DSA-2019-201: Dell EMC Avamar and NetWorker Security Update for Multiple Third Component Vulnerabilities


Critical

First published:  18 Dec 2019
Last updated:  18 Dec 2019

CVE ID(s)

Overview

Severity Rating (CVSS Base Score)

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Affected products:  

  • Dell EMC Avamar Server hardware appliance Gen4S with versions 7.3 and later running SUSE Linux Enterprise 11 SP1

  • Dell EMC Avamar Server hardware appliance Gen4T with versions 7.3 and later running SUSE Linux Enterprise 11 SP3

  • Dell EMC Avamar Server hardware appliance Gen4S or Gen4T with versions 7.3 and later running SUSE Linux Enterprise 11 SP4

  • Dell EMC Avamar Virtual Edition versions 7.3 and later running SUSE Linux Enterprise 11 SP3

  • Dell EMC Avamar Virtual Edition versions 7.3 and later running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments since 7.5.1)

  • Dell EMC Avamar Virtual Edition versions 19.2 and later running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)

  • Dell EMC Avamar NDMP Accelerator 7.3 and later running SUSE Linux Enterprise 11 SP1, SP3, and SUSE Linux Enterprise 12 SP4

  • Dell EMC Avamar VMware Image Proxy versions 7.3 and later running SUSE Linux Enterprise 11 SP1 or SUSE Linux Enterprise 11 SP3

  • Dell EMC Avamar VMware Image Proxy versions 7.5.1 and later running SUSE Linux Enterprise 12 SP1

  • Dell EMC NetWorker Virtual Edition (NVE) versions 9.0.x, 9.1.x, 9.2.x, and 18.x and later running SUSE Linux Enterprise 11 SP3 or SP4

  • Dell EMC vCloud Director Data Protection Extension versions 2.0.3 and later running SUSE Linux Enterprise 11 SP3

  • Dell EMC Integrated Data Protection Appliance (IDPA) 2.0, 2.1, 2.2, 2.3, and 2.4


Summary:   
Multiple components within Dell EMC Avamar and NetWorker require a security update to address various vulnerabilities.

Note:   
The CVEs addressed by this security update are listed in the Release Notes. The Release Notes list not only the new CVEs addressed by this update, but all the past CVEs included in this cumulative update.
Dell EMC Avamar Servers running SUSE Linux Enterprise 11 SP1 or SP3 use OS versions that are end of life; for these servers, the security update only addresses CVEs which SUSE addresses and updates some third-party packages, such as JRE and Tomcat. It is recommended to upgrade Avamar servers to SUSE Linux Enterprise 11 SP4 prior to applying the OS Security Update.

Details

Severity Disclaimer

For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307. Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact Dell EMC Software Technical Support at 1-877-534-2867. Dell EMC distributes Dell EMC Security Advisories, in order to bring to the attention of users of the affected Dell EMC products, important security information. Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Recommendations

Apply the platform security patch to Avamar software version 7.3 and later and NetWorker Virtual Edition. The following platform security patch packages are now available to be installed:

Avamar SW:  


SLES11 SP3 or SP4 NVE:   

The Security Update for Avamar Virtual Edition and NetWorker Virtual Edition is customer installable. Refer to Link to Remedies below for download and installation instructions.

Installation for all other Avamar affected products should be performed by qualified Avamar Support Engineers.

The installation process involves shutting down the server software, rebooting all the nodes, and restarting the server software, so appropriate time needs to be scheduled and allocated to perform the full process.

Dell EMC strongly recommends all customers upgrade at the earliest opportunity.

To schedule platform security patch installation, or to upgrade your server, contact Dell EMC Customer Support at https://support.emc.com/.

Refer to the following KB Articles for Security Update (Rollup) Installation instructions:   

Read more in the Release Notes:  
