DSA-2021-204: Dell EMC Avamar, Dell EMC NetWorker Virtual Edition (NVE), and Dell EMC PowerProtect DP Series Appliance or Dell EMC Integrated Data Protection Appliance (IDPA) Security Update for Multiple Vulnerabilities

摘要: Dell EMC Avamar, Dell EMC NetWorker Virtual Edition (NVE), and Dell EMC PowerProtect DP Series Appliance or Dell EMC Integrated Data Protection Appliance (IDPA) remediation is available for multiple vulnerabilities that may be exploited by malicious users to compromise the affected system. ...

本文适用于 本文不适用于 本文并非针对某种特定的产品。 本文并非包含所有产品版本。
查看其他资源

影响

Critical

详情

Proprietary Code CVEs Description CVSSBase Score CVSS Vector String
CVE-2021-36316 Dell EMC Avamar Server versions 18.2, 19.1, 19.2, 19.3, and 19.4 contain an improper privilege management vulnerability in AUI. A malicious user with high privileges may potentially exploit this vulnerability, leading to the disclosure of the AUI information and performing some unauthorized operation on the AUI. 6.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
CVE-2021-36317 Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller. A local attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36318
 		 Dell EMC Avamar versions 18.2,19.1,19.2,19.3, and 19.4 contain a plain-text password storage vulnerability. A high privileged user may potentially exploit this vulnerability, leading to a complete outage. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
 
Third-party Component CVEs More Information
Multiple Third-Party Components See Release Notes https://dl.dell.com/content/docu106677_avamar-platform-os-security-patch-rollup-2021r2-release-notes.pdf?language=en_us
Proprietary Code CVEs Description CVSSBase Score CVSS Vector String
CVE-2021-36316 Dell EMC Avamar Server versions 18.2, 19.1, 19.2, 19.3, and 19.4 contain an improper privilege management vulnerability in AUI. A malicious user with high privileges may potentially exploit this vulnerability, leading to the disclosure of the AUI information and performing some unauthorized operation on the AUI. 6.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
CVE-2021-36317 Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller. A local attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36318
 		 Dell EMC Avamar versions 18.2,19.1,19.2,19.3, and 19.4 contain a plain-text password storage vulnerability. A high privileged user may potentially exploit this vulnerability, leading to a complete outage. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
 
Third-party Component CVEs More Information
Multiple Third-Party Components See Release Notes https://dl.dell.com/content/docu106677_avamar-platform-os-security-patch-rollup-2021r2-release-notes.pdf?language=en_us
Dell Technologies 建议所有客户考虑 CVSS 基本分数以及任何相关的时间和环境分数,这可能会影响与特定安全漏洞相关的潜在严重程度。

受影响的产品和补救措施

CVEs Addressed  Product Affected Versions Updated Versions Link to Update
CVE-2021-36316 Dell EMC Avamar Server 18.2 18.2.x 329036
 
19.1 19.1.x
 		 329037
19.2 19.2.x
 		 329038
19.3 19.3.x
 		 331250
19.4 19.4.x
 		 332282
Dell EMC PowerProtectData Protection Appliance (IDPA) 2.3 2.3.x 329036
2.4.x 2.4.x
2.5 2.5.x 329037
2.6.x 2.6.x 331250
2.7 2.7.x 332282
CVE-2021-36317 Dell EMC Avamar Server 19.4 19.4.x 332282
Dell EMC PowerProtect Data Protection Appliance (IDPA) 2.7 2.7.x
CVE-2021-36318 Dell EMC Avamar Server 18.2 18.2.x 332796
19.1 19.1.x 332795
19.2 19.2.x 332793
19.3 19.3.x 332792
19.4 19.4.x 333252
Dell EMC PowerProtect Data Protection Appliance (IDPA) 2.3 2.3.x 332796
2.4.x 2.4.x
2.5 2.5.x 332795
2.6.x 2.6.x 332792
2.7 2.7.x 333252
Multiple Third-Party Components
See Release Notes		 Dell EMC Avamar Server Hardware Appliance Gen4S or Gen4T Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4 Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4 AvPlatformOsRollup_2021-R2-v2.avp        
Version 19.2 running SUSE Linux Enterprise 12 SP4 Version 19.2.x running SUSE Linux Enterprise 12 SP4
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
Dell EMC Avamar Virtual Edition Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments) Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments) AvPlatformOsRollup_2021-R2-v2.avp               
Version 19.2 running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments) Version 19.2.x running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments) Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments)
Dell EMC Avamar NDMP Accelerator Version 18.2, 19.1, 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 11 SP4 Version 18.2.x, 19.1.x, 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 11 SP4
Version 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 12 SP4 Version 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 12 SP4
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
Dell EMC Avamar VMware Image Proxy Version 18.2 and 19.1 running SUSE Linux Enterprise 12 SP1 Version 18.2.x and 19.1.x running SUSE Linux Enterprise 12 SP1 Avamar Proxy Bundle 2021-R2-v2
 
Version 19.2 and 19.3 running SUSE Linux Enterprise 12 SP4 Version 19.2.x and 19.3.x running SUSE Linux Enterprise 12 SP4
Version 19.4 running SUSE Linux SUSE Linux Enterprise 12 SP5 Version 19.4.x running SUSE Linux SUSE Linux Enterprise 12 SP5
Dell EMC NetWorker Virtual Edition (NVE) Version 19.1, 19.2, and 19.3 running SUSE Linux Enterprise 11 SP4 Version 19.1.x, 19.2.x, and 19.3.x running SUSE Linux Enterprise 11 SP4 NvePlatformOsRollup_2021-R2-v2.avp
 
Version 19.4 and 19.5 running SUSE Linux Enterprise 12 SP5 Version 19.4.x and 19.5.x running SUSE Linux Enterprise 12 SP5
Dell EMC PowerProtect DP Series Appliance / Dell EMC Integrated Data Protection Appliance (IDPA) 2.3 2.3.x AvPlatformOsRollup_2021-R2-v2.avp 
2.4.x 2.4.x
2.5 2.5.x
2.6.x 2.6.x
2.7 2.7.x
 
Note:
The updated version is the version listed in the Updated Versions column applied with the OS rollup 2021-R2 or the latest OS rollup.

