Security Advisory SYM09-017 Storage Foundation and High Availability Solutions patches for UNIX and Linux

  • Article ID: 100022614

Problem

Security Advisory SYM09-017 Storage Foundation and High Availability Solutions patches for UNIX and Linux

Solution

Overview
Veritas VRTSweb, a shared component shipped with many Veritas products, is susceptible to a remote code-execution vulnerability. The vulnerability is caused by improper validation of incoming data received over port 14300.

This alert is being issued in conjunction with a Security Advisory, whose details are given at the following location:  
https://www.veritas.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091209_00 


| Vulnerability Type               | Affected |
|----------------------------------|----------|
| Remote Access (Adjacent network) | Yes      |
| Local Access                     | No       |
| Authentication Required          | No       |
| Exploit publicly available       | No       |


Affected versions
The following versions of Storage Foundation and High Availability products on the UNIX and Linux platforms are affected.


| Platform      | Veritas Release Version                                     | Remediation Type | Link                                       |
|---------------|-------------------------------------------------------------|------------------|--------------------------------------------|
| AIX           | SF 5.0, SF 5.0 MP1, SF 5.0 MP3                              | Apply patch      | https://sort.veritas.com/patch/detail/2911 |
| HP-UX         | 4.1 HP-UX 11iv2, 4.1 HP-UX 11iv2 MP1, 4.1 HP-UX 11iv2 MP2   | Apply workaround |                                            |
| HP-UX         | 5.0 HP-UX 11iv2, 5.0 HP-UX 11iv2 MP1, 5.0 HP-UX 11iv2 MP2   | Apply patch      | https://sort.veritas.com/patch/detail/2976 |
| HP-UX         | 5.0 HP-UX 11iv3                                             | Apply patch      | PHCO_40519*                                |
| HP-UX         | 5.0.1 HP-UX 11iv3                                           | Apply patch      | PHCO_40520*                                |
| Solaris SPARC | SF 5.0, SF 5.0 MP1, SF 5.0 MP3                              | Apply patch      | https://sort.veritas.com/patch/detail/2909 |
| Solaris x86   | SF 5.0 MP3                                                  | Apply patch      | https://sort.veritas.com/patch/detail/2910 |
| Linux         | SF 4.1, SF 4.1 MP1 - MP4                                    | Apply workaround |                                            |
| Linux         | SF 5.0, SF 5.0 MP2, SF 5.0 MP3                              | Apply patch      | https://sort.veritas.com/patch/detail/2943 |


* Download these patches from https://www.itrc.com

Resolution
Fixes are provided in the form of patches and mitigation for various combinations of Veritas releases and platforms, as listed above.  If you are unable to apply the fixes immediately, Veritas strongly recommends implementing the workaround described in the next section as an interim measure.


Mitigation/Workaround
Block all incoming requests on default port 14300 (or the port that has been configured), except the ones that come from localhost/127.0.0.1, to reduce the risk associated with this vulnerability until the recommended fix is applied.

or

Shut down VRTSweb, which disables the Web UI functionality that depends on it.  To shut down VRTSweb, run the following command on UNIX/Linux:
# /opt/VRTSweb/bin/webgui stop

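One way to implement the port-blocking workaround on a Linux host, added here as an example and not part of the Veritas advisory: it assumes iptables is available and that VRTSweb listens on TCP port 14300 unless another port was configured (pass that port as the argument). Only loopback traffic reaches the port; every other source is dropped until the patch is in place.

```shell
#!/bin/sh
# Added example, not from the Veritas advisory: drop every TCP connection to the
# VRTSweb port unless it arrives on the loopback interface (localhost/127.0.0.1).
# Assumes Linux with iptables; the port defaults to 14300.

# Accept only a plausible TCP port number (1-65535); return 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the rule that implements the workaround. Inserting at position 1 puts
# it ahead of any broad ACCEPT rule already in the INPUT chain, so it takes
# effect regardless of the existing policy.
vrtsweb_block_rule() {
    valid_port "$1" || return 1
    printf 'iptables -I INPUT 1 -p tcp --dport %s ! -i lo -j DROP\n' "$1"
}

# Apply the rule unless an identical one already exists (iptables -C exits 0
# when the rule is present), so running this twice does not stack duplicates.
vrtsweb_apply_block() {
    port="${1:-14300}"
    valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
    if iptables -C INPUT -p tcp --dport "$port" ! -i lo -j DROP 2>/dev/null; then
        echo "rule for port $port already present"
        return 0
    fi
    iptables -I INPUT 1 -p tcp --dport "$port" ! -i lo -j DROP
}

# Remove the rule again once the vendor patch has been installed.
vrtsweb_remove_block() {
    port="${1:-14300}"
    valid_port "$port" || return 1
    iptables -D INPUT -p tcp --dport "$port" ! -i lo -j DROP
}
```

Run `vrtsweb_block_rule 14300` first to review the rule text, then `vrtsweb_apply_block` as root to apply it; the rule is not persisted across reboots unless your distribution's iptables-save mechanism is used.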
Installing the patch

This section describes the steps for installing the patch on the following platforms:

AIX
HP-UX
Linux
Solaris

AIX:

Before installing the patch

   If the currently installed VRTSweb is below the 5.0.1.0 level, you must upgrade VRTSweb to the 5.0.1.0 level before installing this patch.

   AIX maintenance levels and APARs can be downloaded from the IBM Web site:
   https://techsupport.services.ibm.com

   Install the VRTSweb.rte.bff patch if VRTSweb is already installed at fileset level 5.0.1.0.


To install the patch
1.      Stop any Web applications and shut down the Web server using the command:
# /opt/VRTSweb/bin/webgui stop
2.      Install the VRTSweb.rte.bff patch if VRTSweb is already installed at fileset level 5.0.1.0.
3.      To apply the patch, enter the command:
# cd <patch location>
# installp -aXd VRTSweb.rte.bff VRTSweb
4.      Restart the Web server using the command:
# /opt/VRTSweb/bin/webgui start


HP-UX

To install the patch
1.      Stop any Web applications and shut down the Web server using the command:
# /opt/VRTSweb/bin/webgui stop
2.      Install the patch using the command:
For 5.0 HP-UX 11i v2
# swinstall -x autoreboot=true -s <patch location> PVCO_03902
For 5.0 HP-UX 11i v3
# swinstall -x autoreboot=true -s <patch location> PHCO_40519
For 5.0.1 HP-UX 11i v3
# swinstall -x autoreboot=true -s <patch location> PHCO_40520
3.      Verify that the patch is correctly installed using the command:
# swverify PVCO_03902
or
# swverify PHCO_40519
or
# swverify PHCO_40520
4.      Restart the Web server using the command:
# /opt/VRTSweb/bin/webgui start
The About tab of the VRTSweb Web GUI (https://hostname:8443) should show the version string 5.5.27.0, where hostname is the server on which the patch is installed.


Linux


To install the patch
1.      Stop any Web applications and shut down the Web server using the command:
# /opt/VRTSweb/bin/webgui stop
2.      Back up the file /opt/VRTSweb/catalina5/server/lib/vrtsserver.jar to another location.
3.      Remove the file /opt/VRTSweb/catalina5/server/lib/vrtsserver.jar.
4.      Download the security fix from the location given in the section Affected Versions.
5.      Copy the new vrtsserver.jar file to the directory /opt/VRTSweb/catalina5/server/lib/.
6.      Restart the Web server using the command:
# /opt/VRTSweb/bin/webgui start
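The Linux jar replacement (steps 2, 3 and 5 above) as one shell function with a dated backup and automatic rollback, added here as an example and not Veritas's own tooling. It assumes the fixed vrtsserver.jar has already been downloaded from the link in Affected Versions and that the function is run between the webgui stop and webgui start steps; the paths are parameters so it can be rehearsed on a scratch directory first.

```shell
#!/bin/sh
# Added example, not part of the Veritas advisory: replace vrtsserver.jar with a
# dated backup of the current file and automatic rollback if the install copy
# fails. Run it between "webgui stop" and "webgui start".

# Return 0 if the file exists and starts with the zip signature "PK", which
# every jar file carries; this catches a truncated or HTML-error download.
looks_like_jar() {
    [ -f "$1" ] && [ "$(head -c 2 "$1" 2>/dev/null)" = "PK" ]
}

# vrtsweb_swap_jar LIBDIR NEWJAR BACKUPDIR
#   LIBDIR    directory holding vrtsserver.jar (/opt/VRTSweb/catalina5/server/lib)
#   NEWJAR    the fixed vrtsserver.jar from the Affected Versions download
#   BACKUPDIR where the current jar is saved before it is replaced
# On success prints the backup path, which is the file the removal procedure copies back.
vrtsweb_swap_jar() {
    libdir="$1"; newjar="$2"; backupdir="$3"
    target="$libdir/vrtsserver.jar"
    looks_like_jar "$newjar" || { echo "new jar missing or not a jar: $newjar" >&2; return 1; }
    looks_like_jar "$target" || { echo "no current jar at $target" >&2; return 1; }
    if cmp -s "$newjar" "$target"; then
        echo "jar already installed, nothing to do" >&2
        return 0
    fi
    mkdir -p "$backupdir" || return 1
    backup="$backupdir/vrtsserver.jar.$(date +%Y%m%d%H%M%S)"
    cp -p "$target" "$backup" || { echo "backup failed" >&2; return 1; }
    # Install the new jar; if the copy fails, put the backup back so the
    # Web server is never left without a server jar.
    if ! cp -p "$newjar" "$target"; then
        cp -p "$backup" "$target"
        echo "install failed, original restored from $backup" >&2
        return 1
    fi
    echo "$backup"
}
```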

Solaris:

To install the patch
1.      Stop any Web applications and shut down the Web server using the command:
# /opt/VRTSweb/bin/webgui stop
2.      To install the patch, enter the command:
# cd <patch location>
For SPARC
# patchadd 142627-01
For x86
# patchadd 142628-01
3.      Restart the Web server using the command:
# /opt/VRTSweb/bin/webgui start

Removing the patch
This section describes the steps for removing the patch.
AIX
1.      Stop any Web applications and shut down the Web server using the command:
# /opt/VRTSweb/bin/webgui stop
2.      To remove the patch, enter the command:
# installp -r VRTSweb.rte 5.0.1.1
3.      Restart the Web server using the command:
# /opt/VRTSweb/bin/webgui start
HP-UX
1.      Stop any Web applications and shut down the Web server using the command:
# /opt/VRTSweb/bin/webgui stop
2.      To remove the patch, enter the command:
For 5.0 HP-UX 11i v2
# swremove -x autoreboot=true PVCO_03902
For 5.0 HP-UX 11i v3
# swremove -x autoreboot=true PHCO_40519
For 5.0.1 HP-UX 11i v3
# swremove -x autoreboot=true PHCO_40520
3.      Restart the Web server using the command:
# /opt/VRTSweb/bin/webgui start
Linux
1.      Stop any Web applications and shut down the Web server using the command:
# /opt/VRTSweb/bin/webgui stop
2.      Remove the file /opt/VRTSweb/catalina5/server/lib/vrtsserver.jar.
3.      Copy the old vrtsserver.jar file that was saved earlier back to the directory /opt/VRTSweb/catalina5/server/lib/.
4.      Restart the Web server using the command:
# /opt/VRTSweb/bin/webgui start
Solaris
1.      Stop any Web applications and shut down the Web server using the command:
# /opt/VRTSweb/bin/webgui stop
2.      To remove the patch, enter the command:
For SPARC
# patchrm 142627-01
For x86
# patchrm 142628-01
3.      Restart the Web server using the command:
# /opt/VRTSweb/bin/webgui start



Best Practices:
Veritas strongly recommends the following best practices:
1. Always perform a full backup prior to and after any changes to your environment.
2. Always make sure that your environment is running the latest version and patch level.
3. Perform periodic "test" restores.


