DSA-2020-105: Dell EMC Avamar and NetWorker Security Update for Multiple Components



Critical

First published:  15 Apr 2020
Last updated:  29 May 2020

CVE ID(s)

Overview

Severity Rating (CVSS Base Score)

See NVD (http://nvd.nist.gov/) for individual scores for each CVE

Affected products:    

  • Dell EMC Avamar Server hardware appliance Gen4S with versions 7.3 and later running SUSE Linux Enterprise 11 SP1

  • Dell EMC Avamar Server hardware appliance Gen4T with versions 7.3 and later running SUSE Linux Enterprise 11 SP3

  • Dell EMC Avamar Server hardware appliance Gen4S/Gen4T with versions 7.3 and later running SUSE Linux Enterprise 11 SP4

  • Dell EMC Avamar Server hardware appliance Gen4S/Gen4T with versions 19.2 running SUSE Linux Enterprise 12 SP4

  • Dell EMC Avamar Virtual Edition versions 7.3 and later running SUSE Linux Enterprise 11 SP3

  • Dell EMC Avamar Virtual Edition versions 7.3 and later running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments since 7.5.1)

  • Dell EMC Avamar Virtual Edition versions 19.2 and later running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)

  • Dell EMC Avamar NDMP Accelerator 7.3 and later running SUSE Linux Enterprise 11 SP1, SP3 and 12 SP4

  • Dell EMC Avamar VMware Image Proxy versions 7.3 and later running SUSE Linux Enterprise 11 SP1 or SUSE Linux Enterprise 11 SP3

  • Dell EMC Avamar VMware Image Proxy versions 7.5.1 and later running SUSE Linux Enterprise 12 SP1 or SUSE Linux Enterprise 12 SP4

  • Dell EMC NetWorker Virtual Edition (NVE) versions 9.1.x, 9.2.x, 18.x, and later running SUSE Linux Enterprise 11 SP3 or SP4

  • Dell EMC Backup & Recovery Manager (Avamar and NetWorker) versions v1.3 and v1.3.1 running SUSE Linux Enterprise 11 SP3

  • Dell EMC vCloud Director Data Protection Extension versions 2.0.5 and later running SUSE Linux Enterprise 11 SP3

  • Dell EMC Integrated Data Protection Appliance (IDPA) 2.0, 2.1, 2.2, 2.3, 2.4, and 2.5

Note:   
The CVEs remedied by this security update are listed in the Release Notes. The Release Notes list not only the new CVEs remedied by this update, but also all the past CVEs included in this cumulative update.

For Dell EMC Avamar Servers running SUSE Linux Enterprise 11 SP1 or SP3, these OS versions are end of life, so the security update remedies only the CVEs that SUSE remedies and updates some third-party packages, such as JRE and Tomcat. It is recommended to upgrade Avamar servers to SUSE Linux Enterprise 11 SP4 prior to applying the OS Security Update.


Summary:   
Multiple components within Dell EMC Avamar and NetWorker require a security update to address various vulnerabilities.

Details

Severity Disclaimer

For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307. Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.

Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact Dell EMC Software Technical Support at 1-877-534-2867. Dell EMC distributes Dell EMC Security Advisories, in order to bring to the attention of users of the affected Dell EMC products, important security information. Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall Dell EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.

Recommendations

Apply the platform security patch to Avamar software 7.3 and later and to NetWorker Virtual Edition.

The following platform security patch packages are now available to be installed:   

The Security Update for Avamar Virtual Edition and NetWorker Virtual Edition is customer installable. Refer to the links below for download and installation instructions.

The installation process involves shutting down the server software, rebooting all the nodes, and restarting the server software, so schedule and allocate enough time to perform the full process.

Dell EMC strongly recommends all customers upgrade at the earliest opportunity.

To schedule platform security patch installation, or to upgrade your server, contact Dell EMC Customer Support at https://support.emc.com/.

Refer to the following KB Articles for Security Update (Rollup) Installation instructions:   

Read more in the Release Notes: 
