Dell EMC issued advisories and updates for a pair of vulnerabilities found in the company's Dell EMC VMAX Virtual Appliance (vApp) Manager.
The issues, which were posted to Seclists.org on February 14, are recorded as CVE-2018-1215 and CVE-2018-1216 and, when used together, can allow an attacker to compromise a system. The vApp Manager is embedded in Dell EMC Unisphere for VMAX Virtual Appliance versions prior to 220.127.116.11, Dell EMC Solutions Enabler Virtual Appliance versions prior to 18.104.22.168, Dell EMC VASA Virtual Appliance versions prior to 22.214.171.1244 and Dell EMC VMAX Embedded Management (eManagement) versions prior to and including 1.4.
CVE-2018-1215 is an arbitrary file upload vulnerability that, if exploited, would allow a threat actor to upload maliciously crafted files.
CVE-2018-1216 is a hard-coded password problem: the vApp Manager contains an undocumented default account with a hard-coded password. A remote attacker who knows this password and the proper message format may use vulnerable servlets to gain access to a system.
Dell has issued updates that fix the vulnerabilities, and the company is encouraging anyone running this software to apply the patch immediately.