Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
Sign In Create an Account Dell Financial Services Premier Sign In Partner Program Sign In
Contact Us

Your Dell.com Carts

DSA-2021-204: Dell EMC Avamar, Dell EMC NetWorker Virtual Edition (NVE), and Dell EMC PowerProtect DP Series Appliance or Dell EMC Integrated Data Protection Appliance (IDPA) Security Update for Multiple Vulnerabilities

Summary: Dell EMC Avamar, Dell EMC NetWorker Virtual Edition (NVE), and Dell EMC PowerProtect DP Series Appliance or Dell EMC Integrated Data Protection Appliance (IDPA) remediation is available for multiple vulnerabilities that may be exploited by malicious users to compromise the affected system. ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Impact

Critical

Details

Proprietary Code CVEs Description CVSSBase Score CVSS Vector String
CVE-2021-36316 Dell EMC Avamar Server versions 18.2, 19.1, 19.2, 19.3, and 19.4 contain an improper privilege management vulnerability in AUI. A malicious user with high privileges may potentially exploit this vulnerability, leading to the disclosure of the AUI information and performing some unauthorized operation on the AUI. 6.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
CVE-2021-36317 Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller. A local attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36318
 		 Dell EMC Avamar versions 18.2,19.1,19.2,19.3, and 19.4 contain a plain-text password storage vulnerability. A high privileged user may potentially exploit this vulnerability, leading to a complete outage. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
 
Third-party Component CVEs More Information
Multiple Third-Party Components See Release Notes https://dl.dell.com/content/docu106677_avamar-platform-os-security-patch-rollup-2021r2-release-notes.pdf?language=en_us
Proprietary Code CVEs Description CVSSBase Score CVSS Vector String
CVE-2021-36316 Dell EMC Avamar Server versions 18.2, 19.1, 19.2, 19.3, and 19.4 contain an improper privilege management vulnerability in AUI. A malicious user with high privileges may potentially exploit this vulnerability, leading to the disclosure of the AUI information and performing some unauthorized operation on the AUI. 6.7 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
CVE-2021-36317 Dell EMC Avamar Server version 19.4 contains a plain-text password storage vulnerability in AvInstaller. A local attacker may potentially exploit this vulnerability, leading to the disclosure of certain user credentials. The attacker may be able to use the exposed credentials to access the vulnerable application with privileges of the compromised account. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CVE-2021-36318
 		 Dell EMC Avamar versions 18.2,19.1,19.2,19.3, and 19.4 contain a plain-text password storage vulnerability. A high privileged user may potentially exploit this vulnerability, leading to a complete outage. 6.7 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
 
Third-party Component CVEs More Information
Multiple Third-Party Components See Release Notes https://dl.dell.com/content/docu106677_avamar-platform-os-security-patch-rollup-2021r2-release-notes.pdf?language=en_us
Dell Technologies recommends all customers consider both the CVSS base score and any relevant temporal and environmental scores that may impact the potential severity associated with a particular security vulnerability.

Affected Products & Remediation

CVEs Addressed  Product Affected Versions Updated Versions Link to Update
CVE-2021-36316 Dell EMC Avamar Server 18.2 18.2.x 329036
 
