[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ESA-2016-072: EMC NetWorker Remote Code Execution Vulnerability

To: "'bugtraq@xxxxxxxxxxxxxxxxx'" <bugtraq@xxxxxxxxxxxxxxxxx>, "'dm@xxxxxxxxxxxxxxxxx'" <dm@xxxxxxxxxxxxxxxxx>
Subject: ESA-2016-072: EMC NetWorker Remote Code Execution Vulnerability
From: Security Alert <Security_Alert@xxxxxxx>
Date: Wed, 8 Jun 2016 19:21:43 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ESA-2016-072: EMC NetWorker Remote Code Execution Vulnerability

EMC Identifier: ESA-2016-072
CVE Identifier: CVE-2016-0916
Severity Rating: CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) 


Affected products:  
EMC NetWorker 8.2.1.0 and all versions after  

Summary:  
EMC NetWorker contains a fix for a remote code execution vulnerability that 
could potentially be exploited by malicious users to compromise NetWorker 
systems. 
Details: 
A remote attacker from a NetWorker instance may execute commands, 
unauthenticated, on another NetWorker instance due to an unsafe authentication 
mechanism. 

Resolution:  
The following EMC NetWorker release contains resolutions to these 
vulnerabilities:
?       EMC NetWorker version 8.2.2.6
?       EMC NetWorker version 8.2.3
?       EMC Networker version  9.0.0.6

EMC recommends all customers upgrade to one of the versions mentioned above at 
the earliest opportunity. 

Link to remedies:

Customers can download software from two different locations:
https://support.emc.com/downloads/1095_NetWorker



Read and use the information in this EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact EMC Software 
Technical Support at 1-877-534-2867.

For an explanation of Severity Ratings, refer to EMC Knowledgebase solution 
emc218831. EMC recommends all customers take into account both the base score 
and any relevant temporal and environmental scores which may impact the 
potential severity associated with particular security vulnerability.

EMC recommends that all users determine the applicability of this information 
to their individual situations and take appropriate action. The information set 
forth herein is provided "as is" without warranty of any kind. EMC disclaims 
all warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement. 
In no event, shall EMC or its suppliers, be liable for any damages whatsoever 
including direct, indirect, incidental, consequential, loss of business profits 
or special damages, even if EMC or its suppliers have been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages, so the 
foregoing limitation may not apply.


EMC Product Security Response Center
security_alert@xxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (Cygwin)

iEYEARECAAYFAldYb98ACgkQtjd2rKp+ALx6VQCggMcR90kvL5XH3aDe/AoEwO0w
lwsAoMSzbQwZE4Z8oxp+7tOkk5IlqC2n
=d6dG
-----END PGP SIGNATURE-----

Prev by Date: [security bulletin] HPSBMU03614 rev.1 - HPE Systems Insight Manager using Samba, Multiple Remote Vulnerabilities
Next by Date: ESA-2016-064: EMC Data Domain Information Disclosure Vulnerability
Previous by thread: [security bulletin] HPSBMU03614 rev.1 - HPE Systems Insight Manager using Samba, Multiple Remote Vulnerabilities
Next by thread: ESA-2016-064: EMC Data Domain Information Disclosure Vulnerability
Index(es):
- Date
- Thread