Article Number: 000193369

DSA-2021-204: Dell EMC Avamar, Dell EMC NetWorker Virtual Edition (NVE), and Dell EMC PowerProtect DP Series Appliance or Dell EMC Integrated Data Protection Appliance (IDPA) Security Update for Multiple Vulnerabilities

Summary: Dell EMC Avamar, Dell EMC NetWorker Virtual Edition (NVE), and Dell EMC PowerProtect DP Series Appliance or Dell EMC Integrated Data Protection Appliance (IDPA) remediation is available for multiple vulnerabilities that may be exploited by malicious users to compromise the affected system. ...

Article Content

Impact

Critical

Details

Proprietary Code CVEs	Description	CVSSBase Score	CVSS Vector String
CVE-2021-36316	Dell EMC Avamar Server versions 18.2, 19.1, 19.2, 19.3, and 19.4 contain an improper privilege management vulnerability in AUI. A malicious user with high privileges may potentially exploit this vulnerability, leading to the disclosure of the AUI information and performing some unauthorized operation on the AUI.	6.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
CVE-2021-36317	Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller. A local attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.	6.7	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36318	Dell EMC Avamar versions 18.2,19.1,19.2,19.3, and 19.4 contain a plain-text password storage vulnerability. A high privileged user may potentially exploit this vulnerability, leading to a complete outage.	6.7	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Third-party Component	CVEs	More Information
Multiple Third-Party Components	See Release Notes	https://dl.dell.com/content/docu106677_avamar-platform-os-security-patch-rollup-2021r2-release-notes.pdf?language=en_us

Proprietary Code CVEs	Description	CVSSBase Score	CVSS Vector String
CVE-2021-36316	Dell EMC Avamar Server versions 18.2, 19.1, 19.2, 19.3, and 19.4 contain an improper privilege management vulnerability in AUI. A malicious user with high privileges may potentially exploit this vulnerability, leading to the disclosure of the AUI information and performing some unauthorized operation on the AUI.	6.7	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
CVE-2021-36317	Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller. A local attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account.	6.7	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36318	Dell EMC Avamar versions 18.2,19.1,19.2,19.3, and 19.4 contain a plain-text password storage vulnerability. A high privileged user may potentially exploit this vulnerability, leading to a complete outage.	6.7	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Third-party Component	CVEs	More Information
Multiple Third-Party Components	See Release Notes	https://dl.dell.com/content/docu106677_avamar-platform-os-security-patch-rollup-2021r2-release-notes.pdf?language=en_us

Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products and Remediation

CVEs Addressed	Product	Affected Versions	Updated Versions	Link to Update
CVE-2021-36316	Dell EMC Avamar Server	18.2	18.2.x	329036
		19.1	19.1.x	329037
		19.2	19.2.x	329038
		19.3	19.3.x	331250
		19.4	19.4.x	332282
	Dell EMC PowerProtectData Protection Appliance (IDPA)	2.3	2.3.x	329036
		2.4.x	2.4.x	329036
		2.5	2.5.x	329037
		2.6.x	2.6.x	331250
		2.7	2.7.x	332282
CVE-2021-36317	Dell EMC Avamar Server	19.4	19.4.x	332282
CVE-2021-36317	Dell EMC PowerProtect Data Protection Appliance (IDPA)	2.7	2.7.x	332282
CVE-2021-36318	Dell EMC Avamar Server	18.2	18.2.x	332796
		19.1	19.1.x	332795
		19.2	19.2.x	332793
		19.3	19.3.x	332792
		19.4	19.4.x	333252
	Dell EMC PowerProtect Data Protection Appliance (IDPA)	2.3	2.3.x	332796
		2.4.x	2.4.x	332796
		2.5	2.5.x	332795
		2.6.x	2.6.x	332792
		2.7	2.7.x	333252
Multiple Third-Party Components See Release Notes	Dell EMC Avamar Server Hardware Appliance Gen4S or Gen4T	Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4	Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4	AvPlatformOsRollup_2021-R2-v2.avp
		Version 19.2 running SUSE Linux Enterprise 12 SP4	Version 19.2.x running SUSE Linux Enterprise 12 SP4
		Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5	Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
	Dell EMC Avamar Virtual Edition	Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments)	Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments)	AvPlatformOsRollup_2021-R2-v2.avp
		Version 19.2 running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)	Version 19.2.x running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)
		Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments)	Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments)
	Dell EMC Avamar NDMP Accelerator	Version 18.2, 19.1, 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 11 SP4	Version 18.2.x, 19.1.x, 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 11 SP4
		Version 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 12 SP4	Version 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 12 SP4
		Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5	Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
	Dell EMC Avamar VMware Image Proxy	Version 18.2 and 19.1 running SUSE Linux Enterprise 12 SP1	Version 18.2.x and 19.1.x running SUSE Linux Enterprise 12 SP1	Avamar Proxy Bundle 2021-R2-v2
		Version 19.2 and 19.3 running SUSE Linux Enterprise 12 SP4	Version 19.2.x and 19.3.x running SUSE Linux Enterprise 12 SP4
		Version 19.4 running SUSE Linux SUSE Linux Enterprise 12 SP5	Version 19.4.x running SUSE Linux SUSE Linux Enterprise 12 SP5
	Dell EMC NetWorker Virtual Edition (NVE)	Version 19.1, 19.2, and 19.3 running SUSE Linux Enterprise 11 SP4	Version 19.1.x, 19.2.x, and 19.3.x running SUSE Linux Enterprise 11 SP4	NvePlatformOsRollup_2021-R2-v2.avp
	Dell EMC NetWorker Virtual Edition (NVE)	Version 19.4 and 19.5 running SUSE Linux Enterprise 12 SP5	Version 19.4.x and 19.5.x running SUSE Linux Enterprise 12 SP5	NvePlatformOsRollup_2021-R2-v2.avp
	Dell EMC PowerProtect DP Series Appliance / Dell EMC Integrated Data Protection Appliance (IDPA)	2.3	2.3.x	AvPlatformOsRollup_2021-R2-v2.avp
		2.4.x	2.4.x
		2.5	2.5.x
		2.6.x	2.6.x
		2.7	2.7.x

Note:
The updated version is the version listed in the Updated Versions column applied with the OS rollup 2021-R2 or the latest OS rollup.

For CVE-2021-36316, CVE-2021-36317, and CVE-2021-36318, see KB article 69982: How to install an Avamar .avp hotfix using Avamar Installer (AVI) for instructions on applying the hotfix. It is recommended to schedule this activity.

See the following KB articles for Security Update (Rollup) Installation instructions:

KB 169784: Avamar Virtual Edition: How to Install the Avamar Platform Security Rollup for Avamar Virtual Edition.
KB 52627: NetWorker Virtual Edition (NVE) : How to Install the Platform Security Rollup for NetWorker Virtual Edition.
KB 77959: Avamar Server, Avamar Proxy, Avamar NDMP Accelerator: How to install the Avamar Platform Security Rollup from the command line for installing the latest Avamar Platform Security Rollup on the Avamar Proxy.

To schedule platform security patch installation or to upgrade your server, contact Dell EMC Customer Support at https://support.emc.com/.

