List: bugtraq
Subject: ESA-2013-072: EMC NetWorker Information Disclosure Vulnerability
From: Security Alert <Security_Alert () emc ! com>
Date: 2013-10-29 11:03:46
Message-ID: 37F0BE0896DB1544B5BEFBE34F79D05330FA7D25 () MX103CL01 ! corp ! emc ! com
["ESA-2013-072.txt" (text/plain)]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2013-072: EMC NetWorker Information Disclosure Vulnerability
EMC Identifier: ESA-2013-072
EMC Identifier: NW152441
CVE Identifier: CVE-2013-3285
Severity Rating: CVSS v2 Base Score: 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
Affected products:
EMC NetWorker version 8.0.x
Summary:
A vulnerability exists in EMC NetWorker that could allow exposure of sensitive information under specific circumstances.
Details:
When the NetWorker Management Console (NMC) is configured to use Active Directory/LDAP for user authentication through NMC administration GUI, an authenticated user may be able to see the AD/LDAP administrator password in clear text within certain NMC audit reports or by querying the NetWorker RAP resource.
Resolution:
To address this issue, customers must perform the following steps:
1. Upgrade the NetWorker server and NMC server software to the following versions:
• EMC NetWorker 8.0.2.3 and above
• EMC NetWorker 8.1 and above
2. Change existing Active Directory/LDAP Administrator password to mitigate the exposure.
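The two resolution steps can be tracked per server with a small triage script. This is an added example, not EMC's code: the inventory fields, host names and dates are constructed, and it assumes the password change only counts once the server has left an affected build.

```python
from datetime import date

FIXED_8_0 = (8, 0, 2, 3)  # first fixed 8.0.x release named in the advisory

def parse_version(text):
    """'8.0.2' -> (8, 0, 2, 0); raises ValueError on non-numeric fields."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))

def version_status(text):
    """Classify a version against the advisory's affected and fixed ranges."""
    v = parse_version(text)
    if v[:2] == (8, 0):
        return "fixed" if v >= FIXED_8_0 else "affected"
    return "fixed" if v >= (8, 1, 0, 0) else "not_listed"

def remaining_steps(row):
    """Return the resolution steps still open for one inventory row."""
    if version_status(row["version"]) == "affected":
        return ["upgrade", "rotate_ldap_admin_password"]
    # Assumption: a password changed while an affected build was still
    # running may have been exposed again, so it must postdate the upgrade.
    left_affected = row.get("left_affected_on")  # None: never ran an affected build
    changed = row.get("password_changed_on")
    if left_affected and (changed is None or changed < left_affected):
        return ["rotate_ldap_admin_password"]
    return []

# Constructed inventory (hypothetical hosts and dates).
INVENTORY = [
    {"host": "nw-a", "version": "8.0.1.4"},
    {"host": "nw-b", "version": "8.0.2.3",
     "left_affected_on": date(2013, 11, 4), "password_changed_on": date(2013, 9, 12)},
    {"host": "nw-c", "version": "8.1.0.1",
     "left_affected_on": date(2013, 11, 4), "password_changed_on": date(2013, 11, 5)},
    {"host": "nw-d", "version": "7.6.5"},
]

def report(rows=INVENTORY):
    """Map each host to the steps it still needs."""
    return {r["host"]: remaining_steps(r) for r in rows}

if __name__ == "__main__":
    for host, steps in report().items():
        print(host, ", ".join(steps) or "done")
```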
Link to remedies:
Registered EMC Online Support customers can download software from support.emc.com.
Select “Support by Product” and type “NetWorker” (Direct link NetWorker). From this page select “Downloads”, “Documentation” or “Advisories” as required.
Read and use the information in this EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact EMC Software Technical Support at 1-877-534-2867.
For an explanation of Severity Ratings, refer to EMC Knowledgebase solution emc218831. EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.
EMC Corporation distributes EMC Security Advisories, in order to bring to the attention of users of the affected EMC products, important security information. EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event, shall EMC or its suppliers, be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)
iEYEARECAAYFAlJvlVYACgkQtjd2rKp+ALw4QACgpKz23+Q2N5ytkMBfqY93DeFl
qzwAoIC3qg6qGEIWnCygk7olvASgciX6
=c935
-----END PGP SIGNATURE-----