Article Number: 000153594
Critical
Summary:
The Appliance Configuration Manager (ACM) virtual machine within Dell EMC Integrated Data Protection Appliance requires a security update to address a vulnerability.
The component is updated for the following vulnerability:
CVE-2020-1938
9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
For more information about any of the Common Vulnerabilities and Exposures (CVEs) mentioned here, consult the National Vulnerability Database (NVD) at http://nvd.nist.gov/home.cfm.
To search for a particular CVE, use the database's search utility at http://web.nvd.nist.gov/view/vuln/search.
Affected products:
Dell EMC Integrated Data Protection Appliance 2.0
Dell EMC Integrated Data Protection Appliance 2.1
Dell EMC Integrated Data Protection Appliance 2.2
Dell EMC Integrated Data Protection Appliance 2.3
Dell EMC Integrated Data Protection Appliance 2.4
Dell EMC Integrated Data Protection Appliance 2.5
Remediation:
Follow the steps below to mitigate the vulnerability on the Appliance Configuration Manager (ACM) virtual machine in the Integrated Data Protection Appliance.
Log in to the Appliance Configuration Manager (ACM) virtual machine as the root user using an SSH client such as PuTTY, and execute the following:
Stop ACM webapp:
service dataprotection_webapp stop
Edit the file /usr/local/dataprotection/tomcat/conf/server.xml using the vi editor:
vi /usr/local/dataprotection/tomcat/conf/server.xml
Remove the following AJP connector line for port 8009:
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Save the file and exit the editor.
Start ACM webapp:
service dataprotection_webapp start
Note: A hotfix will be made available for Dell EMC Integrated Data Protection Appliance version 2.5 and is targeted for Q3 2020.
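To confirm the workaround took effect after the webapp is restarted, the following shell check (an added example, not part of the Dell advisory) looks for any AJP connector still active in server.xml and for a listener on port 8009. The function names are hypothetical; the default path and port are the ones given in the steps above.

```shell
#!/bin/sh
# Added verification example; not part of the Dell advisory.

# Print each active (not commented-out) <Connector> whose protocol is AJP.
# Handles <!-- --> comments and elements that span several lines.
# Assumes double-quoted attribute values, as in the advisory line.
active_ajp_connectors() {
    awk '
        { buf = buf $0 " " }                       # flatten file to one string
        END {
            while ((s = index(buf, "<!--")) > 0) { # strip XML comments
                rest = substr(buf, s + 4)
                e = index(rest, "-->")
                if (e == 0) { buf = substr(buf, 1, s - 1); break }
                buf = substr(buf, 1, s - 1) substr(rest, e + 3)
            }
            n = split(buf, el, "<")                # one entry per element
            for (i = 2; i <= n; i++)
                if (el[i] ~ /^Connector[ \t]/ &&
                    tolower(el[i]) ~ /protocol="[^"]*ajp/) {
                    sub(/>.*/, ">", el[i]); print "<" el[i]
                }
        }' "$1"
}

# Return 0 if a TCP listener exists on port $1 (ss and netstat both put the
# local address in column 4). With neither tool installed this reports
# "not listening", so confirm one of them is present on the VM.
port_listening() {
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } |
        awk -v p=":$1\$" '$4 ~ p { found = 1 } END { exit !found }'
}

# Check the file and the port; defaults are the path and port from the advisory.
verify_mitigation() {
    xml="${1:-/usr/local/dataprotection/tomcat/conf/server.xml}"
    port="${2:-8009}"
    rc=0
    hits=$(active_ajp_connectors "$xml") || return 2
    if [ -n "$hits" ]; then
        echo "FAIL: active AJP connector in $xml:"; echo "$hits"; rc=1
    fi
    if port_listening "$port"; then
        echo "FAIL: TCP port $port is still listening"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: no AJP connector in $xml, port $port closed"
    return "$rc"
}
```

Source the file in the root shell on the ACM virtual machine and run `verify_mitigation`; a return code of 0 means both checks passed, 1 means the connector or the listener is still present, and 2 means server.xml could not be read.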
Integrated Data Protection Appliance Family
22 May 2021
4
Dell Security Advisory