List: full-disclosure
Subject: [FD] DSA-2018-154: Dell EMC Avamar and Integrated Data Protection Appliance Information Exposure Vul
From: <secure () Dell ! com>
Date: 2018-11-20 19:01:16
Message-ID: 2f135d8a8e7f4f85bc81881672de9502 () AUSX13MPS302 ! AMER ! DELL ! COM
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
DSA-2018-154: Dell EMC Avamar and Integrated Data Protection Appliance Information Exposure Vulnerability
Dell EMC Identifier: DSA-2018-154
CVE Identifier: CVE-2018-11076
Severity: High
Severity Rating:
CVSS v3 Base Score: 7.9 (AV:A/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)
Affected products:
Dell EMC Avamar Server 7.2.0 and 7.2.1
Dell EMC Avamar Server 7.3.0 and 7.3.1
Dell EMC Avamar Server 7.4.0 and 7.4.1
Dell EMC Integrated Data Protection Appliance (IDPA) 2.0
Summary:
Dell EMC Avamar and IDPA are affected by an Information Exposure vulnerability that may potentially be exploited by an attacker to compromise the affected systems.
Details:
Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0 and 7.4.1 and Dell EMC Integrated Data Protection Appliance (IDPA) 2.0 are affected by an information exposure vulnerability. The Avamar Java management console's SSL/TLS private key may be leaked in the Avamar Java management client package. The private key could potentially be used by an unauthenticated attacker on the same data-link layer to initiate a MITM attack on management console users.
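The exposure described above is a private key shipped inside a distributed client package. The following is an added example (not Dell EMC's code) of the kind of inventory check a defender can run over any Java client package: it walks a zip/jar archive, including nested jars, and reports members that contain PEM private-key blocks or Java/PKCS#12 keystores. The sample archive is constructed in memory and does not represent the real Avamar package layout.

```python
"""Scan a Java client package (zip/jar) for embedded private-key material.

Added example, not vendor code. Assumes the package is a zip-format archive;
the demo archive below is constructed in memory.
"""
import hashlib
import io
import re
import zipfile

# PEM private-key block markers (PKCS#1, PKCS#8, EC); the key body is not parsed.
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----.*?"
    rb"-----END (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----", re.S)
JKS_MAGIC = b"\xfe\xed\xfe\xed"   # Java KeyStore file header
PKCS12_EXT = (".p12", ".pfx")     # PKCS#12 keystores, identified by extension

def scan_package(data: bytes, nested: bool = True) -> list:
    """Return [(member, kind, sha256)] for every member that looks like key material.
    Nested jars (e.g. lib/*.jar) are descended into when `nested` is True."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            name = info.filename.lower()
            digest = hashlib.sha256(blob).hexdigest()
            if blob[:4] == JKS_MAGIC:
                findings.append((info.filename, "java-keystore", digest))
            elif name.endswith(PKCS12_EXT):
                findings.append((info.filename, "pkcs12-keystore", digest))
            elif PEM_KEY_RE.search(blob):
                findings.append((info.filename, "pem-private-key", digest))
            elif nested and name.endswith((".jar", ".zip")) and blob[:2] == b"PK":
                for member, kind, inner_digest in scan_package(blob, nested):
                    findings.append((info.filename + "!/" + member, kind, inner_digest))
    return findings

def build_sample_package() -> bytes:
    """Constructed demo archive: a harmless class file, a PEM key, and a nested JKS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe" + b"\x00" * 16)
        zf.writestr("conf/console.pem", b"-----BEGIN PRIVATE KEY-----\n"
                    b"MIIEvQIBADANBg...constructed placeholder...\n-----END PRIVATE KEY-----\n")
        inner = io.BytesIO()
        with zipfile.ZipFile(inner, "w") as ijar:
            ijar.writestr("keystore.jks", JKS_MAGIC + b"\x00\x00\x00\x02")
        zf.writestr("lib/helper.jar", inner.getvalue())
    return buf.getvalue()

if __name__ == "__main__":
    for member, kind, digest in scan_package(build_sample_package()):
        print(f"{kind:16} {member}  sha256={digest[:16]}...")
```

Any hit is worth cross-checking against the certificate the management console actually presents; a private key whose public half matches that certificate is the condition this advisory describes.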
Resolution:
The following Dell EMC Avamar hotfixes contain a resolution to address these vulnerabilities for the below affected Avamar releases:
• Dell EMC Avamar Server 7.2.1 – HOTFIX 300431 (Part of Cumulative hotfix 295614)
• Dell EMC Avamar Server 7.3.1 – HOTFIX 300430 (Part of Cumulative hotfix 298951)
• Dell EMC Avamar Server 7.4.1 – HOTFIX 300429 (Part of Cumulative hotfix 300695)
• Dell EMC Integrated Data Protection Appliance (IDPA) 2.0 – HOTFIX 300429 (Part of Cumulative hotfix 300695)
For other affected versions, Dell EMC recommends scheduling an upgrade of the Avamar server to the most recent service pack for the release and applying the appropriate hotfix. For affected IDPA releases, install the appropriate hotfix on the Avamar server directly. Dell EMC recommends all customers apply the hotfix at the earliest opportunity. Refer to KB Article 513978 for instructions on applying the hotfix. Please note that applying the hotfix will restart the Management Console Service. It is recommended to stop backups before applying this hotfix, or to install this hotfix during a maintenance window.
Link to remedies:
Registered Dell EMC Online Support customers can download patches and software from support.emc.com at:
• Dell EMC Avamar Server 7.2.1 – HOTFIX 300431 (Part of Cumulative hotfix 295614)
• Dell EMC Avamar Server 7.3.1 – HOTFIX 300430 (Part of Cumulative hotfix 298951)
• Dell EMC Avamar Server 7.4.1 – HOTFIX 300429 (Part of Cumulative hotfix 300695)
• Dell EMC Integrated Data Protection Appliance (IDPA) 2.0 – HOTFIX 300429 (Part of Cumulative hotfix 300695)
If you have any questions, please contact Dell EMC Support.
Credits:
Dell EMC would like to thank TSS (https://www.dtss.com.au/) for reporting these vulnerabilities.
Severity Rating
For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 468307 (https://support.emc.com/kb/468307). Dell EMC recommends all customers take into account both the base score and any relevant temporal and environmental scores which may impact the potential severity associated with a particular security vulnerability.
Legal Information
Read and use the information in this Dell EMC Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this advisory, contact Dell EMC Technical Support (https://support.emc.com/servicecenter/contactEMC/). Dell EMC distributes Dell EMC Security Advisories in order to bring important security information to the attention of users of the affected Dell EMC products. Dell EMC recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided "as is" without warranty of any kind. Dell EMC disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Dell EMC or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Dell EMC or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.