Headline
CVE-2021-36317: DSA-2021-204: Dell EMC Avamar, Dell EMC NetWorker Virtual Edition (NVE), and Dell EMC PowerProtect DP Series Appliance or Dell EMC Integrated Data Protection Appliance (IDPA) Security Update for Multi
Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller. A local attacker could potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
Vaikutus
Critical
Tiedot
Proprietary Code CVEs
Description
CVSSBase Score
CVSS Vector String
CVE-2021-36316
Dell EMC Avamar Server versions 18.2, 19.1, 19.2, 19.3, and 19.4 contain an improper privilege management vulnerability in AUI. A malicious user with high privileges may potentially exploit this vulnerability, leading to the disclosure of the AUI information and performing some unauthorized operation on the AUI.
6.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
CVE-2021-36317
Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller. A local attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
6.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36318
Dell EMC Avamar versions 18.2,19.1,19.2,19.3, and 19.4 contain a plain-text password storage vulnerability. A high privileged user may potentially exploit this vulnerability, leading to a complete outage.
6.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Proprietary Code CVEs
Description
CVSSBase Score
CVSS Vector String
CVE-2021-36316
Dell EMC Avamar Server versions 18.2, 19.1, 19.2, 19.3, and 19.4 contain an improper privilege management vulnerability in AUI. A malicious user with high privileges may potentially exploit this vulnerability, leading to the disclosure of the AUI information and performing some unauthorized operation on the AUI.
6.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
CVE-2021-36317
Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller. A local attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.
6.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36318
Dell EMC Avamar versions 18.2,19.1,19.2,19.3, and 19.4 contain a plain-text password storage vulnerability. A high privileged user may potentially exploit this vulnerability, leading to a complete outage.
6.7
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Dell Technologies suosittelee, että kaikki asiakkaat ottavat huomioon sekä CVSS-peruspistemäärän että kaikki asiaankuuluvat väliaikaiset ja ympäristöön liittyvät pisteet, jotka voivat vaikuttaa tietyn tietoturvahaavoittuvuuden mahdolliseen vakavuuteen.
Tuotteet, joihin asia vaikuttaa ja tilanteen korjaaminen
CVEs Addressed
Product
Affected Versions
Updated Versions
Link to Update
CVE-2021-36316
Dell EMC Avamar Server
18.2
18.2.x
329036
19.1
19.1.x
329037
19.2
19.2.x
329038
19.3
19.3.x
331250
19.4
19.4.x
332282
Dell EMC PowerProtectData Protection Appliance (IDPA)
2.3
2.3.x
329036
2.4.x
2.4.x
2.5
2.5.x
329037
2.6.x
2.6.x
331250
2.7
2.7.x
332282
CVE-2021-36317
Dell EMC Avamar Server
19.4
19.4.x
332282
Dell EMC PowerProtect Data Protection Appliance (IDPA)
2.7
2.7.x
CVE-2021-36318
Dell EMC Avamar Server
18.2
18.2.x
332796
19.1
19.1.x
332795
19.2
19.2.x
332793
19.3
19.3.x
332792
19.4
19.4.x
333252
Dell EMC PowerProtect Data Protection Appliance (IDPA)
2.3
2.3.x
332796
2.4.x
2.4.x
2.5
2.5.x
332795
2.6.x
2.6.x
332792
2.7
2.7.x
333252
Multiple Third-Party Components
See Release Notes
Dell EMC Avamar Server Hardware Appliance Gen4S or Gen4T
Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4
Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4
AvPlatformOsRollup_2021-R2-v2.avp
Version 19.2 running SUSE Linux Enterprise 12 SP4
Version 19.2.x running SUSE Linux Enterprise 12 SP4
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5
Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
Dell EMC Avamar Virtual Edition
Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments)
Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments)
