Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995 and possibly earlier versions contain a code injection vulnerability (CWE-94).
CWE-94: Improper Control of Generation of Code ('Code Injection')
Thomson Reuters Velocity Analytics Vhayu Analytic Server version 6.94 build 2995 and possibly earlier versions contain a code injection vulnerability. By default, this software package is configured to run with system privileges. A remote unauthenticated attacker can craft a URL that utilizes the software's file import function to upload malicious files or execute arbitrary code.
A remote unauthenticated attacker may be able to upload malicious files or execute arbitrary code with system privileges.
Thomson Reuters has released hotfix 6429 (Security fix hot-fix for Velocity Analytics) to address this vulnerability. Users affected by this vulnerability are advised to download the fix from the Customer Zone.
Restrict access to the Analytic Server interface
Restrict access to the Thomson Reuters Velocity Analytics Vhayu Analytic Server interface to trusted networks. If possible, configure management and transit networks for separate VLANs, or restrict access to the device using IP access lists.
Notified: October 16, 2013 Updated: January 23, 2014
We have not received a statement from the vendor.
For customers who have TREP-VA deployed on platforms which are in trusted networks and do not allow inbound connections from untrusted networks, the HTTP interface would not be vulnerable.
Group | Score | Vector
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal | 7.3 | E:U/RL:W/RC:UC
Environmental | 1.8 | CDP:N/TD:L/CR:ND/IR:ND/AR:ND
Thanks to Eduardo Gonzalez Lainez for reporting this vulnerability.
This document was written by Adam Rauf.
CVE IDs: | CVE-2013-5912
Date Public: | 2013-11-21
Date First Published: | 2013-11-22
Date Last Updated: | 2017-10-18 17:27 UTC
Document Revision: | 38