CVEs Addressed	Product	Affected Versions	Updated Versions	Link to Update
CVE-2021-36316	Dell EMC Avamar Server	18.2	18.2.x	329036
		19.1	19.1.x	329037
		19.2	19.2.x	329038
		19.3	19.3.x	331250
		19.4	19.4.x	332282
	Dell EMC PowerProtectData Protection Appliance (IDPA)	2.3	2.3.x	329036
		2.4.x	2.4.x	329036
		2.5	2.5.x	329037
		2.6.x	2.6.x	331250
		2.7	2.7.x	332282
CVE-2021-36317	Dell EMC Avamar Server	19.4	19.4.x	332282
CVE-2021-36317	Dell EMC PowerProtect Data Protection Appliance (IDPA)	2.7	2.7.x	332282
CVE-2021-36318	Dell EMC Avamar Server	18.2	18.2.x	332796
		19.1	19.1.x	332795
		19.2	19.2.x	332793
		19.3	19.3.x	332792
		19.4	19.4.x	333252
	Dell EMC PowerProtect Data Protection Appliance (IDPA)	2.3	2.3.x	332796
		2.4.x	2.4.x	332796
		2.5	2.5.x	332795
		2.6.x	2.6.x	332792
		2.7	2.7.x	333252
Multiple Third-Party Components See Release Notes	Dell EMC Avamar Server Hardware Appliance Gen4S or Gen4T	Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4	Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4	AvPlatformOsRollup_2021-R2-v2.avp
		Version 19.2 running SUSE Linux Enterprise 12 SP4	Version 19.2.x running SUSE Linux Enterprise 12 SP4
		Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5	Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
	Dell EMC Avamar Virtual Edition	Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments)	Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments)	AvPlatformOsRollup_2021-R2-v2.avp
		Version 19.2 running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)	Version 19.2.x running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)
		Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments)	Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments)
	Dell EMC Avamar NDMP Accelerator	Version 18.2, 19.1, 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 11 SP4	Version 18.2.x, 19.1.x, 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 11 SP4
		Version 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 12 SP4	Version 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 12 SP4
		Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5	Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
	Dell EMC Avamar VMware Image Proxy	Version 18.2 and 19.1 running SUSE Linux Enterprise 12 SP1	Version 18.2.x and 19.1.x running SUSE Linux Enterprise 12 SP1	Avamar Proxy Bundle 2021-R2-v2
		Version 19.2 and 19.3 running SUSE Linux Enterprise 12 SP4	Version 19.2.x and 19.3.x running SUSE Linux Enterprise 12 SP4
		Version 19.4 running SUSE Linux SUSE Linux Enterprise 12 SP5	Version 19.4.x running SUSE Linux SUSE Linux Enterprise 12 SP5
	Dell EMC NetWorker Virtual Edition (NVE)	Version 19.1, 19.2, and 19.3 running SUSE Linux Enterprise 11 SP4	Version 19.1.x, 19.2.x, and 19.3.x running SUSE Linux Enterprise 11 SP4	NvePlatformOsRollup_2021-R2-v2.avp
	Dell EMC NetWorker Virtual Edition (NVE)	Version 19.4 and 19.5 running SUSE Linux Enterprise 12 SP5	Version 19.4.x and 19.5.x running SUSE Linux Enterprise 12 SP5	NvePlatformOsRollup_2021-R2-v2.avp
	Dell EMC PowerProtect DP Series Appliance / Dell EMC Integrated Data Protection Appliance (IDPA)	2.3	2.3.x	AvPlatformOsRollup_2021-R2-v2.avp
		2.4.x	2.4.x
		2.5	2.5.x
		2.6.x	2.6.x
		2.7	2.7.x

KB 169784: Avamar Virtual Edition: How to Install the Avamar Platform Security Rollup for Avamar Virtual Edition.
KB 52627: NetWorker Virtual Edition (NVE) : How to Install the Platform Security Rollup for NetWorker Virtual Edition.
KB 77959: Avamar Server, Avamar Proxy, Avamar NDMP Accelerator: How to install the Avamar Platform Security Rollup from the command line for installing the latest Avamar Platform Security Rollup on the Avamar Proxy.

To schedule platform security patch installation or to upgrade your server, contact Dell EMC Customer Support at https://support.emc.com/.

Revision History

Revision	Date	Description
1.0	2021-11-9	Initial Release
1.1	2021-12-6	Minor update to Affected Products and Remediation table. Added .x to end of versions
1.2	2022-01-19	Minor update to Affected Products and Remediation table. Added .x to end of versions

Related Information

Legal Information

Article Properties

Affected Product

Avamar, NetWorker Family, Avamar, Avamar Plug-in for NDMP, Avamar Server, Avamar Virtual Edition, PowerProtect Data Protection Software, Integrated Data Protection Appliance Family, PowerProtect Data Protection Hardware , Integrated Data Protection Appliance Software, NetWorker, Product Security Information ...

Last Published Date

19 Jan 2022

Article Type

Dell Security Advisory

Welcome

Welcome to Dell