DSA-2020-160: Dell EMC Avamar and NetWorker Security Update for Multiple Component Vulnerabilities

Summary: Multiple components within Dell EMC Avamar and NetWorker require a security update to address various vulnerabilities.


Impact

Critical

Details


This security patch is a set of security updates for various third-party software components installed on the Avamar and NetWorker nodes. The patch addresses multiple security vulnerabilities in those components. The patch applies to all Avamar and NetWorker products running on the SLES platforms listed in the affected products section. The products include Avamar single-node servers, multi-node servers, accelerator nodes, Avamar Virtual Edition systems, NetWorker Virtual Edition systems, Avamar Combined Proxy, and Avamar Plug-in for vCloud Director.

This security patch also updates Java JRE to version 8u251 for Avamar Server 7.4 and later, Avamar Proxy 7.5.0 and later, NetWorker Virtual Edition 18.x and later, Dell EMC vCloud Director Data Protection Extension versions 2.0.6 and later, and Dell EMC Avamar NDMP Accelerator 7.4 and later.

This security patch also updates Tomcat to version 8.5.53 for Avamar Server 7.4 and later.
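A post-patch check against the two component baselines named above (JRE 8u251, Tomcat 8.5.53), as an added example that is not Dell EMC tooling. It assumes the text of `java -version` and of Tomcat's `version.sh` has been captured from each node; the node names and sample output are constructed.

```python
import re

# Baselines stated in the advisory: JRE 8u251 and Tomcat 8.5.53.
JRE_BASELINE = (8, 251)
TOMCAT_BASELINE = (8, 5, 53)

def parse_jre(text):
    """(major, update) from legacy `java -version` output such as "1.8.0_251"."""
    m = re.search(r'version "1\.(\d+)\.\d+(?:_(\d+))?', text)
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None

def parse_tomcat(text):
    """(major, minor, patch) from the "Server version" line of Tomcat's version.sh."""
    m = re.search(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(g) for g in m.groups()) if m else None

def check_node(java_out, tomcat_out=None):
    """Return a list of findings; an empty list means the node meets both baselines."""
    findings = []
    jre = parse_jre(java_out)
    if jre is None:
        findings.append("JRE version not recognised")
    elif jre < JRE_BASELINE:
        findings.append("JRE %du%d is below 8u251" % jre)
    if tomcat_out is not None:  # Tomcat is only checked where it is installed
        tc = parse_tomcat(tomcat_out)
        if tc is None:
            findings.append("Tomcat version not recognised")
        elif tc[:2] != TOMCAT_BASELINE[:2]:
            # A different release line cannot be ordered against 8.5.53.
            findings.append("Tomcat %d.%d.%d is not on the 8.5 line, check manually" % tc)
        elif tc < TOMCAT_BASELINE:
            findings.append("Tomcat %d.%d.%d is below 8.5.53" % tc)
    return findings

# Constructed sample output (hypothetical node names, not from the advisory).
SAMPLES = {
    "ave-01": ('java version "1.8.0_241"', "Server version: Apache Tomcat/8.5.50"),
    "ave-02": ('java version "1.8.0_251"', "Server version: Apache Tomcat/8.5.53"),
    "proxy-01": ('openjdk version "1.8.0_232"', None),
}

def audit(samples=SAMPLES):
    return {node: check_node(*outs) for node, outs in samples.items()}

if __name__ == "__main__":
    for node, findings in sorted(audit().items()):
        print(node, "OK" if not findings else "; ".join(findings))
```

Pass `tomcat_out` only for nodes where Tomcat is installed; per the advisory the Tomcat update applies to Avamar Server 7.4 and later.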

See NVD (http://nvd.nist.gov/) for individual scores for each CVE
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

Affected products:

  • Dell EMC Avamar Server hardware appliance Gen4S with versions 7.4 and later running SUSE Linux Enterprise 11 SP1
  • Dell EMC Avamar Server hardware appliance Gen4T with versions 7.4 and later running SUSE Linux Enterprise 11 SP3
  • Dell EMC Avamar Server hardware appliance Gen4S/Gen4T with versions 7.4 and later running SUSE Linux Enterprise 11 SP4
  • Dell EMC Avamar Server hardware appliance Gen4S/Gen4T with versions 19.2 running SUSE Linux Enterprise 12 SP4
  • Dell EMC Avamar Server hardware appliance Gen4S/Gen4T with versions 19.3 running SUSE Linux Enterprise 12 SP5
  • Dell EMC Avamar Virtual Edition versions 7.4 and later running SUSE Linux Enterprise 11 SP3
  • Dell EMC Avamar Virtual Edition versions 7.4 and later running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments since 7.5.1)
  • Dell EMC Avamar Virtual Edition versions 19.2 running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)
  • Dell EMC Avamar Virtual Edition versions 19.3 running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments)
  • Dell EMC Avamar NDMP Accelerator 7.4 and later running SUSE Linux Enterprise 11 SP1, SP3 and 12 SP4
  • Dell EMC Avamar VMware Image Proxy versions 7.4 and later running SUSE Linux Enterprise 11 SP1 or SUSE Linux Enterprise 11 SP3
  • Dell EMC Avamar VMware Image Proxy versions 7.5.1 and later running SUSE Linux Enterprise 12 SP1 or SUSE Linux Enterprise 12 SP4
  • Dell EMC NetWorker Virtual Edition (NVE) versions 18.x and later running SUSE Linux Enterprise 11 SP3 or SP4
  • Dell EMC vCloud Director Data Protection Extension versions 2.0.6 and later running SUSE Linux Enterprise 11 SP3
  • Dell EMC Integrated Data Protection Appliance (IDPA) 2.0, 2.1, 2.2, 2.3, 2.4 and 2.5


Note:
The CVEs remedied by this security update are listed in the Release Notes.  The Release Notes list not only the new CVEs remedied by this update, but all the past CVEs included in this cumulative update.

For Dell EMC Avamar Servers running SUSE Linux Enterprise 11 SP1/SP3, because those OS versions are end of life, the security update only remedies CVEs that SUSE remedies and updates some third-party packages, such as JRE and Tomcat. It is recommended to upgrade Avamar servers to SUSE Linux Enterprise 11 SP4 prior to applying the OS Security Update.


Apply the platform security patch to Avamar software version 7.4 and later and to NetWorker Virtual Edition.

The following platform security patch packages are now available to be installed:

The Security Update for Avamar Virtual Edition and NetWorker Virtual Edition is customer installable. Refer to link to remedies below for download and installation instructions.

The installation process involves shutting down the server software, rebooting all the nodes, and restarting the server software, and so appropriate time needs to be scheduled and allocated to perform this full process.

Dell EMC strongly recommends all customers upgrade at the earliest opportunity.

To schedule platform security patch installation, or to upgrade your server, contact Dell EMC Customer Support at https://support.emc.com/.
Refer to the following KB Articles for Security Update (Rollup) Installation instructions:


Release Notes:
https://support.emc.com/docu98255_Avamar-Platform-OS-Security-Patch-Rollup-2020-Release-Notes.pdf?language=en_US
 

Workarounds & Mitigations

None.

Revision History

Revision  Date        Description
1.0       2021-05-22  Initial Release
1.1       2021-11-03  Updated Product Tagging

Related Information

Affected Products

Avamar, Avamar Client, Avamar Client for VMware, Avamar Client for Windows, Avamar Data Migration Enabler, Avamar Data Store, Avamar Data Store Gen3, Avamar Data Store Gen4, Avamar Data Store Gen4S, Avamar Data Store Gen4T, Avamar Data Transport, Avamar Desktop/Laptop Option, Avamar Extended Retention, Avamar Media Access Node, Avamar Plug-in, Avamar Plug-in for Exchange 2003, Avamar Plug-in for Exchange 2007, Avamar Plug-in for Exchange VSS, Avamar Plug-in for Hyper-V VSS, Avamar Plug-in for IBM DB2, Avamar Plug-in for Lotus Domino, Avamar Plug-in for NDMP, Avamar Plug-in for Oracle, Avamar Plug-in for SAP with Oracle, Avamar Plug-in for SharePoint, Avamar Plug-in for SharePoint VSS, Avamar Plug-in for SQL, Avamar Plug-in for Sybase ASE, Avamar REST API, Avamar Server, Avamar with CloudBoost, Backup & Recovery Manager Avamar, Backup and Recovery Manager NetWorker, PowerProtect Data Protection Software, Integrated Data Protection Appliance Family, PowerProtect Data Protection Hardware, Integrated Data Protection Appliance Software, Multiple Systems Management, NetWorker, NetWorker Series, NetWorker for OpenVMS, NetWorker Management Console, NetWorker Module, NetWorker Module for Databases and Applications, NetWorker Module for MEDITECH, NetWorker Module for Microsoft, NetWorker Module for SAP, NetWorker SnapImage Module, OpenStack Data Protection Extension, Product Security Information, vRealize Data Protection Extension for Avamar, vRealize Data Protection Extension for NetWorker ...
Article Properties
Article Number: 000153707
Article Type: Dell Security Advisory
Last Modified: 25 Nov 2024