19.1 19.1.x
 		 329037
19.2 19.2.x
 		 329038
19.3 19.3.x
 		 331250
19.4 19.4.x
 		 332282
Dell EMC PowerProtectData Protection Appliance (IDPA) 2.3 2.3.x 329036
2.4.x 2.4.x
2.5 2.5.x 329037
2.6.x 2.6.x 331250
2.7 2.7.x 332282
CVE-2021-36317 Dell EMC Avamar Server 19.4 19.4.x 332282
Dell EMC PowerProtect Data Protection Appliance (IDPA) 2.7 2.7.x
CVE-2021-36318 Dell EMC Avamar Server 18.2 18.2.x 332796
19.1 19.1.x 332795
19.2 19.2.x 332793
19.3 19.3.x 332792
19.4 19.4.x 333252
Dell EMC PowerProtect Data Protection Appliance (IDPA) 2.3 2.3.x 332796
2.4.x 2.4.x
2.5 2.5.x 332795
2.6.x 2.6.x 332792
2.7 2.7.x 333252
Multiple Third-Party Components
See Release Notes		 Dell EMC Avamar Server Hardware Appliance Gen4S or Gen4T Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4 Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4 AvPlatformOsRollup_2021-R2-v2.avp        
Version 19.2 running SUSE Linux Enterprise 12 SP4 Version 19.2.x running SUSE Linux Enterprise 12 SP4
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
Dell EMC Avamar Virtual Edition Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments) Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments) AvPlatformOsRollup_2021-R2-v2.avp               
Version 19.2 running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments) Version 19.2.x running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments) Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments)
Dell EMC Avamar NDMP Accelerator Version 18.2, 19.1, 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 11 SP4 Version 18.2.x, 19.1.x, 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 11 SP4
Version 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 12 SP4 Version 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 12 SP4
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
Dell EMC Avamar VMware Image Proxy Version 18.2 and 19.1 running SUSE Linux Enterprise 12 SP1 Version 18.2.x and 19.1.x running SUSE Linux Enterprise 12 SP1 Avamar Proxy Bundle 2021-R2-v2
 
Version 19.2 and 19.3 running SUSE Linux Enterprise 12 SP4 Version 19.2.x and 19.3.x running SUSE Linux Enterprise 12 SP4
Version 19.4 running SUSE Linux SUSE Linux Enterprise 12 SP5 Version 19.4.x running SUSE Linux SUSE Linux Enterprise 12 SP5
Dell EMC NetWorker Virtual Edition (NVE) Version 19.1, 19.2, and 19.3 running SUSE Linux Enterprise 11 SP4 Version 19.1.x, 19.2.x, and 19.3.x running SUSE Linux Enterprise 11 SP4 NvePlatformOsRollup_2021-R2-v2.avp
 
Version 19.4 and 19.5 running SUSE Linux Enterprise 12 SP5 Version 19.4.x and 19.5.x running SUSE Linux Enterprise 12 SP5
Dell EMC PowerProtect DP Series Appliance / Dell EMC Integrated Data Protection Appliance (IDPA) 2.3 2.3.x AvPlatformOsRollup_2021-R2-v2.avp 
2.4.x 2.4.x
2.5 2.5.x
2.6.x 2.6.x
2.7 2.7.x
 
Note:
The updated version is the version listed in the Updated Versions column applied with the OS rollup 2021-R2 or the latest OS rollup.

For CVE-2021-36316, CVE-2021-36317, and CVE-2021-36318, see KB article 69982: How to install an Avamar .avp hotfix using Avamar Installer (AVI) for instructions on applying the hotfix. It is recommended to schedule this activity.

See the following KB articles for Security Update (Rollup) Installation instructions: To schedule platform security patch installation or to upgrade your server, contact Dell EMC Customer Support at https://support.emc.com/.
CVEs Addressed  Product Affected Versions Updated Versions Link to Update
CVE-2021-36316 Dell EMC Avamar Server 18.2 18.2.x 329036
 
