VMware vSphere Data Protection product update addresses a certificate validation vulnerability.

a. VMware vSphere Data Protection certificate validation vulnerability

VMware vSphere Data Protection (VDP) does not fully validate SSL certificates coming from vCenter Server. This issue may allow a Man-in-the-Middle attack that enables the attacker to perform unauthorized backup and restore operations.

VMware would like to thank Thorsten Tüllmann of the Steinbuch Centre for Computing, KIT, Germany for reporting this issue to VMware and the EMC Product Security Response Center for working with us on the issue.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the identifier CVE-2014-4632 to this issue.

Column 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available.