Security Advisory SYM09-017 Storage Foundation and High Availability Solutions patches for UNIX and Linux

Solution

Overview
Symantec VRTSweb, a shared component shipped with many Symantec Veritas products, is susceptible to a remote code-execution vulnerability. This vulnerability is caused by the improper validation of incoming data over port 14300.

This alert is being issued in conjunction with a Security Advisory, whose details are given at the following location:  
http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091209_00 


Vulnerability Type                 Affected
Remote Access (Adjacent network)   Yes
Local Access                       No
Authentication Required            No
Exploit publicly available         No


Affected versions
The following versions of Storage Foundation and High Availability products on the UNIX and Linux platforms are affected.


Platform       | Symantec Release Version                                  | Remediation Type | Link
AIX            | SF 5.0, SF 5.0 MP1, SF 5.0 MP3                            | Apply patch      | https://vos.symantec.com/patch/detail/2911
HP-UX          | 4.1 HP-UX 11iv2, 4.1 HP-UX 11iv2 MP1, 4.1 HP-UX 11iv2 MP2 | Apply workaround | -
HP-UX          | 5.0 HP-UX 11iv2, 5.0 HP-UX 11iv2 MP1, 5.0 HP-UX 11iv2 MP2 | Apply patch      | https://vos.symantec.com/patch/detail/2976
HP-UX          | 5.0 HP-UX 11iv3                                           | Apply patch      | PHCO_40519*
HP-UX          | 5.0.1 HP-UX 11iv3                                         | Apply patch      | PHCO_40520*
Solaris SPARC  | SF 5.0, SF 5.0 MP1, SF 5.0 MP3                            | Apply patch      | https://vos.symantec.com/patch/detail/2909
Solaris x86    | SF 5.0 MP3                                                | Apply patch      | https://vos.symantec.com/patch/detail/2910
Linux          | SF 4.1, SF 4.1 MP1 - MP4                                  | Apply workaround | -
Linux          | SF 5.0, SF 5.0 MP2, SF 5.0 MP3                            | Apply patch      | https://vos.symantec.com/patch/detail/2943


* Download these patches from  
http://www.itrc.com

Resolution
Fixes are provided in the form of patches and mitigation for various combinations of Symantec releases and platforms, as listed above.  If you are unable to apply the fixes immediately, Symantec strongly recommends implementing the workaround described in the next section as an interim measure.


Mitigation/Workaround
Block all incoming requests on default port 14300 (or the port that has been configured), except the ones that come from localhost/127.0.0.1, to reduce the risk associated with this vulnerability until the recommended fix is applied.

or

Shut down VRTSweb, which will disable Web-UI functionality that depends on it.  To shut down VRTSweb, use the following command on UNIX/Linux:
# /opt/VRTSweb/bin/webgui stop
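One way to implement the port-block workaround above on a Linux host, as an added example that is not part of the advisory: it assumes iptables is the host firewall, that the script runs as root, and that VRTSWEB_PORT (a variable introduced here) holds the configured port when it is not the default 14300.

```shell
#!/bin/sh
# Added example, not part of the advisory: restrict the VRTSweb listener to
# loopback with iptables until the patch can be applied. The port defaults to
# the advisory's 14300; set VRTSWEB_PORT if VRTSweb was reconfigured.
# Assumptions: Linux host, iptables is the host firewall, script runs as root.

VRTSWEB_PORT="${VRTSWEB_PORT:-14300}"

# Emit the intended rules as text for review (or for iptables-restore).
# Order matters: loopback and 127.0.0.1 are accepted before the final DROP.
vrtsweb_rules() {
    printf '%s\n' \
        "-A INPUT -i lo -p tcp --dport $1 -j ACCEPT" \
        "-A INPUT -s 127.0.0.1 -p tcp --dport $1 -j ACCEPT" \
        "-A INPUT -p tcp --dport $1 -j DROP"
}

# Insert the rules at the head of INPUT so they take precedence over any
# broader ACCEPT rules already present. Inserting DROP first, then the two
# ACCEPTs, leaves them in the order shown by vrtsweb_rules.
vrtsweb_apply() {
    iptables -I INPUT 1 -p tcp --dport "$1" -j DROP
    iptables -I INPUT 1 -s 127.0.0.1 -p tcp --dport "$1" -j ACCEPT
    iptables -I INPUT 1 -i lo -p tcp --dport "$1" -j ACCEPT
}

# Report how many INPUT rules mention the port; 3 means the set is in place.
vrtsweb_check() {
    iptables -S INPUT | grep -c -- "--dport $1 "
}

# Only touch the firewall when explicitly asked; otherwise just show the rules.
if [ "${APPLY_VRTSWEB_RULES:-0}" = 1 ]; then
    vrtsweb_apply "$VRTSWEB_PORT" && vrtsweb_check "$VRTSWEB_PORT"
else
    vrtsweb_rules "$VRTSWEB_PORT"
fi
```

Run with APPLY_VRTSWEB_RULES=1 to change the firewall; the rules are not persisted across reboots, so re-apply them from your usual firewall startup until the patch is installed.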

      
Installing the patch

This section describes the steps for installing the patch on the following platforms:

AIX
HP-UX
Linux
Solaris

AIX:

To install the patch

   If the currently installed VRTSweb is below the 5.0.1.0 level, you
   must upgrade VRTSweb to the 5.0.1.0 level before installing this patch.

   AIX maintenance levels and APARs can be downloaded from the
   IBM Web site:

   http://techsupport.services.ibm.com

   1.  Stop any Web applications and shut down the Web server using the command:
       # /opt/VRTSweb/bin/webgui stop
   2.  Install the VRTSweb.rte.bff patch if VRTSweb is already installed at fileset level 5.0.1.0.
   3.  To apply the patch, enter the command:
       # cd <patch location>
       # installp -aXd VRTSweb.rte.bff VRTSweb
   4.  Restart the Web server using the command:
       # /opt/VRTSweb/bin/webgui start


HP-UX:

To install the patch
   1.  Stop any Web applications and shut down the Web server using the command:
       # /opt/VRTSweb/bin/webgui stop
   2.  Install the patch using the command:
       For 5.0 HP-UX 11i v2
       # swinstall -x autoreboot=true -s <patch location> PVCO_03902
       For 5.0 HP-UX 11i v3
       # swinstall -x autoreboot=true -s <patch location> PHCO_40519
       For 5.0.1 HP-UX 11i v3
       # swinstall -x autoreboot=true -s <patch location> PHCO_40520
   3.  Verify that the patch is correctly installed using the command:
       # swverify PVCO_03902
       or
       # swverify PHCO_40519
       or
       # swverify PHCO_40520
   4.  Restart the Web server using the command:
       # /opt/VRTSweb/bin/webgui start
       The About tab of the VRTSweb webgui (https://hostname:8443, where hostname is the server on which the patch is installed) should show the version string 5.5.27.0.


Linux:

To install the patch
   1.  Stop any Web applications and shut down the Web server using the command:
       # /opt/VRTSweb/bin/webgui stop
   2.  Back up the file /opt/VRTSweb/catalina5/server/lib/vrtsserver.jar to another location.
   3.  Remove the file /opt/VRTSweb/catalina5/server/lib/vrtsserver.jar.
   4.  Download the security fix from the location given in the section Affected versions.
   5.  Copy the new vrtsserver.jar file to the directory /opt/VRTSweb/catalina5/server/lib/.
   6.  Restart the Web server using the command:
       # /opt/VRTSweb/bin/webgui start

Solaris:

To install the patch
   1.  Stop any Web applications and shut down the Web server using the command:
       # /opt/VRTSweb/bin/webgui stop
   2.  To install the patch, enter the command:
       # cd <patch location>
       For SPARC
       # patchadd 142627-01
       For x86
       # patchadd 142628-01
   3.  Restart the Web server using the command:
       # /opt/VRTSweb/bin/webgui start

Removing the patch

This section describes the steps for removing the patch.

AIX:
   1.  Stop any Web applications and shut down the Web server using the command:
       # /opt/VRTSweb/bin/webgui stop
   2.  To remove the patch, enter the command:
       # installp -r VRTSweb.rte 5.0.1.1
   3.  Restart the Web server using the command:
       # /opt/VRTSweb/bin/webgui start

HP-UX:
   1.  Stop any Web applications and shut down the Web server using the command:
       # /opt/VRTSweb/bin/webgui stop
   2.  To remove the patch, enter the command:
       For 5.0 HP-UX 11i v2
       # swremove -x autoreboot=true PVCO_03902
       For 5.0 HP-UX 11i v3
       # swremove -x autoreboot=true PHCO_40519
       For 5.0.1 HP-UX 11i v3
       # swremove -x autoreboot=true PHCO_40520
   3.  Restart the Web server using the command:
       # /opt/VRTSweb/bin/webgui start

Linux:
   1.  Stop any Web applications and shut down the Web server using the command:
       # /opt/VRTSweb/bin/webgui stop
   2.  Remove the file /opt/VRTSweb/catalina5/server/lib/vrtsserver.jar.
   3.  Copy the old vrtsserver.jar file that was saved earlier back to the directory /opt/VRTSweb/catalina5/server/lib/.
   4.  Restart the Web server using the command:
       # /opt/VRTSweb/bin/webgui start
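The Linux install and removal procedures (the manual vrtsserver.jar swap and its rollback) as one script, added here and not part of the advisory: it keeps a dated backup, refuses to "patch" with a jar that is identical to the one already installed, and can restore the saved copy. The jar path is the advisory's; NEW_JAR, BACKUP_DIR and RUN_WEBGUI are names assumed for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: the Linux patch and rollback steps
# as functions with a dated backup and an identical-file check, so a stale
# download is not mistaken for the fix. The jar path is the advisory's;
# NEW_JAR, BACKUP_DIR and RUN_WEBGUI are names assumed for this example.

LIB_DIR="${LIB_DIR:-/opt/VRTSweb/catalina5/server/lib}"
BACKUP_DIR="${BACKUP_DIR:-/var/tmp/vrtsweb-backup}"

# True (exit 0) when the two files differ byte for byte.
jar_differs() {
    ! cmp -s "$1" "$2"
}

# Install steps 2, 3 and 5: back up the installed jar, remove it, copy the
# new one in. Prints the backup path on success. Returns 1 on a missing
# file or copy failure, 2 if the "new" jar is identical to the installed
# one. Args: installed jar, new jar, backup dir.
replace_jar() {
    cur="$1"; new="$2"; bdir="$3"
    [ -f "$new" ] || { echo "new jar not found: $new" >&2; return 1; }
    if ! jar_differs "$cur" "$new"; then
        echo "$new is identical to the installed jar; nothing to do" >&2
        return 2
    fi
    mkdir -p "$bdir" || return 1
    bak="$bdir/vrtsserver.jar.$(date +%Y%m%d%H%M%S)"
    cp -p "$cur" "$bak" || return 1
    rm -f "$cur" && cp "$new" "$cur" || return 1
    printf '%s\n' "$bak"
}

# Removal steps 2 and 3: put the saved jar back over the installed one.
# Args: installed jar path, backup path.
restore_jar() {
    cp -p "$2" "$1"
}

# Only run the live procedure when asked; webgui stop/start bracket the swap
# exactly as the advisory's steps 1 and 6 do.
if [ "${RUN_WEBGUI:-0}" = 1 ]; then
    /opt/VRTSweb/bin/webgui stop
    replace_jar "$LIB_DIR/vrtsserver.jar" "$NEW_JAR" "$BACKUP_DIR"
    /opt/VRTSweb/bin/webgui start
fi
```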
Solaris:
   1.  Stop any Web applications and shut down the Web server using the command:
       # /opt/VRTSweb/bin/webgui stop
   2.  To remove the patch, enter the command:
       For SPARC
       # patchrm 142627-01
       For x86
       # patchrm 142628-01
   3.  Restart the Web server using the command:
       # /opt/VRTSweb/bin/webgui start



Best Practices:
Symantec strongly recommends the following best practices:
1. Always perform a full backup prior to and after any changes to your environment.
2. Always make sure that your environment is running the latest version and patch level.
3. Perform periodic "test" restores.
4. Subscribe to technical articles.

How to Subscribe to Email Notification:

Article Subscription:
Subscribe to this TechNote for any updates that are made to this article, by clicking on the following link: http://maillist.support.veritas.com/notification.asp?doc=337930

Software Alerts:
If you have not received this from the Symantec Technical Support Email Notification Service, please click on the following link to subscribe to future Notifications: http://maillist.entsupport.symantec.com/subscribe.asp