19.1 19.1.x
 		 329037
19.2 19.2.x
 		 329038
19.3 19.3.x
 		 331250
19.4 19.4.x
 		 332282
Dell EMC PowerProtectData Protection Appliance (IDPA) 2.3 2.3.x 329036
2.4.x 2.4.x
2.5 2.5.x 329037
2.6.x 2.6.x 331250
2.7 2.7.x 332282
CVE-2021-36317 Dell EMC Avamar Server 19.4 19.4.x 332282
Dell EMC PowerProtect Data Protection Appliance (IDPA) 2.7 2.7.x
CVE-2021-36318 Dell EMC Avamar Server 18.2 18.2.x 332796
19.1 19.1.x 332795
19.2 19.2.x 332793
19.3 19.3.x 332792
19.4 19.4.x 333252
Dell EMC PowerProtect Data Protection Appliance (IDPA) 2.3 2.3.x 332796
2.4.x 2.4.x
2.5 2.5.x 332795
2.6.x 2.6.x 332792
2.7 2.7.x 333252
Multiple Third-Party Components
See Release Notes		 Dell EMC Avamar Server Hardware Appliance Gen4S or Gen4T Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4 Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4 AvPlatformOsRollup_2021-R2-v2.avp        
Version 19.2 running SUSE Linux Enterprise 12 SP4 Version 19.2.x running SUSE Linux Enterprise 12 SP4
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
Dell EMC Avamar Virtual Edition Version 18.2 and 19.1 running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments) Version 18.2.x and 19.1.x running SUSE Linux Enterprise 11 SP4 (including Azure and AWS deployments) AvPlatformOsRollup_2021-R2-v2.avp               
Version 19.2 running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments) Version 19.2.x running SUSE Linux Enterprise 12 SP4 (including Azure and AWS deployments)
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments) Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5 (including Azure and AWS deployments)
Dell EMC Avamar NDMP Accelerator Version 18.2, 19.1, 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 11 SP4 Version 18.2.x, 19.1.x, 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 11 SP4
Version 19.2, 19.3, and 19.4 running SUSE Linux Enterprise 12 SP4 Version 19.2.x, 19.3.x, and 19.4.x running SUSE Linux Enterprise 12 SP4
Version 19.3 and 19.4 running SUSE Linux Enterprise 12 SP5 Version 19.3.x and 19.4.x running SUSE Linux Enterprise 12 SP5
Dell EMC Avamar VMware Image Proxy Version 18.2 and 19.1 running SUSE Linux Enterprise 12 SP1 Version 18.2.x and 19.1.x running SUSE Linux Enterprise 12 SP1 Avamar Proxy Bundle 2021-R2-v2
 
Version 19.2 and 19.3 running SUSE Linux Enterprise 12 SP4 Version 19.2.x and 19.3.x running SUSE Linux Enterprise 12 SP4
Version 19.4 running SUSE Linux SUSE Linux Enterprise 12 SP5 Version 19.4.x running SUSE Linux SUSE Linux Enterprise 12 SP5
Dell EMC NetWorker Virtual Edition (NVE) Version 19.1, 19.2, and 19.3 running SUSE Linux Enterprise 11 SP4 Version 19.1.x, 19.2.x, and 19.3.x running SUSE Linux Enterprise 11 SP4 NvePlatformOsRollup_2021-R2-v2.avp
 
Version 19.4 and 19.5 running SUSE Linux Enterprise 12 SP5 Version 19.4.x and 19.5.x running SUSE Linux Enterprise 12 SP5
Dell EMC PowerProtect DP Series Appliance / Dell EMC Integrated Data Protection Appliance (IDPA) 2.3 2.3.x AvPlatformOsRollup_2021-R2-v2.avp 
2.4.x 2.4.x
2.5 2.5.x
2.6.x 2.6.x
2.7 2.7.x
 
Note:
The updated version is the version listed in the Updated Versions column applied with the OS rollup 2021-R2 or the latest OS rollup.

For CVE-2021-36316, CVE-2021-36317, and CVE-2021-36318, see KB article 69982: How to install an Avamar .avp hotfix using Avamar Installer (AVI) for instructions on applying the hotfix. It is recommended to schedule this activity.

See the following KB articles for Security Update (Rollup) Installation instructions: To schedule platform security patch installation or to upgrade your server, contact Dell EMC Customer Support at https://support.emc.com/.

Revision History

RevisionDateDescription
1.02021-11-9Initial Release
1.12021-12-6Minor update to Affected Products and Remediation table. Added .x to end of versions
1.22022-01-19Minor update to Affected Products and Remediation table. Added .x to end of versions

Related Information

Dell Security Advisories and Notices
Dell Vulnerability Response Policy
CVSS Scoring Guide

Legal Disclaimer

Affected Products

Avamar, NetWorker Family, Avamar, Avamar Plug-in for NDMP, Avamar Server, Avamar Virtual Edition, PowerProtect Data Protection Software, Integrated Data Protection Appliance Family, PowerProtect Data Protection Hardware , Integrated Data Protection Appliance Software, NetWorker, Product Security Information ...
Article Properties
Article Number: 000193369
Article Type: Dell Security Advisory
Last Modified: 19 Jan 2022
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.