AvPlatformOsRollup_2021-R2-v2.avp
Version 19.2 running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)
Version 19.2.x running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments)
Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments)
Dell EMC Avamar NDMP Accelerator
Version 18.2, 19.1, 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 11 SP4
Version 18.2.x, 19.1.x, 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 11 SP4
Version 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 12 SP4
Version 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 12 SP4
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5
Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
Dell EMC Avamar VMware Image Proxy
Version 18.2 and 19.1 running SUSE Linux Enterprise 12 SP1
Version 18.2.x and 19.1.x running SUSE Linux Enterprise 12 SP1
Avamar Proxy Bundle 2021-R2-v2
Version 19.2 and 19.3 running SUSE Linux Enterprise 12 SP4
Version 19.2.x and 19.3.x running SUSE Linux Enterprise 12 SP4
Version 19.4 running SUSE Linux SUSE Linux Enterprise 12 SP5
Version 19.4.x running SUSE Linux SUSE Linux Enterprise 12 SP5
Dell EMC NetWorker Virtual Edition (NVE)
Version 19.1, 19.2, and 19.3 running SUSE Linux Enterprise 11 SP4
Version 19.1.x, 19.2.x, and 19.3.x running SUSE Linux Enterprise 11 SP4
NvePlatformOsRollup_2021-R2-v2.avp
Version 19.4 and 19.5 running SUSE Linux Enterprise 12 SP5
Version 19.4.x and 19.5.x running SUSE Linux Enterprise 12 SP5
Dell EMC PowerProtect DP Series Appliance / Dell EMC Integrated Data Protection Appliance (IDPA)
2.3
2.3.x
AvPlatformOsRollup_2021-R2-v2.avp
2.4.x
2.4.x
2.5
2.5.x
2.6.x
2.6.x
2.7
2.7.x
Note:
The updated version is the version listed in the Updated Versions column applied with the OS rollup 2021-R2 or the latest OS rollup.
For CVE-2021-36316, CVE-2021-36317, and CVE-2021-36318, see KB article 69982: How to install an Avamar .avp hotfix using Avamar Installer (AVI) for instructions on applying the hotfix. It is recommended to schedule this activity.
See the following KB articles for Security Update (Rollup) Installation instructions:
- KB 169784: Avamar Virtual Edition: How to Install the Avamar Platform Security Rollup for Avamar Virtual Edition.
- KB 52627: NetWorker Virtual Edition (NVE) : How to Install the Platform Security Rollup for NetWorker Virtual Edition.
- KB 77959: Avamar Server, Avamar Proxy, Avamar NDMP Accelerator: How to install the Avamar Platform Security Rollup from the command line for installing the latest Avamar Platform Security Rollup on the Avamar Proxy.
To schedule platform security patch installation or to upgrade your server, contact Dell EMC Customer Support at https://support.emc.com/.
CVEs Addressed
Product
Affected Versions
Updated Versions
Link to Update
CVE-2021-36316
Dell EMC Avamar Server
18.2
18.2.x
329036
19.1
19.1.x
329037
19.2
19.2.x
329038
19.3
19.3.x
331250
19.4
19.4.x
332282
Dell EMC PowerProtectData Protection Appliance (IDPA)
2.3
2.3.x
329036
2.4.x
2.4.x
2.5
2.5.x
329037
2.6.x
2.6.x
331250
2.7
2.7.x
332282
CVE-2021-36317
Dell EMC Avamar Server
19.4
19.4.x
332282
Dell EMC PowerProtect Data Protection Appliance (IDPA)
2.7
2.7.x
CVE-2021-36318
Dell EMC Avamar Server
18.2
18.2.x
332796
19.1
19.1.x
332795
19.2
19.2.x
332793
19.3
19.3.x
332792
19.4
19.4.x
333252
Dell EMC PowerProtect Data Protection Appliance (IDPA)
2.3
2.3.x
332796
2.4.x
2.4.x
2.5
2.5.x
332795
2.6.x
2.6.x
332792
2.7
2.7.x
333252
Multiple Third-Party Components
See Release Notes
Dell EMC Avamar Server Hardware Appliance Gen4S or Gen4T
Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4
Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4
AvPlatformOsRollup_2021-R2-v2.avp
Version 19.2 running SUSE Linux Enterprise 12 SP4
Version 19.2.x running SUSE Linux Enterprise 12 SP4
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5
Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
Dell EMC Avamar Virtual Edition
Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments)
Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments)
AvPlatformOsRollup_2021-R2-v2.avp
Version 19.2 running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)
Version 19.2.x running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments)
Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments)
Dell EMC Avamar NDMP Accelerator
Version 18.2, 19.1, 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 11 SP4
Version 18.2.x, 19.1.x, 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 11 SP4
Version 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 12 SP4
Version 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 12 SP4
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5
Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
Dell EMC Avamar VMware Image Proxy
Version 18.2 and 19.1 running SUSE Linux Enterprise 12 SP1
Version 18.2.x and 19.1.x running SUSE Linux Enterprise 12 SP1
Avamar Proxy Bundle 2021-R2-v2
Version 19.2 and 19.3 running SUSE Linux Enterprise 12 SP4
Version 19.2.x and 19.3.x running SUSE Linux Enterprise 12 SP4
Version 19.4 running SUSE Linux SUSE Linux Enterprise 12 SP5
Version 19.4.x running SUSE Linux SUSE Linux Enterprise 12 SP5
Dell EMC NetWorker Virtual Edition (NVE)
Version 19.1, 19.2, and 19.3 running SUSE Linux Enterprise 11 SP4
Version 19.1.x, 19.2.x, and 19.3.x running SUSE Linux Enterprise 11 SP4
NvePlatformOsRollup_2021-R2-v2.avp
Version 19.4 and 19.5 running SUSE Linux Enterprise 12 SP5
Version 19.4.x and 19.5.x running SUSE Linux Enterprise 12 SP5
Dell EMC PowerProtect DP Series Appliance / Dell EMC Integrated Data Protection Appliance (IDPA)
2.3
2.3.x
AvPlatformOsRollup_2021-R2-v2.avp
2.4.x
2.4.x
2.5
2.5.x
2.6.x
2.6.x
2.7
2.7.x
Note:
The updated version is the version listed in the Updated Versions column applied with the OS rollup 2021-R2 or the latest OS rollup.
For CVE-2021-36316, CVE-2021-36317, and CVE-2021-36318, see KB article 69982: How to install an Avamar .avp hotfix using Avamar Installer (AVI) for instructions on applying the hotfix. It is recommended to schedule this activity.
See the following KB articles for Security Update (Rollup) Installation instructions:
- KB 169784: Avamar Virtual Edition: How to Install the Avamar Platform Security Rollup for Avamar Virtual Edition.
- KB 52627: NetWorker Virtual Edition (NVE) : How to Install the Platform Security Rollup for NetWorker Virtual Edition.
- KB 77959: Avamar Server, Avamar Proxy, Avamar NDMP Accelerator: How to install the Avamar Platform Security Rollup from the command line for installing the latest Avamar Platform Security Rollup on the Avamar Proxy.
To schedule platform security patch installation or to upgrade your server, contact Dell EMC Customer Support at https://support.emc.com/.
Versiohistoria
Revision
Date
Description
1.0
2021-11-9
Initial Release
1.1
2021-12-6
Minor update to Affected Products and Remediation table. Added .x to end of versions
1.2
2022-01-19
Minor update to Affected Products and Remediation table. Added .x to end of versions
Asiaan liittyvät tiedot
Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide
Avamar, NetWorker Family, Avamar, Avamar Plug-in for NDMP, Avamar Server, Avamar Virtual Edition, PowerProtect Data Protection Software, Integrated Data Protection Appliance Family, PowerProtect Data Protection HardwareNäytä lisää
19 tammik. 2022
Related news
Gentoo Linux Security Advisory 202210-9 - Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service. Versions less than 1.63.0-r1 are affected.
Gentoo Linux Security Advisory 202210-9 - Multiple vulnerabilities have been discovered in Rust, the worst of which could result in denial of service. Versions less than 1.63.0-r1 are affected.