Security Advisory SYM09-017 Veritas Cluster Server Management Console 5.x patch for Linux, Solaris and Windows

  • Article ID:100022448

Problem

Security Advisory SYM09-017 Veritas Cluster Server Management Console 5.x patch for Linux, Solaris and Windows

Solution

Overview
Veritas VRTSweb, a shared component shipped with many Veritas products, is susceptible to a remote code-execution vulnerability. This vulnerability is caused by the improper validation of incoming data over port 14300.

Other Veritas products outside of the VCS family are also affected. This alert is being issued in conjunction with a Security Advisory, whose details are given at the following location:
  https://www.veritas.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091209_00


 
Vulnerability Type                  Affected
Remote Access (Adjacent network)    Yes
Local Access                        No
Authentication Required             No
Exploit publicly available          No


Affected versions
Veritas Cluster Server Management Console version 5.1, 5.5, and 5.5.1 on the Linux, Solaris, and Windows platforms.

Files affected by this patch
 
Operating System                             Files
Linux and Solaris                            /opt/VRTScmcm/VRTSweb/catalina5/server/lib/vrtsserver.jar
Windows - VCS Mgmt. Console 5.1              C:\Program Files\VERITAS\VRTSweb\catalina5\server\lib\vrtsserver.jar
Windows - VCS Mgmt. Console 5.1 and 5.5.1    C:\Program Files\veritas\VRTScmcm\VRTSweb\catalina5\server\lib\vrtsserver.jar



Resolution
This issue is formally resolved with the following patches:

Solaris:  https://sort.veritas.com/patch/detail/2790
Linux:    https://sort.veritas.com/patch/detail/2789
Windows:  https://sort.veritas.com/patch/detail/2764

Veritas strongly recommends applying the patches as soon as possible. If the patch for your environment cannot be applied at this time, Veritas strongly recommends implementing the Workaround described in the next section.

For instructions about installing this patch, see the section "Installing the Patch" in the README.  

Mitigation/Workaround

Block all incoming requests on default port 14300 (or the port that has been configured), except the ones that come from localhost/127.0.0.1, to reduce the risk associated with this vulnerability until the recommended fix is applied.


or


Shut down VRTSweb, which will disable web-UI functionality that depends on it. To shut down VRTSweb, use the following commands:
UNIX/Linux:  /opt/VRTSweb/bin/webgui stop
Windows:  From the cmd shell:  service vrtsweb stop
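
One way to confirm that the first workaround is in effect on a Linux host, as an added example that is not part of the original advisory. It assumes the host firewall is iptables (the advisory names no firewall product); `remote_verdict` and `SAMPLE_RULES` are names chosen for this example, and only the match options handled in the code are modelled.

```shell
#!/bin/sh
# Added example (not from the advisory). Reads `iptables -S INPUT` output on
# stdin and prints what happens to a NEW TCP connection to PORT from a remote,
# non-loopback host: ACCEPT, DROP, REJECT, or UNKNOWN when a rule uses a match
# that is not modelled here.
# Usage: iptables -S INPUT | remote_verdict 14300
remote_verdict() {
    awk -v port="$1" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" || decided { next }
    {
        hit = 1; unsure = 0; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-m") i++                     # skip the module name
            else if ($i == "-p") { if ($(++i) != "tcp" && $i != "all") hit = 0 }
            else if ($i == "--dport") {             # single port or first:last
                n = split($(++i), r, ":")
                if (port < r[1] + 0 || port > r[n] + 0) hit = 0
            }
            else if ($i == "-i") { if ($(++i) == "lo") hit = 0; else unsure = 1 }
            else if ($i == "-s") {
                if ($(++i) ~ /^127\./) hit = 0      # loopback-only rule
                else if ($i != "0.0.0.0/0") unsure = 1
            }
            else if ($i == "--ctstate" || $i == "--state") { if ($(++i) !~ /NEW/) hit = 0 }
            else if ($i == "-j") { target = $(++i); break }
            else unsure = 1                         # unmodelled match option
        }
        if (!hit || target == "LOG") next           # rule does not decide this packet
        verdict = (unsure || target !~ /^(ACCEPT|DROP|REJECT)$/) ? "UNKNOWN" : target
        decided = 1
    }
    END { print (decided ? verdict : (policy != "" ? policy : "UNKNOWN")) }'
}

# Constructed sample ruleset: loopback allowed, port 14300 dropped for everyone else.
SAMPLE_RULES='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 14300 -j DROP'
```

A result of ACCEPT means remote hosts can still reach the port, for example because only a loopback ACCEPT rule was added under an ACCEPT policy, or because a broader ACCEPT rule precedes the DROP.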



Installing the patch on Linux and Solaris
1. Stop VCS Management Console using the following command:
# /opt/VRTScmcm/bin/vxcmcweb stop
2. Back up the file /opt/VRTScmcm/VRTSweb/catalina5/server/lib/vrtsserver.jar to another location.
3. Remove the file /opt/VRTScmcm/VRTSweb/catalina5/server/lib/vrtsserver.jar.
4. Copy the new vrtsserver.jar file to the /opt/VRTScmcm/VRTSweb/catalina5/server/lib/ directory.
5. Start VCS Management Console using the following command:
# /opt/VRTScmcm/bin/vxcmcweb start
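
The five steps above as a single POSIX sh function, added here as an example and not taken from the patch README. It checks its inputs before the console is stopped, verifies the backup and the copy byte for byte, and restores the old jar if the copy fails. The function name, its arguments and `JAR_BACKUP` are names chosen for this example; `CMC_HOME` defaults to the install path given in this advisory.

```shell
#!/bin/sh
# Added example: scripted form of the Linux/Solaris patch steps.
CMC_HOME="${CMC_HOME:-/opt/VRTScmcm}"

# Usage (as root): swap_vrtsserver_jar /path/to/new/vrtsserver.jar /path/to/backup/dir
swap_vrtsserver_jar() {
    new_jar=$1
    backup_dir=$2
    ctl="$CMC_HOME/bin/vxcmcweb"
    target="$CMC_HOME/VRTSweb/catalina5/server/lib/vrtsserver.jar"

    # Check every input before the console is stopped.
    [ -s "$new_jar" ]    || { echo "new jar missing or empty: $new_jar" >&2; return 2; }
    [ -f "$target" ]     || { echo "installed jar not found: $target" >&2; return 2; }
    [ -d "$backup_dir" ] || { echo "backup directory not found: $backup_dir" >&2; return 2; }
    if cmp -s "$new_jar" "$target"; then
        echo "installed jar already matches $new_jar; nothing to do"
        return 0
    fi

    # Timestamped name so an earlier backup is never overwritten.
    JAR_BACKUP="$backup_dir/vrtsserver.jar.$(date +%Y%m%d%H%M%S)"

    "$ctl" stop || return 3                                        # step 1
    if ! cp -p "$target" "$JAR_BACKUP" || ! cmp -s "$target" "$JAR_BACKUP"; then
        echo "backup failed; installed jar left untouched" >&2     # step 2 failed
        "$ctl" start
        return 4
    fi
    rm -f "$target"                                                # step 3
    if ! cp "$new_jar" "$target" || ! cmp -s "$new_jar" "$target"; then
        echo "copy failed; restoring $JAR_BACKUP" >&2              # step 4 failed
        cp -p "$JAR_BACKUP" "$target"
        "$ctl" start
        return 5
    fi
    "$ctl" start                                                   # step 5
}
```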

Installing the patch on Windows for VCS Management Console 5.1
1. Stop VCS Management Console by typing the following command in a command window:
run "net stop cmcweb"
2. Back up the file C:\Program Files\VERITAS\VRTSweb\catalina5\server\lib\vrtsserver.jar to another location.
3. Delete the file C:\Program Files\VERITAS\VRTSweb\catalina5\server\lib\vrtsserver.jar.
4. Copy the new vrtsserver.jar file to the C:\Program Files\VERITAS\VRTSweb\catalina5\server\lib\ directory.
5. Start VCS Management Console by typing the following command in a command window:
run "net start cmcweb"

Installing the patch on Windows for VCS Management Console 5.5 and 5.5.1
1. Stop VCS Management Console by typing the following command in a command window:
run "net stop cmcweb"
2. Back up the file C:\Program Files\veritas\VRTScmcm\VRTSweb\catalina5\server\lib\vrtsserver.jar to another location.
3. Delete the file C:\Program Files\veritas\VRTScmcm\VRTSweb\catalina5\server\lib\vrtsserver.jar.
4. Copy the new vrtsserver.jar file to the C:\Program Files\veritas\VRTScmcm\VRTSweb\catalina5\server\lib\ directory.
5. Start VCS Management Console by typing the following command in a command window:
run "net start cmcweb"


Best Practices:

Veritas strongly recommends the following best practices:

1. Always perform a full backup prior to and after any changes to your environment.

2. Always make sure that your environment is running the latest version and patch level.

3. Perform periodic "test" restores.
4. Subscribe to technical articles.



How to Subscribe to Email Notification:


Article Subscription:
Subscribe to this article for any updates that are made to this article, by clicking on the following link:     https://maillist.support.veritas.com/notification.asp?doc=336988


Software Alerts:
If you have not received this from the Veritas Technical Support Email Notification Service, please click on the following link to subscribe to future Notifications:  

 




