| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Jan 2018 14:19:42 +0000 From: EMC Product Security Response Center <Security_Alert@....com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] ESA-2018-001: EMC Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance Multiple Security Vulnerabilities -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 ESA-2018-001: EMC Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance Multiple Security Vulnerabilities EMC Identifier: ESA-2018-001 CVE Identifier: CVE-2017-15548, CVE-2017-15549, CVE-2017-15550 Severity Rating: See below for each CVE. Affected products: EMC Avamar Server 7.1.x, 7.2.x, 7.3.x, 7.4.x, 7.5.0 EMC NetWorker Virtual Edition (NVE) 9.0.x, 9.1.x, 9.2.x EMC Integrated Data Protection Appliance 2.0 Summary: EMC Avamar Server, NetWorker Virtual Edition and Integrated Data Protection Appliance contain a common component, Avamar(r) Installation Manager (AVI), that is vulnerable to multiple security vulnerabilities that could be exploited by malicious users to compromise the affected systems. Details: Authentication bypass vulnerability (CVE-2017-15548) A remote unauthenticated malicious user can potentially bypass application authentication and gain unauthorized root access to the affected systems. CVSSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) Arbitrary file upload vulnerability (CVE-2017-15549) A remote authenticated malicious user with low privileges could potentially upload arbitrary maliciously crafted files in any location on the server file system. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) Path traversal vulnerability (CVE-2017-15550) A remote authenticated malicious user with low privileges could access arbitrary files on the server file system in the context of the running vulnerable application. CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) Resolution: EMC recommends all customers install the patches below for their respective product versions at the earliest opportunity: EMC Avamar Server version 7.1.2 - HOTFIX 290550 EMC Avamar Server version 7.2.1 - HOTFIX 290025 EMC Avamar Server version 7.3.1 - HOTFIX 290316 EMC Avamar Server version 7.4.1 - HOTFIX 289959 EMC Avamar Server version 7.5.0 - HOTFIX 289958 EMC NetWorker Virtual Edition version 9.0.x, 9.1.x, 9.2.x - HOTFIX 290317 EMC Integrated Data Protection Appliance version 2.x - HOTFIX 581676 Workaround: Disable Avamar Installation Manager (AVI). Link To Remedies: Registered EMC Online Support customers can download the hotfix from the links below: EMC Avamar: EMC Avamar Server version 7.1.2 - HOTFIX 290550 EMC Avamar Server version 7.2.1 - HOTFIX 290025 EMC Avamar Server version 7.3.1 - HOTFIX 290316 EMC Avamar Server version 7.4.1 - HOTFIX 289959 EMC Avamar Server version 7.5.0 - HOTFIX 289958 For Avamar hotfix installation instructions, refer to KB article 513978: How to install Avamar hotfix using installation manager EMC NetWorker: EMC NetWorker Virtual Edition 9.0.x, 9.1.x, 9.2.x - HOTFIX 290317 See the corresponding NetWorker version Cumulative hotfixes document available at https://support.emc.com/downloads/1095_NetWorker for download details. For hotfix installation instructions, refer to KB article 514377: NetWorker Virtual Edition (NVE): How to install a hotfix EMC Integrated Data Protection Appliance: Customers should contact Integrated Data Protection Appliance to receive the hotfix 581676 Credit: EMC would like to thank Michael Cramer, Vulnerability Research Team, Digital Defense Inc for reporting these issues. [The following is standard text included in all security advisories. Please do not change or delete.] Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867. For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with particular security vulnerability. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2 iQEcBAEBCAAGBQJaTjZ4AAoJEHbcu+fsE81ZlYAH/2EoFh9d93K3oy54sgLisDuR sNUPrUNxXSRsnFVUubZ/AF7eJcNAEUwIdcoameMK61iwMx1B8C4hEKFBdHf/mYEn cy9dBqlr/7dbsEyH3PP4EoK9CT3nPkq4QnlQW6NyRGyX8SEpX9x7WtL7YQDmKtVw xh1tj4ayqfzd7RimE2yDRZl7qqFd3FeC3G5q2HrD2Inoc5w44m01KQs33/0wUiQM EwHk0+zEVGpR6ed8a9bvQ+ciw1lX2fW0Q2Pw6MUoMowDa5JUaGSuxe2BpwsI9RT+ euuvgHPCGti6n7nQTuqntYSLhsED8egjPC8xji/tbd+SW6F2UB3Esaiavxbagpo= =XXmy -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists