Avamar: How to address Security Vulnerabilities or a Common Vulnerabilities and Exposures (CVE) on Avamar systems

Summary: This article shows how customers can address a security vulnerability on their Avamar system.

Not all product versions are identified in this article.

Instructions

This article is for customers who have noticed a security vulnerability or a Common Vulnerabilities and Exposures (CVE) entry, or who have received a report from an automated scanning tool.
  1. Check whether the vulnerabilities are addressed in the Avamar Security Rollup Release Notes.
  2. Check whether the latest Avamar Security Rollup (AvPlatformOSRollup) is installed.
  3. If the vulnerabilities are already addressed in the Rollup, schedule installation with the Avamar Upgrade Team.
  4. If the vulnerability is not addressed in the Avamar Security Rollup, open a service request with the Dell Technologies Avamar Customer Support team to address the vulnerability.

Note: Do not install any software or patch on the Avamar system that is not provided by Avamar Engineering. 

Additional Information

How to check installed software on the Avamar System.

  • Software in Avamar is provided as an Avamar Package (AVP) and installed using the Avamar Installation Manager (AVI).
  • Log in to AVI with root credentials at https://<servername>/avi, where <servername> is the hostname or IP address of the Avamar system.
  • Select the History tab to check for previously installed hotfixes and patches.
 
 

Where to find the latest Avamar Security Rollup (Product Security Rollup)
  • The Security Rollup can be downloaded from the Avamar Support Site. 
  • Select the Update kit and download the Platform Security Rollup.  Always download the latest file.  The example below shows 2020 R4. 
 
Where to find Security Advisories. 


 

Scenario 1: If the latest OS security rollup is not installed, install it first by following the steps below:


1. How to install Security Rollup:

  • Customers with Avamar Hardware (ADS) can reach out to the Avamar scheduling team to install the Security Rollup.
  • Customers using Avamar Virtual Edition can download and install the Rollup themselves. Check KB 169784 for more information.

2. Re-run the security scan once Avamar has the latest AvPlatformOSRollup:

  • Once Avamar has the latest AvPlatformOSRollup installed, update the security scanning tool to its latest release and then re-run the scan.
  • Any scan or manual assessment performed before the latest AvPlatformOSRollup is installed would not provide useful results.
 

Scenario 2: If the vulnerability is not addressed, open a service request with the Avamar Support team and provide the following information:
 

  • The name of the scanning tool being used and the version/update level
  • A copy of the scan report
  • All information about the business impact (Note: This is typically based on the severity level of the vulnerability)
  • Provide the names of the systems and the IPs and ports that are affected, according to the scan report.
  • For each vulnerability reported in the scan, provide:

a) A CVE ID (https://nvd.nist.gov/) if not already given in the scan report
b) A web link to the third-party vendor alert, where there is one.
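
The triage described in steps 1 to 4 and the Scenario 2 checklist can be scripted. The following is an added example, not Dell or Avamar code: it assumes the scan report was exported as CSV with the hypothetical columns host, ip, port, severity and finding, and that the Security Rollup release notes were saved as plain text. All CVE IDs, hosts and ports in it are constructed placeholders.

```python
import csv
import io
import re

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)

# Constructed sample data: placeholder CVE IDs, hosts and ports, not real findings.
RELEASE_NOTES_TEXT = """\
AvPlatformOSRollup (constructed excerpt)
Fixed: CVE-2099-0001, CVE-2099-0002
Fixed: cve-2099-0003
"""
SCAN_REPORT_CSV = """\
host,ip,port,severity,finding
ave01,192.0.2.10,443,High,OpenSSL issue (CVE-2099-0001)
ave01,192.0.2.10,22,Medium,SSH issue CVE-2099-0042
ave02,192.0.2.11,443,High,TLS issue CVE-2099-0002 and CVE-2099-0077
ave02,192.0.2.11,8543,Low,Banner disclosure
"""

def cves_in(text):
    """Return the set of CVE IDs found in free text, normalised to upper case."""
    return {m.upper() for m in CVE_RE.findall(text)}

def triage(scan_csv, release_notes):
    """Split scan findings by whether the rollup release notes list the CVE."""
    fixed = cves_in(release_notes)
    in_rollup, for_sr, no_cve = [], [], []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        found = cves_in(row["finding"])
        if not found:
            no_cve.append(row)  # Scenario 2 asks for a CVE ID: look one up first
            continue
        for cve in sorted(found):
            item = {"host": row["host"], "ip": row["ip"], "port": row["port"],
                    "severity": row["severity"], "cve": cve,
                    "nvd": "https://nvd.nist.gov/vuln/detail/" + cve}
            (in_rollup if cve in fixed else for_sr).append(item)
    return in_rollup, for_sr, no_cve

if __name__ == "__main__":
    in_rollup, for_sr, no_cve = triage(SCAN_REPORT_CSV, RELEASE_NOTES_TEXT)
    print("Addressed in rollup (schedule installation, then rescan):")
    for i in in_rollup:
        print("  {cve} {host} {ip}:{port}".format(**i))
    print("Not in rollup (include in the service request):")
    for i in for_sr:
        print("  {cve} {host} {ip}:{port} {severity} {nvd}".format(**i))
    print("Findings without a CVE ID:", len(no_cve))
```

Findings that carry no CVE ID are returned separately so that an ID can be looked up before the service request is opened.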


More articles

  • KB 169784 - Installing the latest Avamar Platform Security Rollup on the Avamar Proxy and the NetWorker External Proxy 
 

Affected Products

Avamar, Avamar Server, Avamar Virtual Edition

Products

Avamar
Article Properties
Article Number: 000021586
Article Type: How To
Last Modified: 04 Sep 2024
Version:  6