For CVE-2021-36316, CVE-2021-36317, and CVE-2021-36318, see KB article 69982: How to install an Avamar .avp hotfix using Avamar Installer (AVI) for instructions on applying the hotfix. It is recommended to schedule this activity.

See the following KB articles for Security Update (Rollup) Installation instructions: To schedule platform security patch installation or to upgrade your server, contact Dell EMC Customer Support at https://support.emc.com/.
CVEs Addressed  Product Affected Versions Updated Versions Link to Update
CVE-2021-36316 Dell EMC Avamar Server 18.2 18.2.x 329036
 
19.1 19.1.x
 		 329037
19.2 19.2.x
 		 329038
19.3 19.3.x
 		 331250
19.4 19.4.x
 		 332282
Dell EMC PowerProtectData Protection Appliance (IDPA) 2.3 2.3.x 329036
2.4.x 2.4.x
2.5 2.5.x 329037
2.6.x 2.6.x 331250
2.7 2.7.x 332282
CVE-2021-36317 Dell EMC Avamar Server 19.4 19.4.x 332282
Dell EMC PowerProtect Data Protection Appliance (IDPA) 2.7 2.7.x
CVE-2021-36318 Dell EMC Avamar Server 18.2 18.2.x 332796
19.1 19.1.x 332795
19.2 19.2.x 332793
19.3 19.3.x 332792
19.4 19.4.x 333252
Dell EMC PowerProtect Data Protection Appliance (IDPA) 2.3 2.3.x 332796
2.4.x 2.4.x
2.5 2.5.x 332795
2.6.x 2.6.x 332792
2.7 2.7.x 333252
Multiple Third-Party Components
See Release Notes		 Dell EMC Avamar Server Hardware Appliance Gen4S or Gen4T Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4 Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4 AvPlatformOsRollup_2021-R2-v2.avp        
Version 19.2 running SUSE Linux Enterprise 12 SP4 Version 19.2.x running SUSE Linux Enterprise 12 SP4
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
Dell EMC Avamar Virtual Edition Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments) Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments) AvPlatformOsRollup_2021-R2-v2.avp               
Version 19.2 running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments) Version 19.2.x running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments) Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments)
Dell EMC Avamar NDMP Accelerator Version 18.2, 19.1, 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 11 SP4 Version 18.2.x, 19.1.x, 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 11 SP4
Version 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 12 SP4 Version 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 12 SP4
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
Dell EMC Avamar VMware Image Proxy Version 18.2 and 19.1 running SUSE Linux Enterprise 12 SP1 Version 18.2.x and 19.1.x running SUSE Linux Enterprise 12 SP1 Avamar Proxy Bundle 2021-R2-v2
 
Version 19.2 and 19.3 running SUSE Linux Enterprise 12 SP4 Version 19.2.x and 19.3.x running SUSE Linux Enterprise 12 SP4
Version 19.4 running SUSE Linux SUSE Linux Enterprise 12 SP5 Version 19.4.x running SUSE Linux SUSE Linux Enterprise 12 SP5
Dell EMC NetWorker Virtual Edition (NVE) Version 19.1, 19.2, and 19.3 running SUSE Linux Enterprise 11 SP4 Version 19.1.x, 19.2.x, and 19.3.x running SUSE Linux Enterprise 11 SP4 NvePlatformOsRollup_2021-R2-v2.avp
 
Version 19.4 and 19.5 running SUSE Linux Enterprise 12 SP5 Version 19.4.x and 19.5.x running SUSE Linux Enterprise 12 SP5
Dell EMC PowerProtect DP Series Appliance / Dell EMC Integrated Data Protection Appliance (IDPA) 2.3 2.3.x AvPlatformOsRollup_2021-R2-v2.avp 
2.4.x 2.4.x
2.5 2.5.x
2.6.x 2.6.x
2.7 2.7.x
 
Note:
The updated version is the version listed in the Updated Versions column applied with the OS rollup 2021-R2 or the latest OS rollup.

For CVE-2021-36316, CVE-2021-36317, and CVE-2021-36318, see KB article 69982: How to install an Avamar .avp hotfix using Avamar Installer (AVI) for instructions on applying the hotfix. It is recommended to schedule this activity.

See the following KB articles for Security Update (Rollup) Installation instructions: To schedule platform security patch installation or to upgrade your server, contact Dell EMC Customer Support at https://support.emc.com/.

修订历史记录

RevisionDateDescription
1.02021-11-9Initial Release
1.12021-12-6Minor update to Affected Products and Remediation table. Added .x to end of versions
1.22022-01-19Minor update to Affected Products and Remediation table. Added .x to end of versions

相关信息

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

法律免责声明

受影响的产品

Avamar, NetWorker Family, Avamar, Avamar Plug-in for NDMP, Avamar Server, Avamar Virtual Edition, PowerProtect Data Protection Software, Integrated Data Protection Appliance Family, PowerProtect Data Protection Hardware , Integrated Data Protection Appliance Software, NetWorker, Product Security Information ...
文章属性
文章编号: 000193369
文章类型: Dell Security Advisory
上次修改时间: 19 1月 2022
从其他戴尔用户那里查找问题的答案
支持服务
检查您的设备是否在支持服务涵盖的范围内。