.