Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.9.4 build 2995 contains a code injection vulnerability

2013-11-22T00:00:00
ID VU:893462
Type cert
Reporter CERT
Modified 2017-10-18T17:27:00

Description

Overview

Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995 and possibly earlier versions contain a code injection vulnerability (CWE-94).

Description

CWE-94: Improper Control of Generation of Code ('Code Injection')

Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995 and possibly earlier versions contain a code injection vulnerability. By default, this software package is configured to run with system privileges. A remote unauthenticated attacker can craft a URL that utilizes the software's file import function to upload malicious files or execute arbitrary code.

For example:
http://www.example.com/VhttpdMgr?action=importFile&fileName={BACKDOOR}


Impact

A remote unauthenticated attacker may be able to upload malicious files or execute arbitrary code with system privileges.


Solution

Update

Thomson Reuters has released hotfix 6429: Security fix hot-fix for Velocity Analytics to address this vulnerability. Users affected by this vulnerability are advised to download the fix from the Customer Zone.


Restrict access to the Analytic Server interface

Restrict access to the Thomson Reuters Velocity Analytics Vhayu Analytic Server interface to trusted networks. If possible, configure management and transit networks for separate VLANs, or restrict access to the device using IP access lists.
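As an added detection example (not part of the CERT note or of the vendor's software), the following script scans web-server access log lines for requests to the importFile action described above and flags those that originate outside the trusted networks the mitigation recommends; the log format, the trusted address ranges and the sample lines are assumptions constructed for the example.

```python
"""Detection example for VU#893462 (added here; not from CERT or Thomson Reuters).

Scans access-log lines for requests to the Vhayu Analytic Server file-import
action (/VhttpdMgr?action=importFile) and reports those arriving from outside
the trusted management networks. Log format and network ranges are assumptions.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.10.5.4 - - [22/Nov/2013:10:01:02 +0000] "GET /VhttpdMgr?action=status HTTP/1.1" 200 512
198.51.100.23 - - [22/Nov/2013:10:02:17 +0000] "GET /VhttpdMgr?action=importFile&fileName=update.dll HTTP/1.1" 200 64
10.10.5.9 - - [22/Nov/2013:10:03:40 +0000] "GET /VhttpdMgr?action=importFile&fileName=report.csv HTTP/1.1" 200 64
203.0.113.7 - - [22/Nov/2013:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 1024
"""

# Assumed management network; any other source is treated as untrusted.
TRUSTED_NETS = [ipaddress.ip_network("10.10.5.0/24")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_trusted(ip: str) -> bool:
    """True if the source address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_import_requests(log_text: str) -> list[dict]:
    """Return one finding per request that invokes the importFile action."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a recognisable access-log line
        parts = urlsplit(m.group("target"))
        if parts.path != "/VhttpdMgr":
            continue
        params = parse_qs(parts.query)
        if "importFile" not in params.get("action", []):
            continue
        findings.append({
            "source": m.group("ip"),
            "timestamp": m.group("ts"),
            "file_name": params.get("fileName", [""])[0],
            "trusted_source": is_trusted(m.group("ip")),
        })
    return findings

def untrusted_import_requests(log_text: str) -> list[dict]:
    """Only the import requests that came from outside the trusted networks."""
    return [f for f in find_import_requests(log_text) if not f["trusted_source"]]
```

Feed the functions your real access log text instead of SAMPLE_LOG; any non-empty result from untrusted_import_requests warrants review of the host, since the import action runs with system privileges by default.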


Vendor Information


Thomson Reuters: Affected

Notified: October 16, 2013 Updated: January 23, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

For customers who have TREP-VA deployed on platforms which are in trusted networks and do not allow inbound connections from untrusted networks, the HTTP interface would not be vulnerable.

Vendor References

  • <https://customers.reuters.com/a/support/technical/softwaredownload/download.aspx?productVersionReleaseId=20287>
  • <https://customers.reuters.com/a/support/paz/Default.aspx?pId=9117>

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal | 7.3 | E:U/RL:W/RC:UC
Environmental | 1.8 | CDP:N/TD:L/CR:ND/IR:ND/AR:ND

References

  • <http://cwe.mitre.org/data/definitions/94.html>
  • <http://thomsonreuters.com/enterprise-platform-velocity-analytics/>
  • <https://customers.reuters.com/a/support/technical/softwaredownload/download.aspx?productVersionReleaseId=20287>

Acknowledgements

Thanks to Eduardo Gonzalez Lainez for reporting this vulnerability.

This document was written by Adam Rauf.

Other Information

CVE IDs: | CVE-2013-5912
---|---
Date Public: | 2013-11-21
Date First Published: | 2013-11-22
Date Last Updated: | 2017-10-18 17:27 UTC
Document Revision: | 38