|
Original release date: 2 November 2017
CVE ID
CVE-2017-10934
Affected Product
ZXIPTV-EPG
Affected Versions
All versions prior to V5.09.02.02T4
Description
All versions prior to V5.09.02.02T4 of the ZTE ZXIPTV-EPG product uses the Java RMI service in which the servers use the Apache Commons Collections (ACC) library that may result in Java deserialization vulnerabilities. An unauthenticated remote attacker can exploit the vulnerabilities by sending a crafted RMI request to execute arbitrary code on the target host.
Workaround
Ensure that all exposed ports used by the server, including the RMI registry port, are firewalled from any untrusted IP address.
Resolution
Users may upgrade or change to new versions after V5.09.02.02T4.
Credit
Thanks to Zhang Jinxin for reporting the security issues to ZTE PSIRT.
References
CVE-2017-10932 ( https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10932 )
Update Records
2 November 2017, initial.
ZTE PSIRT
If you need to feedback or report security vulnerabilities related to ZTE products, or get ZTE product security incident response service and vulnerability information, please contact ZTE PSIRT: psirt@zte.com.cn, PGP key ID: FF095577.
|